Largest Web3 bug bounty platform. Hosts always-on programs for hundreds of protocols across EVM, Solana, Cosmos, and others, with a standardized severity classification and PoC requirement for all submissions.
- 01 post-deployment continuous coverage
- 02 high-ceiling rewards for critical bugs
- 03 bridging launch audits to ongoing security
- 04 whitehat triage and disclosure workflow
- 05 publicly verifiable bounty commitments
- # No package — set up a bounty at https://immunefi.com/bug-bounty/launch
- # Researchers: dashboard at https://bugs.immunefi.com
Use Immunefi to run an always-on bug bounty after launch. Define the scope (deployed contract addresses plus the commit hash they were built from, so reviewers can map bytecode to source), the assets at risk, the severity caps (a common Critical formula is 10% of funds at risk, bounded by a program minimum and the program maximum), and the exclusions. Whitehats submit reports with a mandatory runnable PoC; Immunefi's triage team validates each report against the Immunefi Vulnerability Severity Classification System v2.x, then routes it to the protocol team for a fix. Most programs require the whitehat to complete KYC with Immunefi's external provider before a Critical payout is released. Publish the bounty publicly on immunefi.com so whitehats can find it and verify its terms.
- ⚑Severity classification follows Immunefi's VSCS, not CVSS. A smart-contract 'Critical' on Immunefi means on-chain impact such as direct theft of user funds, permanent freezing of funds, protocol insolvency, or manipulation of a governance outcome; protocol-design concerns with no demonstrable on-chain impact are typically out of scope or downgraded.
- ⚑PoC is mandatory for every severity tier — reports without a runnable exploit are routinely closed as informational, even if the bug is real.
- ⚑KYC policy is set per program: most require it before a Critical payout (some for High too); of those, some pay a reduced bounty (e.g. 70%) for non-KYC reports, others reject them outright. Check the program page before submitting.
- ⚑Scope must list exact contract addresses or commit hashes — proxies pointing to non-listed implementations are a frequent dispute point; specify upgrade behavior explicitly.
- ⚑Bounty caps are often denominated in USD with a token-price-at-disclosure rule — protocols should fund a USDC/stable buffer to honor payouts during volatility.
- ⚑Boost programs are time-boxed competitions with their own prize pool and their own separately defined scope; do not confuse them with the protocol's always-on bounty when reporting, and submit to the program whose scope actually covers the asset.
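The scope rule above (exact addresses plus commit hash, and explicit upgrade behaviour) is the one most often litigated in triage, because a proxy listed in scope can silently point at an implementation that was never listed. The following is an added example, not Immunefi's or any protocol's own tooling: a small scope checker that reads each listed proxy's EIP-1967 implementation slot and reports whether the live implementation is itself in scope. The EIP-1967 slot constant is real; the addresses, commit hash, and in-memory storage state are constructed placeholders so the script runs offline. In practice `read_slot` would be backed by an `eth_getStorageAt` call against an archive node at the block you are reviewing.

```python
"""Scope checker for an Immunefi-style bounty program (added example, not
Immunefi's own code). For every proxy listed in scope, read the EIP-1967
implementation slot and check that the implementation it points at is
also listed. Storage access is a pluggable callable so the example runs
offline against a constructed state; swap in eth_getStorageAt for real use.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Real constant from EIP-1967: keccak256("eip1967.proxy.implementation") - 1
EIP1967_IMPL_SLOT = 0x360894A13BA1A3210667C828492DB98DCA3E2076CC3735A920A3CA505D382BBC


@dataclass
class ScopeEntry:
    address: str              # 0x-prefixed hex, compared case-insensitively
    kind: str                 # "proxy" or "implementation"
    commit: str               # source commit the deployed bytecode was built from
    upgradeable: bool = False # program explicitly keeps future upgrades in scope


@dataclass
class Finding:
    proxy: str
    implementation: str
    in_scope: bool
    note: str


def slot_to_address(word: int) -> str:
    """Low 20 bytes of a 32-byte storage word as lowercase hex; masks any
    dirty high bytes a misbehaving proxy might leave in the slot."""
    return "0x" + format(word & ((1 << 160) - 1), "040x")


def check_scope(scope: List[ScopeEntry],
                read_slot: Callable[[str, int], int]) -> List[Finding]:
    listed = {e.address.lower(): e for e in scope}
    findings: List[Finding] = []
    for entry in scope:
        if entry.kind != "proxy":
            continue
        impl = slot_to_address(read_slot(entry.address.lower(), EIP1967_IMPL_SLOT))
        if impl == slot_to_address(0):
            findings.append(Finding(entry.address, impl, False,
                "implementation slot empty: not an EIP-1967 proxy or uninitialised"))
        elif impl in listed:
            findings.append(Finding(entry.address, impl, True,
                f"implementation listed at commit {listed[impl].commit}"))
        elif entry.upgradeable:
            findings.append(Finding(entry.address, impl, True,
                "implementation not listed, but program keeps upgrades in scope"))
        else:
            findings.append(Finding(entry.address, impl, False,
                "implementation not listed and upgrades not declared in scope: dispute risk"))
    return findings


# Constructed sample state (placeholder addresses and commit, not real deployments)
PROXY_A = "0x" + "a1" * 20
IMPL_A = "0x" + "b2" * 20
PROXY_C = "0x" + "c3" * 20
PROXY_E = "0x" + "e5" * 20
IMPL_NEW = "0x" + "d4" * 20   # upgraded to after launch, never added to scope
SAMPLE_COMMIT = "3f2a9c1"

SAMPLE_STORAGE: Dict[Tuple[str, int], int] = {
    (PROXY_A, EIP1967_IMPL_SLOT): int(IMPL_A, 16),
    (PROXY_C, EIP1967_IMPL_SLOT): int(IMPL_NEW, 16),
    (PROXY_E, EIP1967_IMPL_SLOT): int(IMPL_NEW, 16),
}


def sample_read_slot(address: str, slot: int) -> int:
    """Offline stand-in for eth_getStorageAt over the constructed state."""
    return SAMPLE_STORAGE.get((address, slot), 0)


SAMPLE_SCOPE = [
    ScopeEntry(PROXY_A, "proxy", SAMPLE_COMMIT),
    ScopeEntry(IMPL_A, "implementation", SAMPLE_COMMIT),
    ScopeEntry(PROXY_C, "proxy", SAMPLE_COMMIT),
    ScopeEntry(PROXY_E, "proxy", SAMPLE_COMMIT, upgradeable=True),
]

if __name__ == "__main__":
    for f in check_scope(SAMPLE_SCOPE, sample_read_slot):
        print(("OK " if f.in_scope else "GAP"), f.proxy, "->", f.implementation, ":", f.note)
```

Run this against the program's scope list at the block you are reviewing (and again before submitting a report), and treat every GAP as a question to raise with the program before investing PoC effort; the same check is what a protocol should run on its own scope page after every upgrade.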