Responsible Publication Guide

This wizard page was designed to quickly and easily inform security researchers about whether they can publish their bug reports and what they can disclose. By the end of this process, which should not take more than 5 minutes, you will have a clear answer.

Based on the following questions and answers, click through the links that fit your situation, and you’ll be led to a clear answer.

If your bug report is related to a Boost, invite-only program (IOP) or Attackathon, you cannot disclose anything about your bug reports until Immunefi posts the program’s results, which include the raw bug reports. After that, you are free to disclose information as described here. Note that some IOPs prohibit the publication of any bug reports. Please see the relevant IOP program page for more details.

Is the report:

  1. Confirmed & Paid?
  2. Closed?
  3. Not resolved after 90 days & currently not under mediation?
  4. Project disagreed with Immunefi mediation summary?
  5. A duplicate or known issue?

Did the project fix the bug?

Yes

No

Did Immunefi close the report?

Yes

No

Was the report closed as Out-of-Scope / No fix?

Yes

No

What disclosure category is the program? (found on the project's BBP page)

Category 1

Category 2

Category 3

Legacy*

*Programs that do not specify any category fall under the Legacy policy.

You can disclose this report.

You are allowed to publish:

  1. Your initial bug report submission
  2. Immunefi’s mediation summary in the bug report thread
  3. A summary of the Project’s responses.

You can also disclose a screenshot of the:

  1. Payout amount
  2. Severity
  3. Project Name

We recommend you send any publication you make to projects for review in the bug report submission thread, but it is not mandatory.

You can disclose this report after confirming the fix.

Please message the project directly in the report timeline to confirm that the bug was fixed before publishing details about your report.

Did the project confirm the fix?

In the meantime, you are free to disclose a screenshot of:

  1. Severity (all categories)
  2. Payout amount (Category 1 and 2)
  3. Project name (Category 1 and category 2 with a 21-day notice)
    1. If the program is under Category 3, you need explicit permission to disclose the payout amount and project name in your screenshot

If the project fails to confirm that it has fixed the report or is taking too long to do so, please contact Immunefi for help.

For full bug-fix reviews, you can disclose after 21 days' notice to, or a review from, the project.

Did the project provide their review or has 21 days passed since your notice?

Was the report closed as Out-of-Scope / No fix?

In the meantime, until receiving the review, you can disclose a screenshot of:

  1. Payout amount
  2. Severity

Please post a message directly in the report timeline stating that you will be disclosing the report.

You need project permission to disclose this report.

Please message the project directly in the report timeline to receive permission to disclose this report.

Did the project provide their permission to disclose the report?

In the meantime, you can disclose a screenshot of the severity.

However, you cannot disclose the payout amount or the project name unless you have explicit permission from the project in the report on Immunefi. If you wish to write a bugfix review or post any other information, reach out to the project on the report on Immunefi.

You cannot disclose this report.

Unfortunately, you are unable to publicize any information about this report.

If you ever have any other questions or need clarity about Responsible Publication, please contact Immunefi.