Immunefi has a set of rules that govern users' participation in its bug bounty platform and interaction with Immunefi-run spaces and team. These rules exist in addition to the rules for each bug bounty program, which are listed on each bug bounty program page. Violation of these rules can result in a temporary suspension or permanent ban from the Immunefi platform at the sole discretion of the Immunefi team, which may also result in the forfeiture of any active bug submissions under consideration and zero payout. These rules can be changed at any time.

Prohibited Behavior

  • Any testing with mainnet or public testnet contracts; all testing should be done on private testnets. Testing on mainnet or public testnet is grounds for an immediate and permanent ban
  • Misrepresenting assets in scope: claiming that a report impacts/targets an asset in scope when it does not
  • Automated testing of services that generates significant amounts of traffic
  • Exploiting/attacking or threatening to exploit/attack a project on Immunefi
  • Attempting phishing or other social engineering attacks against our employees and/or customers
  • Harassment, i.e., excessive, abusive, or bad faith communication
  • 'Beg bounty' behavior, i.e. begging for a bounty reward that is not owed to the whitehat based on the terms of the bug bounty program
  • Attacks based on personal characteristics
  • Threats of violence
  • Threatening to publish or publishing people’s personal information without their consent
  • Extortion/blackmail or threats of extortion/blackmail
  • Posting illegal content
  • Reporting a bug that has already been publicly disclosed
  • Creating multiple accounts on the Immunefi platform
  • Underreporting vulnerabilities
  • Misrepresenting vulnerabilities
  • Publicly disclosing a bug before it has been fixed and paid
  • Publicly disclosing a bug report before 30 days have elapsed since the project closed the report as being out of scope or not requiring a fix
  • Publicly disclosing a bug deemed to be a duplicate or well-known to the project
  • Placeholder bug submissions, i.e., bugs that have a vague title, very few details, and no reproducible steps
  • Submitting a bug report that is not substantially your own (co-submitting with another hacker with their consent is permitted)
  • Submitting spam/very low quality bug reports and submitting information through our platform that is not a bug report
  • Routing around Immunefi and communicating with a project directly
  • Submitting bugs via email or any channel other than the Immunefi bugs platform
  • Submitting fixes to a project's repository without their express consent
  • Unauthorized disclosure or access of sensitive information beyond what is necessary to submit the report
  • Promoting any behavior listed above

Behavioral Code

  • Be ethical
  • Be respectful and considerate
  • Be professional
  • Be patient
  • Be privacy conscious

Scope and Enforcement

The team will take all reasonable actions to ensure the successful execution of Immunefi's mission and the maximum effectiveness of the project.

All material in official project spaces is subject to the rules, and as such, can be deleted, modified, or rejected by the team if it is found to be in violation of the rules. In repeated or severe cases, the team may exclude users from the Immunefi bug bounty platform and/or its project spaces on a temporary or permanent basis.