Immunefi

Immunefi is introducing an enhanced Responsible Publication Policy, in order to provide clarity about the degree to which non-public information regarding bug bounty programs and bug reports may be discussed publicly.

Our Responsible Publication Policy now allows Project Owners to select from three distinct publication categories.

Important: projects that have selected a Responsible Publication category will have that category listed in the Program Overview section of their bug bounty program. See Reserve as an example. This category determines what whitehats are allowed to publish about their bug reports, how, and when.

Projects that do not have Responsible Publication mentioned in the Program Overview section adhere to the Legacy Publication Policy.

Legacy Publication Policy

Whitehats may publicize their bug report once the bug has been fixed and paid.
Whitehats may publicize bug reports that the project has closed as being out of scope or not needing a fix.
Whitehats may publicize their bug report if the project has not resolved their submission after 90 days from the time of escalation despite requesting mediation, unless a mediation process is still ongoing.
Whitehats may not publicize bug reports that Immunefi has closed as being out of scope.
Whitehats may not publish information about bug reports during the mediation process.
Whitehats may not publicize duplicates or known issues.

Some projects on Immunefi have Legacy Publication Policies that prohibit publishing any bug report information without consent from the project. Those conditions are clearly stated in those bug bounty programs.

Legacy Publication Policies will be phased out during 2023. At that time, all projects on Immunefi will have a Responsible Publication category selected in their bug bounty programs, and this change will be publicly announced on social media and this page.

If you're unsure about your publication rights, ask Immunefi in your bug report!

Responsible Publication Policy

The following Global Standards apply across all Publication Categories.

All bug reports must be fixed and paid before being published, unless it meets an exception set out in the Global Standards or the relevant Publication Category.
Whitehats may not publish information about bug reports rejected as being a duplicate or known issue.
Whitehats may not publish information about bug reports during the mediation process.
Whitehats may not publish information about bug reports that Immunefi has closed as out of scope.
If Immunefi is requested to mediate a bug report and Immunefi’s Mediation Summary differs from that of the project, and the project chooses to disregard the Mediation Summary regarding validity, severity, and/or recommended minimum payout amount, then the whitehat may publicly disclose information about the report without restriction, assuming the bug is fixed.
Bug report intellectual property remains with the whitehat. Right of publication, however, is determined by whichever publication category the project chooses.
For the sake of clarity, all parties (Whitehat, Project Owner, and Immunefi) shall abide by the applicable publication category for each bug bounty program.
Nothing in this Responsible Publication Policy modifies in any way Immunefi’s right to collect and make use of anonymized information regarding bug bounty programs and bug reports.

Projects have three different publication categories to choose from, and their selection is implemented in the text of their bug bounty programs in the Program Overview section under the heading called 'Responsible Publication'.

Responsible Publication Categories

Publication Category 1: Transparent

Whitehats may publish information about their fixed and paid bug reports. It is strongly recommended that Whitehats send any publication they make to projects for review in the bug report submissions thread, but it is not mandatory.
Whitehats may publish information about reports that have been closed by projects as not warranting a fix or out of scope.
Whitehats may publish information about reports that have not been resolved within 90 days of escalation, provided a mediation process is not ongoing.
The terms laid out in the Global Standards above also apply to this category.

Publication Category 2: Notice Required

Whitehats may publish information about their fixed and paid bug reports provided that they give projects 21 days to review and provide input about the publication in the bug report submission thread before they publish.
The notice requirement does not apply to Whitehats publishing information about payment amount, severity, or high-level classification of the bug type (e.g. reentrancy), as long as they do not mention or indicate the project to which it was reported.
The notice requirement does not apply to Whitehats publishing information about reports that have been closed by projects as not warranting a fix or out of scope.
The notice requirement does not apply to Whitehats publishing information about reports that have not been resolved within 90 days of escalation, unless a mediation process is ongoing. In those instances, the Whitehat may disclose information pertaining to that bug report without restriction.
The terms laid out in the Global Standards above also apply to this category.

Publication Category 3: Approval Required

Whitehats may not publish information about their fixed and paid reports unless the project provides written consent in the bug report submission thread.
This restriction no longer applies to reports that have not been resolved within 90 days of escalation, unless a mediation process is ongoing. In those instances, the Whitehat may disclose information pertaining to that bug report without restriction.
The terms laid out in the Global Standards above also apply to this category.

How Do I Know When I Can Actually Publish?

We want to give greater choice and flexibility to projects to choose Publication Categories that are right for them, but we also want to make things clear for whitehats. The table below will give you a clearer idea of your rights under Responsible Publication.

Can I publish?	RP Category 1	RP Category 2	RP Category 3	Legacy
Fixed and paid report	Publish at will	21-day Project notice/review	Project approval required	Publish at will
Duplicate/Known Issue	No	No	No	No
Closed by project as out of scope/no fix	Publish at will	Publish at will	Project approval required	Publish at will
Closed by Immunefi	No	No	No	No
Immunefi Mediation Summary differs from Project and Project does not accept	Publish at will	Publish at will	Publish at will	Publish at will
Report not resolved within 90 days of escalation, unless mediation is ongoing	Publish at will	Publish at will	Publish at will	Publish at will

Once you've gotten an answer from this table, make sure to cross-reference it with the terms of the relevant Publication Category.

How Do I Know What I Can Actually Publish?

When you meet conditions for publishing, you are allowed to publish:

Your initial bug report submission
Immunefi's Mediation Summary in the bug report thread
A summary of the Project's response(s)

Can I Publish Screenshots Of My Paid Report?

Category 1: you can immediately publish a screenshot of the payout amount, severity, and project name.

Category 2: you can immediately publish a screenshot of the payout amount and severity. But if you want to mention the project name and/or write about the details of the bug report, you have to give the project a 21-day review period first in the Immunefi Dashboard.

Category 3: you can immediately publish a screenshot of the severity of the report, but not the payout amount or project name. You must get explicit permission from the project in the Immunefi Dashboard to write a bugfix review or post any other information anywhere about the bug report.

What if I'm allowed to publish but the project fails to confirm that they've fixed the report or are taking too long to fix it, which means I can't publish?

If a bug report has been paid, but the project fails to state that a fix has been implemented after the whitehat inquiries about the fix status, the whitehat may go public 60 days after making the inquiry. The whitehat should inform the project of this timeline.
If the project explicitly states that the bug isn't yet fixed or isn't going to be fixed, the whitehat cannot go public with the bug report.

What If I Break The Rules?

Violating the Legacy or Responsible Publication Policies merits a final warning at minimum or a permanent ban and could result in the loss of your bug bounty reward for the report in question and the closure of all other reports.

If you ever have any questions about Responsible Publication, don't hesitate to ask Immunefi in your bug report submission or email [email protected]

We're happy to work with you to figure out how you can celebrate your bug bounty win.