- Immunefi will determine the reward based on its Vulnerability Severity Classification System.
- Ethical hackers are rewarded for discovering and reporting bugs and vulnerabilities in applications.
- The program is the world’s highest-paid bug bounty reward, as reported smart contract vulnerabilities are awarded $250,000.
The partnership between LayerZero and Immunefi recognizes ethical hackers for their research and discovery of vulnerabilities within applications, websites, blockchains, and smart contracts. It will pay them a maximum fee of $15 million if they meet the terms and conditions laid by Immunefi.
On May 17, the cross-chain messaging protocol—LayerZero—and the popular security platform—Immunefi—both announced the launch of their program. Identified as the world’s most enormous bounty, the $15 million will be given to anyone identifying a vulnerability of the highest severity level.
The rewards will be paid according to the terms and conditions drafted on the Immunefi Vulnerability Severity Classification System, which lists a five-level scale of impacts such as none, low, medium, high, and critical.
Terms and Conditions
According to Immunefi’s official website, all bug reports submitted by bounty hunters must come with a PoC (Proof of Concept) showing an end-effect affecting the assets in consideration for a reward.
“Explanations and statements are not accepted as PoC, and code is required…exceptions may be made in situations where the vulnerability is objectively evident from simply stating the vulnerability and where it exists,” the announcement states.
LayerZero is an omnichain interoperability protocol that enables developers to interact easily with smart contracts across various blockchains.
According to the security platform, smart contract rewards are categorized into two Groups. Group 1 includes Optimism Fantom, Ethereum, Polygon, BNB Chain, Avalanche, and Arbitrum, while Group 2 consists of the other chains. Group 1 rewards paid to ethical hackers are a minimum of $250,000 or 10% of the reported assets. Whereas the reward given to Group 2 for vulnerabilities discovered is $25,000 or 10% of the asset’s value.
Additionally, Immunefi mentioned that all non-critical rewards for big bounties are calculated and distributed based on internal team criteria.
Requirements To Pay Bounty Hunters
For LayerZero to pay the bounty hunters, they must adhere to several requirements. The bounty hunters will comply with the Know-Your-Customer (KYC) standards— the hunters or ethical hackers must provide an invoice including their address, name, payment instructions, and a copy of their passport or any other government identification. They must also provide proof of speech, and lastly, they must pass the OFAC screening.
Payments of the bug bounty will be solely executed by LayerZero Labs and paid in US Dollars.
Immunefi stressed that it would not accept all bug reports into the program. The words which will not be taken into consideration are the following:
- Attacks that the hunter has exploited for themselves.
- Attacks requiring access to leaked data.
- Attacks requiring access to strict addresses.
Immunefi and LayerZero’s recent partnership offering to pay $15 million will be the most significant amount given to any bounty hunter who discovers a vulnerability of the highest severity.