Comment on page
🕸
Immunefi Bug Bounty
Bug Bounty program
Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System V2.2. This is a simplified 5-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported.
All Critical Smart Contract bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward. Explanations and statements are not accepted as PoC and code is required. In addition, all Critical severity bug reports must come with a suggestion for a fix in order to be considered for a reward.
Rewards for critical smart contract vulnerabilities are further capped at 10% of economic damage, with the main consideration being the funds affected in addition to PR and brand considerations, at the discretion of the team. However, there is a minimum reward of USD 50 000 for Critical smart contract bug reports.
Rewards for high smart contract vulnerabilities are further capped at 20% of economic damage, with the main consideration being the funds affected in addition to PR and brand considerations, at the discretion of the team. However, there is a minimum reward of USD 5 000 for High smart contract bug reports.
Known issues highlighted in the following audit reports are considered out of scope:
https://docs.magpiexyz.io/security/audit-reports
Payouts are handled by the MagpieXYZ team directly and are denominated in USD. However, payouts are done in USDC and BUSD.
Last modified 9mo ago