Bug bounty hunting in web3 can be tough; if you’re looking to report a bug on a blue-chip protocol for a Crit payout, you better come prepared. Here’s a list of 10 resources you should use to up your bug bounty reporting skills. 💪
Disclaimer: this is not a generic “follow @X for security tips”. I will be highlighting our very own underrated content that will elevate your whitehat game by helping you understand ALL of our rules and supporting your submissions towards that $1m+ payout.
1- Confused as to how you can best prove your point to protocols and get out of the “theoretical” report zone? Check out our Proof of Concept (PoC) guidelines and rules for web2 & web3 and create the best PoC out there: immunefisupport.zendesk.com/hc/en-us/artic…
2- Think your report is being low-balled/closed unfairly despite proving the value-add in your report for an out of scope asset? You can find this in our Projects’ FAQ: head over to our “Primacy of Impact Policy and Best Practices” to prioritize impact: immunefisupport.zendesk.com/hc/en-us/artic…
3- Found a bug in a third party library or software used by the project? Learn about our external dependency policies to know exactly what can be considered a valid bug report and what may be classified as out of scope: immunefisupport.zendesk.com/hc/en-us/artic…
4- Are you starting out on Immunefi? Read our Hacker Guide on submitting bug reports! Our article highlights why you should hunt for web3 bounties, when to aim for the big bounty vs the low vulnerability exploit, project response times, etc. medium.com/immunefi/a-hac…
5- On the topic of starting out, “Your First Day as a Bug Bounty Hunter” is a great article with a step-by-step guide on how to get started on Immunefi and navigate our platform: medium.com/immunefi/your-…
6- Nothing beats a top-notch report. Find out what you should include in your submissions to maximize your chances at a reward by reading our bug report template article and make sure you have all the right elements before pushing that “submit” button: immunefisupport.zendesk.com/hc/en-us/artic…
7- Unsure about which severity your exploit/bug/vulnerability falls under? Look no further than Immunefi’s Severity Classification System which comes with brief explanations for each vuln as well: immunefisupport.zendesk.com/hc/en-us/artic…
8- This may sound simple, but due to the nature of our industry, we take rules very seriously. If you hunt on Immunefi, you better know our rules like the back of your hand to be successful and avoid getting warned or banned!
9- Learn from the advice and knowledge our community of elite hackers is posting in the #learn-blockchain-hacking channel of our Discord; the knowledge sharing is insane.
10- Want to hone your technical skills? You can find everything you need to know about security, from blockchain concepts, tools, frameworks, hack analyses and much more, in the Immunefi Learn GitHub repo curated by our very own @arunim_shukla.
With this list, you have all the right tools to succeed in Immunefi, back up your report with solid claims, and use our rules to your advantage. Remember: knowledge is power, and a powerful bug bounty hunter can accomplish great things and make serious money. 😎
1/22 Fact: Whitehats have received 70 MILLION+ dollars in bounties via @Immunefi. The top whitehat has earned over $13 million in just 4 reports. To those of you who haven’t yet made much on Immunefi despite hearing about whitehats earning crazy payouts, this thread is for you.
2/22 Bug bounty hunting is a serious game, and must be treated as such. Projects receive countless reports every day that they have to review. Here are 5 ways you can increase your chances at standing out and getting your reports paid.
3/22 Quick debrief on who I am before we start: I am an Account Coordinator, meaning I’m part of the team that communicates with you and projects to make sure reports get resolved in a timely manner. I see countless reports every day, so I know what works and what doesn’t.