Immunefi Bug Bounty
Bug Bounty program
Last updated
Bug Bounty program
Last updated
Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System V2.2. This is a simplified 5-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported.
All Critical Smart Contract bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward. Explanations and statements are not accepted as PoC and code is required. In addition, all Critical severity bug reports must come with a suggestion for a fix in order to be considered for a reward.
Rewards for critical smart contract vulnerabilities are further capped at 10% of economic damage, with the main consideration being the funds affected in addition to PR and brand considerations, at the discretion of the team. However, there is a minimum reward of USD 50 000 for Critical smart contract bug reports.
Rewards for high smart contract vulnerabilities are further capped at 20% of economic damage, with the main consideration being the funds affected in addition to PR and brand considerations, at the discretion of the team. However, there is a minimum reward of USD 5 000 for High smart contract bug reports.
Known issues highlighted in the following audit reports are considered out of scope:
https://docs.magpiexyz.io/security/audit-reports
Payouts are handled by the MagpieXYZ team directly and are denominated in USD. However, payouts are done in USDC and BUSD.
