Immunefi rolled out a new rule under which participating programs' clients request to be somewhat protected for vulnerabilities that aren't in the list of assets that can be investigated.
Please change the bug bounty program to include this new rule: What Is Primacy Of Impact? Introduction | by Immunefi | Immunefi | Medium.
Disclaimer: I found a bug on a deployed Instadapp Ethereum contract allowing full theft of the to-be governance funds it holds, but it isn't in the in-scope list of contracts on GitHub and would be paid with just a mere thank you if disclosed now (because it is out of scope of the code covered).
Hey @ytrezq I will have the correct person in charge of Immunefi review and update the assets and contract scope.
We would prefer you contact Immunefi and have them communicate with us, as they work as an intermediary. Have you reached out to Immunefi before posting here?
You aren't participating in What Is Primacy Of Impact? Introduction | by Immunefi | Immunefi | Medium. Participating programs on Immunefi have the rule on their Immunefi pages along with a link to the blog post.
It has been several months since this proposal was enacted by Immunefi, so I suspect that all programs that chose not to modify their Immunefi pages are just thank-you rewarders when it comes to uncovered code. I fail to see why you wouldn't want to follow this rule if it's just about not wanting to pay for everything deployed in case a vulnerability is found (this is of course understandable).
You can of course understand why I don't just give in public the name of the contract whose fees can be stolen. Both for me and for the security of governance.
I understand that you did not want to disclose the contract. My question was have you contacted Immunefi in any manner?
I'm waiting for the situation to be clarified about your stance regarding non-covered/out-of-scope Solidity code (about whether you would follow the way of Immunefi or the way of the major players like Alphabet or Microsoft or Meta).
Creating a proof of concept as required by the bounty rules will take time I don't have, and there's no point doing it if there will be no reward.
Hi, we have reached out to Immunefi to expand the scope of our bug bounty program and are incorporating additional contracts. These additions mainly relate to newer products.
Based on your limited description, it seems possible that the vulnerability you’ve identified may already fall under the existing Immunefi Bug Bounty scope.
The Immunefi bug bounty covers DeFi Smart Accounts (DSA) which would include the treasury, as well as the related Governance contracts.
We strongly encourage you to submit your findings to Immunefi.