Standard Rules - Prohibited Activities

These activities are commonly prohibited by bug bounty programs. If you would like to exclude other activities, explicitly include them in the onboarding form.

  • Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
  • Any testing with pricing oracles or third party smart contracts
  • Attempting phishing or other social engineering attacks against our employees and/or customers
  • Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
  • Any denial of service attacks
  • Automated testing of services that generates significant amounts of traffic
  • Disassembly or reverse engineering of binaries for which source code is not published, not including smart contract bytecode
  • Public disclosure of an unpatched vulnerability in an embargoed bounty

An embargo period is a fixed period of time from when a bug is reported to when a bug reporter can publicly disclose it. Bug reporters must not publicly discuss or disclose the presence or details of a bug during the embargo period. Once the embargo period is over bug reporters will be free to publicly discuss and disclose the details of the bug they’ve found and any proof-of-concept exploits that they may have written to validate the bug.

Public disclosure is important to bug reporters’ reputations (some may wish to present their work at conferences) as well as to maintain confidence that the Immunefi platform does pay out its bounties.