Bug Bounty Programs in Web3: Setup, Platforms & Best Practices for 2026
Web3 bug bounty programs have paid out over $200 million since 2020, making them the most cost-effective ongoing security investment for blockchain projects. This guide covers platform selection, reward structures, scope definition, and operational best practices from programs that actually work.
Web3 bug bounty programs are structured incentive systems where blockchain projects pay security researchers (white-hat hackers) to find and responsibly disclose vulnerabilities in their smart contracts, protocols, and infrastructure. The leading platform, Immunefi, has facilitated over $100 million in bounty payouts since its 2020 launch, with single payouts reaching as high as $10 million (Wormhole, 2022). A well-structured bug bounty program is the most cost-effective form of ongoing security for any Web3 project -- you only pay when a real vulnerability is found, and the cost is always a fraction of what an exploit would cost. For any team managing user funds on-chain, a bug bounty program is not optional; it is the final layer in a mature security stack that begins with smart contract audits and continuous monitoring.
Bug bounties solve a fundamental problem in blockchain security: audits are point-in-time assessments, but vulnerabilities can be introduced through upgrades, composability with other protocols, or changes in the broader ecosystem. A bug bounty program provides 24/7 coverage from a global army of security researchers who are financially motivated to find issues before malicious actors do.
Bug Bounty Programs in Web3: Setup, Platforms & Best Practices for 2026
Web3 bug bounty programs have paid out over $200 million since 2020, making them the most cost-effective ongoing security investment for blockchain projects. This guide covers platform selection, reward structures, scope definition, and operational best practices from programs that actually work.
Web3 bug bounty programs are structured incentive systems where blockchain projects pay security researchers (white-hat hackers) to find and responsibly disclose vulnerabilities in their smart contracts, protocols, and infrastructure. The leading platform, Immunefi, has facilitated over $100 million in bounty payouts since its 2020 launch, with single payouts reaching as high as $10 million (Wormhole, 2022). A well-structured bug bounty program is the most cost-effective form of ongoing security for any Web3 project -- you only pay when a real vulnerability is found, and the cost is always a fraction of what an exploit would cost. For any team managing user funds on-chain, a bug bounty program is not optional; it is the final layer in a mature security stack that begins with smart contract audits and continuous monitoring.
Bug bounties solve a fundamental problem in blockchain security: audits are point-in-time assessments, but vulnerabilities can be introduced through upgrades, composability with other protocols, or changes in the broader ecosystem. A bug bounty program provides 24/7 coverage from a global army of security researchers who are financially motivated to find issues before malicious actors do.
•$10M largest single bounty payout (Wormhole bridge critical vulnerability, 2022)
•$15M largest active maximum bounty (several major DeFi protocols)
•72 hours median time from submission to first response on Immunefi
•14 days median time from submission to payout for valid critical findings
These numbers reflect a maturing ecosystem where security research has become a legitimate and lucrative career path. The best Web3 security researchers earn $500,000-$2,000,000+ annually through bug bounty hunting alone.
Major Web3 Bug Bounty Platforms Compared
Immunefi: The DeFi Standard
Immunefi dominates the Web3 bug bounty space with over 80% market share by total value locked protected. Founded by Mitchell Amador in 2020, it has become the default platform for serious DeFi protocols.
Key features:
•Curated program listings with standardized severity classifications
•Proof of Concept (PoC) requirements for high/critical submissions
•Mediation services for disputed findings
•KYC/compliance support for large payouts
•Vaults program for guaranteed payout funding
Pricing for projects:
•10% fee on bounty payouts (charged to the project, not the researcher)
•Custom enterprise tiers available for large protocols
•No upfront listing fees for standard programs
Coverage: Primarily DeFi, bridges, L1/L2 chains, lending protocols. Over 350 active programs including Chainlink, Synthetix, Optimism, Polygon, and MakerDAO.
Best for: Any DeFi protocol managing >$1M TVL that wants access to the largest pool of Web3-focused security researchers.
HackerOne: Enterprise-Grade with Web3 Expansion
HackerOne is the original bug bounty platform (founded 2012) and has expanded significantly into Web3. It brings enterprise-grade tooling, compliance features, and a massive researcher community (1M+ registered hackers).
Key features:
•Established triage and mediation workflows
•ISO 27001 and SOC 2 certified platform
•Integration with enterprise security tools (Jira, Slack, PagerDuty)
•Managed triage service (HackerOne handles initial assessment)
•Extensive analytics and reporting dashboard
Pricing for projects:
•Platform fee varies by tier ($20,000-$100,000+ annually for managed programs)
•Self-managed programs available at lower cost
•Bounty payouts are additional
Coverage: Broad coverage including blockchain L1s, exchanges, custodians, and Web3 infrastructure companies. Clients include Coinbase, Crypto.com, and several major exchanges.
Best for: Larger organizations with existing security teams, exchanges, and infrastructure providers who need enterprise compliance features.
Hats Finance: Decentralized and On-Chain
Hats Finance takes a Web3-native approach with decentralized, on-chain bug bounty infrastructure.
Key features:
•Bounty vaults funded on-chain with transparent balances
•Decentralized governance for program parameters
•No KYC requirements for researchers (pseudonymous participation)
•Lower platform fees than centralized alternatives (typically 5-8%)
•Gas costs for on-chain operations
•No minimum commitment
Coverage: Growing ecosystem focused on DeFi and infrastructure protocols. Smaller researcher base than Immunefi or HackerOne but growing.
Best for: Projects that prioritize decentralization and want to offer pseudonymous participation to researchers. Good complement to an Immunefi program.
Platform Comparison Matrix
Feature
Immunefi
HackerOne
Hats Finance
Web3 focus
Primary
Secondary
Primary
Active researchers
25,000+
1,000,000+ (all sectors)
3,000+
Platform fee
10% of payouts
$20K-$100K+/year
5-8% of payouts
Max bounty supported
Unlimited
Unlimited
Limited by vault
Triage service
Yes (curated)
Yes (managed)
Community-based
On-chain payouts
Supported
Limited
Native
KYC for researchers
Optional/required for large payouts
Required
Optional
PoC requirements
Yes (high/critical)
Configurable
Yes
Mediation
Yes
Yes
Committee-based
Time to launch
1-2 weeks
2-4 weeks
Days
Best for
DeFi protocols
Enterprises/exchanges
Decentralized projects
For projects evaluating security partners more broadly, The Signal's security directory provides a comprehensive view of the available options.
Setting Up Your Bug Bounty Program: Step-by-Step
Step 1: Define Your Scope
The scope defines what researchers are allowed to test and what is eligible for rewards. A well-defined scope is the single most important element of a successful program.
In-scope assets (typical for a DeFi protocol):
Asset Type
Priority
Examples
Smart contracts (mainnet)
Critical
Core protocol contracts, governance, token
Smart contracts (testnet/staging)
High
Upcoming deployments
Protocol infrastructure
High
Oracles, keepers, relayers
Frontend/API
Medium
Web app, API endpoints
Off-chain infrastructure
Medium
Backend services, databases
Out-of-scope (standard exclusions):
•Third-party contracts not developed by your team
•Issues in forked code that are known/documented
•Theoretical vulnerabilities without a working PoC
•Social engineering attacks on team members
•DDoS or spam attacks
•Issues already reported or known
•Findings from automated scanners without manual validation
•Frontend bugs that do not lead to fund loss or data exposure
Pro tip: Start with a narrower scope (smart contracts only) and expand over time as your program matures. This prevents an initial flood of low-quality submissions on out-of-scope assets.
Step 2: Set Your Reward Structure
Reward tiers should be proportional to the impact of the vulnerability. Here is the industry-standard framework used by most Immunefi programs:
For Smart Contracts / Blockchain
Severity
Impact Description
Typical Reward Range
Critical
Direct theft/loss of user funds, permanent protocol DoS, governance takeover
$50,000 - $10,000,000+
High
Temporary freezing of funds, manipulation of financial data, economic exploits
$10,000 - $100,000
Medium
Griefing attacks, smart contract returns incorrect data, minor economic impact
$2,000 - $10,000
Low
Events not emitted, function behaves unexpectedly (no financial impact)
$500 - $2,000
For Websites / Applications
Severity
Impact Description
Typical Reward Range
Critical
XSS leading to fund theft, authentication bypass, database compromise
$5,000 - $50,000
High
Sensitive data exposure, significant privilege escalation
$2,000 - $10,000
Medium
CSRF on critical functions, information disclosure
$500 - $2,000
Low
Missing security headers, verbose errors, minor information disclosure
$100 - $500
Reward Calibration Guidelines
Your maximum bounty should be proportional to the maximum potential loss:
TVL / Assets at Risk
Recommended Max Bounty
Percentage
$1M - $10M
$50,000 - $200,000
2-5%
$10M - $100M
$200,000 - $1,000,000
1-2%
$100M - $1B
$1,000,000 - $5,000,000
0.5-1%
$1B+
$5,000,000 - $15,000,000
0.5%
Key insight: Underpaying for critical vulnerabilities is the biggest mistake programs make. If your max bounty is $10,000 but an exploit could drain $50M, rational researchers may conclude that selling the vulnerability on the black market (or exploiting it themselves) is more profitable than responsible disclosure. Your bounty needs to make honesty the economically rational choice.
Step 3: Write Your Policy Document
Every bug bounty program needs a clear, comprehensive policy document. Here are the essential sections:
•Program overview: What your protocol does, what assets are in scope
•Scope definition: Exact contract addresses, domains, and repositories in scope
•Severity classification: Clear criteria for each severity level
•Reward structure: Exact amounts or ranges per severity level
•Eligibility requirements: Who can participate (age, jurisdiction, KYC)
•Submission requirements: PoC format, expected information, communication channels
•Response timeline commitments: When researchers can expect a response
•Safe harbor language: Legal protection for good-faith research
•Exclusions: What is out of scope and what will not be rewarded
•Disclosure policy: When and how findings will be publicly disclosed
Step 4: Fund Your Bounty Vault
Credibility requires demonstrating that you can actually pay. Options include:
•Immunefi Vaults: Lock funds on-chain, proving payment capability to researchers
•Escrow accounts: Hold fiat in an escrow account with documented proof
•Treasury allocation: Public governance proposal allocating funds to security
•Insurance backstop: Some programs use DeFi insurance to guarantee payouts
Minimum recommended funding: 2x your maximum critical bounty. This ensures you can pay two simultaneous critical findings without scrambling for funds.
Step 5: Build Your Response Team
You need at least 3 people able to evaluate and respond to submissions:
Role
Responsibility
Availability Required
Security lead
Technical evaluation, severity assessment
On-call 24/7
Engineering lead
Code fix development, deployment
On-call during business hours
Operations/comms
Researcher communication, payments, reporting
Business hours
Response time targets (industry best practice):
•First acknowledgment: < 24 hours
•Severity assessment: < 72 hours
•Fix development (critical): < 7 days
•Payment processing: < 14 days after fix verification
Step 6: Launch and Promote
•Announce on Twitter/X, Discord, and your documentation
•Submit your program to Immunefi's curated listing
•Post in security researcher communities (Immunefi Discord, HackerOne forums)
•Consider a launch bonus (1.5-2x rewards for the first 30 days) to attract initial researcher attention
•Notify your existing auditors -- they often have networks of researchers
Operational Best Practices
Triage Quality Matters More Than Speed
The number one complaint from security researchers is slow or poor-quality triage. A researcher who spends days crafting a PoC and receives a dismissive "won't fix" response will never submit to your program again, and will tell other researchers.
Best practices for triage:
•Always reproduce the PoC before responding
•If you disagree with severity, explain your reasoning in detail
•If a finding is a duplicate, share the original submission date (not content)
•If a finding is out of scope, point to the specific policy section
•Thank the researcher regardless of outcome
Handle Severity Disputes Gracefully
Severity disagreements are the most common source of friction in bug bounty programs. Researchers naturally believe their findings are more severe than projects do.
Resolution framework:
•State your severity assessment with detailed technical reasoning
•Invite the researcher to provide additional PoC data supporting higher severity
•If disagreement persists, use the platform's mediation service
•Document the precedent for future reference
Maintain Transparency on Payouts
Publicly sharing (anonymized) statistics builds trust with the researcher community:
Protocols like Optimism and MakerDAO publish regular security reports that include bug bounty statistics. This transparency attracts more researchers to their programs.
Coordinate with Your Audit Strategy
Bug bounties and audits are complementary, not competing strategies. Here is how they fit together:
•Pre-launch: Comprehensive audit(s) by professional firms
In February 2022, a security researcher discovered a critical vulnerability in the Wormhole bridge that could have allowed an attacker to mint unlimited wrapped ETH on Solana. The vulnerability was reported through Immunefi, and Wormhole paid a $10 million bounty -- the largest in crypto history at the time.
Key lessons:
•The bounty was proportional to the potential loss (Wormhole held $300M+ at the time)
•The payout was processed within 24 hours of fix verification
•The researcher was publicly praised (with their consent)
•The find validated the ROI of high maximum bounties
Aurora Engine (NEAR): $6M Bounty
A researcher found a critical vulnerability in the Aurora Engine on NEAR Protocol that could have allowed draining of funds from the engine. Aurora paid $6 million through Immunefi.
Key lessons:
•Large bounties attract serious talent -- this researcher was specifically targeting high-bounty programs
•The 72-hour turnaround from submission to fix demonstrated operational readiness
•Post-incident, Aurora increased their security team and bounty scope
Polygon: $2M Bounty for Plasma Bridge Vulnerability
A researcher identified a vulnerability in Polygon's Plasma bridge that put approximately $850 million at risk. Polygon paid $2 million and also engaged the researcher for ongoing security consultation.
Key lessons:
•Converting bounty hunters into ongoing security advisors is a powerful strategy
•Bridge vulnerabilities continue to represent the highest-severity findings
•Polygon's transparent handling of the incident actually strengthened community trust
Common Mistakes to Avoid
1. Setting Maximum Bounties Too Low
If your protocol holds $100M in TVL and your max bounty is $50,000, you are signaling to researchers that you do not take security seriously. Worse, you are creating a financial incentive for researchers to exploit rather than report.
Rule of thumb: Max critical bounty should be at least 1% of assets at risk.
2. Ignoring Submissions or Responding Slowly
Nothing kills a bug bounty program faster than a reputation for ignoring researchers. In Web3 security circles, word travels fast. Programs that consistently respond slowly see submission quality drop within months.
3. Arguing About Severity to Reduce Payouts
Some programs systematically downgrade severity to pay less. This is a short-term savings strategy that destroys your program long-term. Researchers track which programs are fair and which are not. Platforms like Immunefi also track this data and may deprioritize programs with poor researcher satisfaction.
4. Not Having a Fix-and-Deploy Process
Finding a vulnerability is only half the battle. You need a tested, rehearsed process for:
•Emergency pause mechanisms (if applicable)
•Fix development and testing under time pressure
•Coordinated deployment across chains
•Post-fix verification
•Communication to users and stakeholders
5. Launching Without an Audit First
A bug bounty program should not be your first line of defense. Researchers expect that you have already done basic due diligence (professional audit, automated scanning). Programs that launch bug bounties on unaudited code get flooded with low-severity findings that should have been caught by an audit, overwhelming the triage team.
6. Failing to Update Scope After Upgrades
Every time you deploy new contracts, upgrade existing ones, or add new features, your bug bounty scope needs to be updated. Stale scopes lead to confusion about which contracts are eligible, resulting in wasted researcher effort and disputed submissions.
Legal Considerations for Bug Bounty Programs
Safe Harbor Provisions
Your bug bounty policy should include safe harbor language that protects good-faith researchers from legal action. The key elements:
•Explicit permission to test in-scope assets
•Commitment not to pursue legal action for good-faith research
•Definition of what constitutes "good faith" (no data exfiltration, no disruption of service, no accessing user data)
•Compliance with relevant regulations (CFAA in the US, Computer Misuse Act in the UK)
Tax and Payment Considerations
•Bounty payments may be taxable income for researchers (jurisdiction-dependent)
•Payments in tokens vs. stablecoins vs. fiat have different tax implications
•KYC/AML requirements vary by jurisdiction and amount
•For payments over $10,000, most platforms require identity verification
•Some jurisdictions (OFAC-sanctioned countries) may be ineligible
•Team: 3-5 person security team with 24/7 rotation
•Response SLA: 4 hours first response, 24 hours assessment
Integrating Bug Bounties with Your Broader Security Strategy
A bug bounty program is one component of a comprehensive security posture. Here is how it fits with other security investments:
Security Layer
Purpose
Cost Profile
Coverage
Automated scanning (Slither, Aderyn)
Catch known patterns
Free-$2K/mo
Continuous, limited depth
Professional audit
Deep analysis, point-in-time
$30K-$500K per engagement
Comprehensive but snapshot
Competitive audit (Code4rena)
Many eyes, time-bounded
$20K-$100K per contest
Intensive but time-limited
Bug bounty program
Ongoing researcher incentives
Variable (pay per finding)
Continuous, incentive-aligned
Runtime monitoring (Forta, OpenZeppelin Defender)
Real-time threat detection
$1K-$10K/mo
Continuous, detection-focused
Incident response plan
Minimize damage when exploited
Internal cost (team time)
Reactive
The strongest security posture combines all of these layers. Each layer catches different types of vulnerabilities at different points in the development and deployment lifecycle.
For a holistic view of the security partners available to build each layer of your security stack, explore The Signal's directory or book a free consultation to discuss your specific needs.
Frequently Asked Questions
How much does it cost to run a bug bounty program?
The direct cost depends on findings: you only pay when valid vulnerabilities are discovered. Platform fees range from 5-10% of payouts (Immunefi, Hats Finance) to $20,000-$100,000+ annually for managed programs (HackerOne). Indirect costs include team time for triage, fix development, and program management -- typically 10-20 hours per month for an active program.
What is the average bug bounty payout in Web3?
The average payout varies significantly by severity. Low-severity findings average $500-$2,000. Medium findings average $2,000-$10,000. High findings average $10,000-$50,000. Critical findings average $50,000-$200,000 but can reach millions for high-TVL protocols. The median payout across all severities on Immunefi is approximately $5,000.
How do I attract quality security researchers to my program?
Competitive and clearly communicated rewards are the primary driver. Fair and fast triage processes build reputation over time. Promoting your program on security-focused channels (Immunefi Discord, Twitter security community), offering launch bonuses (2x rewards for the first 30 days), and publishing transparent statistics all help attract serious researchers.
Can a bug bounty replace a smart contract audit?
No. Bug bounties and audits serve different purposes. An audit is a systematic, comprehensive review performed before launch. A bug bounty provides ongoing coverage after launch. Most critical vulnerabilities are found during audits, not through bug bounties. Launch without an audit and your bug bounty program will be overwhelmed with basic findings that should have been caught earlier.
What happens if a researcher exploits the vulnerability instead of reporting it?
This is the nightmare scenario that proper bounty sizing helps prevent. If your maximum bounty is economically rational relative to the potential exploit value, most researchers will choose responsible disclosure. However, there is no guarantee. This is why you also need runtime monitoring, circuit breakers (pause functions), and incident response plans as additional defensive layers.
How quickly should I respond to bug bounty submissions?
Industry best practice is first acknowledgment within 24 hours, severity assessment within 72 hours, and payout within 14 days of fix verification. For critical findings, compress all timelines: first response within 4 hours, fix development within 48-72 hours, and payout within 7 days. Slow response times directly correlate with lower program quality.
Should I require proof of concept for all submissions?
Requiring PoC for high and critical findings is standard and recommended -- it prevents theoretical or speculative submissions from consuming triage resources. For medium and low findings, a detailed description is usually sufficient. Some programs accept informal PoCs (step-by-step reproduction instructions) for medium findings and require formal coded PoCs only for high/critical.
What blockchain-specific risks should my bug bounty cover?
Beyond standard smart contract vulnerabilities (reentrancy, access control, arithmetic errors), your scope should explicitly address: MEV exploitation, flash loan attack vectors, oracle manipulation, governance attack scenarios, cross-chain message relay vulnerabilities (if applicable), token approval exploits, and economic/game-theoretic attacks that may not involve code bugs but exploit mechanism design flaws.
•$10M largest single bounty payout (Wormhole bridge critical vulnerability, 2022)
•$15M largest active maximum bounty (several major DeFi protocols)
•72 hours median time from submission to first response on Immunefi
•14 days median time from submission to payout for valid critical findings
These numbers reflect a maturing ecosystem where security research has become a legitimate and lucrative career path. The best Web3 security researchers earn $500,000-$2,000,000+ annually through bug bounty hunting alone.
Major Web3 Bug Bounty Platforms Compared
Immunefi: The DeFi Standard
Immunefi dominates the Web3 bug bounty space with over 80% market share by total value locked protected. Founded by Mitchell Amador in 2020, it has become the default platform for serious DeFi protocols.
Key features:
•Curated program listings with standardized severity classifications
•Proof of Concept (PoC) requirements for high/critical submissions
•Mediation services for disputed findings
•KYC/compliance support for large payouts
•Vaults program for guaranteed payout funding
Pricing for projects:
•10% fee on bounty payouts (charged to the project, not the researcher)
•Custom enterprise tiers available for large protocols
•No upfront listing fees for standard programs
Coverage: Primarily DeFi, bridges, L1/L2 chains, lending protocols. Over 350 active programs including Chainlink, Synthetix, Optimism, Polygon, and MakerDAO.
Best for: Any DeFi protocol managing >$1M TVL that wants access to the largest pool of Web3-focused security researchers.
HackerOne: Enterprise-Grade with Web3 Expansion
HackerOne is the original bug bounty platform (founded 2012) and has expanded significantly into Web3. It brings enterprise-grade tooling, compliance features, and a massive researcher community (1M+ registered hackers).
Key features:
•Established triage and mediation workflows
•ISO 27001 and SOC 2 certified platform
•Integration with enterprise security tools (Jira, Slack, PagerDuty)
•Managed triage service (HackerOne handles initial assessment)
•Extensive analytics and reporting dashboard
Pricing for projects:
•Platform fee varies by tier ($20,000-$100,000+ annually for managed programs)
•Self-managed programs available at lower cost
•Bounty payouts are additional
Coverage: Broad coverage including blockchain L1s, exchanges, custodians, and Web3 infrastructure companies. Clients include Coinbase, Crypto.com, and several major exchanges.
Best for: Larger organizations with existing security teams, exchanges, and infrastructure providers who need enterprise compliance features.
Hats Finance: Decentralized and On-Chain
Hats Finance takes a Web3-native approach with decentralized, on-chain bug bounty infrastructure.
Key features:
•Bounty vaults funded on-chain with transparent balances
•Decentralized governance for program parameters
•No KYC requirements for researchers (pseudonymous participation)
•Lower platform fees than centralized alternatives (typically 5-8%)
•Gas costs for on-chain operations
•No minimum commitment
Coverage: Growing ecosystem focused on DeFi and infrastructure protocols. Smaller researcher base than Immunefi or HackerOne but growing.
Best for: Projects that prioritize decentralization and want to offer pseudonymous participation to researchers. Good complement to an Immunefi program.
Platform Comparison Matrix
Feature
Immunefi
HackerOne
Hats Finance
Web3 focus
Primary
Secondary
Primary
Active researchers
25,000+
1,000,000+ (all sectors)
3,000+
Platform fee
10% of payouts
$20K-$100K+/year
5-8% of payouts
Max bounty supported
Unlimited
Unlimited
Limited by vault
Triage service
Yes (curated)
Yes (managed)
Community-based
On-chain payouts
Supported
Limited
Native
KYC for researchers
Optional/required for large payouts
Required
Optional
PoC requirements
Yes (high/critical)
Configurable
Yes
Mediation
Yes
Yes
Committee-based
Time to launch
1-2 weeks
2-4 weeks
Days
Best for
DeFi protocols
Enterprises/exchanges
Decentralized projects
For projects evaluating security partners more broadly, The Signal's security directory provides a comprehensive view of the available options.
Setting Up Your Bug Bounty Program: Step-by-Step
Step 1: Define Your Scope
The scope defines what researchers are allowed to test and what is eligible for rewards. A well-defined scope is the single most important element of a successful program.
In-scope assets (typical for a DeFi protocol):
Asset Type
Priority
Examples
Smart contracts (mainnet)
Critical
Core protocol contracts, governance, token
Smart contracts (testnet/staging)
High
Upcoming deployments
Protocol infrastructure
High
Oracles, keepers, relayers
Frontend/API
Medium
Web app, API endpoints
Off-chain infrastructure
Medium
Backend services, databases
Out-of-scope (standard exclusions):
•Third-party contracts not developed by your team
•Issues in forked code that are known/documented
•Theoretical vulnerabilities without a working PoC
•Social engineering attacks on team members
•DDoS or spam attacks
•Issues already reported or known
•Findings from automated scanners without manual validation
•Frontend bugs that do not lead to fund loss or data exposure
Pro tip: Start with a narrower scope (smart contracts only) and expand over time as your program matures. This prevents an initial flood of low-quality submissions on out-of-scope assets.
Step 2: Set Your Reward Structure
Reward tiers should be proportional to the impact of the vulnerability. Here is the industry-standard framework used by most Immunefi programs:
For Smart Contracts / Blockchain
Severity
Impact Description
Typical Reward Range
Critical
Direct theft/loss of user funds, permanent protocol DoS, governance takeover
$50,000 - $10,000,000+
High
Temporary freezing of funds, manipulation of financial data, economic exploits
$10,000 - $100,000
Medium
Griefing attacks, smart contract returns incorrect data, minor economic impact
$2,000 - $10,000
Low
Events not emitted, function behaves unexpectedly (no financial impact)
$500 - $2,000
For Websites / Applications
Severity
Impact Description
Typical Reward Range
Critical
XSS leading to fund theft, authentication bypass, database compromise
$5,000 - $50,000
High
Sensitive data exposure, significant privilege escalation
$2,000 - $10,000
Medium
CSRF on critical functions, information disclosure
$500 - $2,000
Low
Missing security headers, verbose errors, minor information disclosure
$100 - $500
Reward Calibration Guidelines
Your maximum bounty should be proportional to the maximum potential loss:
TVL / Assets at Risk
Recommended Max Bounty
Percentage
$1M - $10M
$50,000 - $200,000
2-5%
$10M - $100M
$200,000 - $1,000,000
1-2%
$100M - $1B
$1,000,000 - $5,000,000
0.5-1%
$1B+
$5,000,000 - $15,000,000
0.5%
Key insight: Underpaying for critical vulnerabilities is the biggest mistake programs make. If your max bounty is $10,000 but an exploit could drain $50M, rational researchers may conclude that selling the vulnerability on the black market (or exploiting it themselves) is more profitable than responsible disclosure. Your bounty needs to make honesty the economically rational choice.
Step 3: Write Your Policy Document
Every bug bounty program needs a clear, comprehensive policy document. Here are the essential sections:
•Program overview: What your protocol does, what assets are in scope
•Scope definition: Exact contract addresses, domains, and repositories in scope
•Severity classification: Clear criteria for each severity level
•Reward structure: Exact amounts or ranges per severity level
•Eligibility requirements: Who can participate (age, jurisdiction, KYC)
•Submission requirements: PoC format, expected information, communication channels
•Response timeline commitments: When researchers can expect a response
•Safe harbor language: Legal protection for good-faith research
•Exclusions: What is out of scope and what will not be rewarded
•Disclosure policy: When and how findings will be publicly disclosed
Step 4: Fund Your Bounty Vault
Credibility requires demonstrating that you can actually pay. Options include:
•Immunefi Vaults: Lock funds on-chain, proving payment capability to researchers
•Escrow accounts: Hold fiat in an escrow account with documented proof
•Treasury allocation: Public governance proposal allocating funds to security
•Insurance backstop: Some programs use DeFi insurance to guarantee payouts
Minimum recommended funding: 2x your maximum critical bounty. This ensures you can pay two simultaneous critical findings without scrambling for funds.
Step 5: Build Your Response Team
You need at least 3 people able to evaluate and respond to submissions:
Role
Responsibility
Availability Required
Security lead
Technical evaluation, severity assessment
On-call 24/7
Engineering lead
Code fix development, deployment
On-call during business hours
Operations/comms
Researcher communication, payments, reporting
Business hours
Response time targets (industry best practice):
•First acknowledgment: < 24 hours
•Severity assessment: < 72 hours
•Fix development (critical): < 7 days
•Payment processing: < 14 days after fix verification
Step 6: Launch and Promote
•Announce on Twitter/X, Discord, and your documentation
•Submit your program to Immunefi's curated listing
•Post in security researcher communities (Immunefi Discord, HackerOne forums)
•Consider a launch bonus (1.5-2x rewards for the first 30 days) to attract initial researcher attention
•Notify your existing auditors -- they often have networks of researchers
Operational Best Practices
Triage Quality Matters More Than Speed
The number one complaint from security researchers is slow or poor-quality triage. A researcher who spends days crafting a PoC and receives a dismissive "won't fix" response will never submit to your program again, and will tell other researchers.
Best practices for triage:
•Always reproduce the PoC before responding
•If you disagree with severity, explain your reasoning in detail
•If a finding is a duplicate, share the original submission date (not content)
•If a finding is out of scope, point to the specific policy section
•Thank the researcher regardless of outcome
Handle Severity Disputes Gracefully
Severity disagreements are the most common source of friction in bug bounty programs. Researchers naturally believe their findings are more severe than projects do.
Resolution framework:
•State your severity assessment with detailed technical reasoning
•Invite the researcher to provide additional PoC data supporting higher severity
•If disagreement persists, use the platform's mediation service
•Document the precedent for future reference
Maintain Transparency on Payouts
Publicly sharing (anonymized) statistics builds trust with the researcher community:
Protocols like Optimism and MakerDAO publish regular security reports that include bug bounty statistics. This transparency attracts more researchers to their programs.
Coordinate with Your Audit Strategy
Bug bounties and audits are complementary, not competing strategies. Here is how they fit together:
•Pre-launch: Comprehensive audit(s) by professional firms
In February 2022, a security researcher discovered a critical vulnerability in the Wormhole bridge that could have allowed an attacker to mint unlimited wrapped ETH on Solana. The vulnerability was reported through Immunefi, and Wormhole paid a $10 million bounty -- the largest in crypto history at the time.
Key lessons:
•The bounty was proportional to the potential loss (Wormhole held $300M+ at the time)
•The payout was processed within 24 hours of fix verification
•The researcher was publicly praised (with their consent)
•The find validated the ROI of high maximum bounties
Aurora Engine (NEAR): $6M Bounty
A researcher found a critical vulnerability in the Aurora Engine on NEAR Protocol that could have allowed draining of funds from the engine. Aurora paid $6 million through Immunefi.
Key lessons:
•Large bounties attract serious talent -- this researcher was specifically targeting high-bounty programs
•The 72-hour turnaround from submission to fix demonstrated operational readiness
•Post-incident, Aurora increased their security team and bounty scope
Polygon: $2M Bounty for Plasma Bridge Vulnerability
A researcher identified a vulnerability in Polygon's Plasma bridge that put approximately $850 million at risk. Polygon paid $2 million and also engaged the researcher for ongoing security consultation.
Key lessons:
•Converting bounty hunters into ongoing security advisors is a powerful strategy
•Bridge vulnerabilities continue to represent the highest-severity findings
•Polygon's transparent handling of the incident actually strengthened community trust
Common Mistakes to Avoid
1. Setting Maximum Bounties Too Low
If your protocol holds $100M in TVL and your max bounty is $50,000, you are signaling to researchers that you do not take security seriously. Worse, you are creating a financial incentive for researchers to exploit rather than report.
Rule of thumb: Max critical bounty should be at least 1% of assets at risk.
2. Ignoring Submissions or Responding Slowly
Nothing kills a bug bounty program faster than a reputation for ignoring researchers. In Web3 security circles, word travels fast. Programs that consistently respond slowly see submission quality drop within months.
3. Arguing About Severity to Reduce Payouts
Some programs systematically downgrade severity to pay less. This is a short-term savings strategy that destroys your program long-term. Researchers track which programs are fair and which are not. Platforms like Immunefi also track this data and may deprioritize programs with poor researcher satisfaction.
4. Not Having a Fix-and-Deploy Process
Finding a vulnerability is only half the battle. You need a tested, rehearsed process for:
•Emergency pause mechanisms (if applicable)
•Fix development and testing under time pressure
•Coordinated deployment across chains
•Post-fix verification
•Communication to users and stakeholders
5. Launching Without an Audit First
A bug bounty program should not be your first line of defense. Researchers expect that you have already done basic due diligence (professional audit, automated scanning). Programs that launch bug bounties on unaudited code get flooded with low-severity findings that should have been caught by an audit, overwhelming the triage team.
6. Failing to Update Scope After Upgrades
Every time you deploy new contracts, upgrade existing ones, or add new features, your bug bounty scope needs to be updated. Stale scopes lead to confusion about which contracts are eligible, resulting in wasted researcher effort and disputed submissions.
Legal Considerations for Bug Bounty Programs
Safe Harbor Provisions
Your bug bounty policy should include safe harbor language that protects good-faith researchers from legal action. The key elements:
•Explicit permission to test in-scope assets
•Commitment not to pursue legal action for good-faith research
•Definition of what constitutes "good faith" (no data exfiltration, no disruption of service, no accessing user data)
•Compliance with relevant regulations (CFAA in the US, Computer Misuse Act in the UK)
Tax and Payment Considerations
•Bounty payments may be taxable income for researchers (jurisdiction-dependent)
•Payments in tokens vs. stablecoins vs. fiat have different tax implications
•KYC/AML requirements vary by jurisdiction and amount
•For payments over $10,000, most platforms require identity verification
•Some jurisdictions (OFAC-sanctioned countries) may be ineligible
•Team: 3-5 person security team with 24/7 rotation
•Response SLA: 4 hours first response, 24 hours assessment
Integrating Bug Bounties with Your Broader Security Strategy
A bug bounty program is one component of a comprehensive security posture. Here is how it fits with other security investments:
Security Layer
Purpose
Cost Profile
Coverage
Automated scanning (Slither, Aderyn)
Catch known patterns
Free-$2K/mo
Continuous, limited depth
Professional audit
Deep analysis, point-in-time
$30K-$500K per engagement
Comprehensive but snapshot
Competitive audit (Code4rena)
Many eyes, time-bounded
$20K-$100K per contest
Intensive but time-limited
Bug bounty program
Ongoing researcher incentives
Variable (pay per finding)
Continuous, incentive-aligned
Runtime monitoring (Forta, OpenZeppelin Defender)
Real-time threat detection
$1K-$10K/mo
Continuous, detection-focused
Incident response plan
Minimize damage when exploited
Internal cost (team time)
Reactive
The strongest security posture combines all of these layers. Each layer catches different types of vulnerabilities at different points in the development and deployment lifecycle.
For a holistic view of the security partners available to build each layer of your security stack, explore The Signal's directory or book a free consultation to discuss your specific needs.
Frequently Asked Questions
How much does it cost to run a bug bounty program?
The direct cost depends on findings: you only pay when valid vulnerabilities are discovered. Platform fees range from 5-10% of payouts (Immunefi, Hats Finance) to $20,000-$100,000+ annually for managed programs (HackerOne). Indirect costs include team time for triage, fix development, and program management -- typically 10-20 hours per month for an active program.
What is the average bug bounty payout in Web3?
The average payout varies significantly by severity. Low-severity findings average $500-$2,000. Medium findings average $2,000-$10,000. High findings average $10,000-$50,000. Critical findings average $50,000-$200,000 but can reach millions for high-TVL protocols. The median payout across all severities on Immunefi is approximately $5,000.
How do I attract quality security researchers to my program?
Competitive and clearly communicated rewards are the primary driver. Fair and fast triage processes build reputation over time. Promoting your program on security-focused channels (Immunefi Discord, Twitter security community), offering launch bonuses (2x rewards for the first 30 days), and publishing transparent statistics all help attract serious researchers.
Can a bug bounty replace a smart contract audit?
No. Bug bounties and audits serve different purposes. An audit is a systematic, comprehensive review performed before launch. A bug bounty provides ongoing coverage after launch. Most critical vulnerabilities are found during audits, not through bug bounties. Launch without an audit and your bug bounty program will be overwhelmed with basic findings that should have been caught earlier.
What happens if a researcher exploits the vulnerability instead of reporting it?
This is the nightmare scenario that proper bounty sizing helps prevent. If your maximum bounty is economically rational relative to the potential exploit value, most researchers will choose responsible disclosure. However, there is no guarantee. This is why you also need runtime monitoring, circuit breakers (pause functions), and incident response plans as additional defensive layers.
How quickly should I respond to bug bounty submissions?
Industry best practice is first acknowledgment within 24 hours, severity assessment within 72 hours, and payout within 14 days of fix verification. For critical findings, compress all timelines: first response within 4 hours, fix development within 48-72 hours, and payout within 7 days. Slow response times directly correlate with lower program quality.
Should I require proof of concept for all submissions?
Requiring PoC for high and critical findings is standard and recommended -- it prevents theoretical or speculative submissions from consuming triage resources. For medium and low findings, a detailed description is usually sufficient. Some programs accept informal PoCs (step-by-step reproduction instructions) for medium findings and require formal coded PoCs only for high/critical.
What blockchain-specific risks should my bug bounty cover?
Beyond standard smart contract vulnerabilities (reentrancy, access control, arithmetic errors), your scope should explicitly address: MEV exploitation, flash loan attack vectors, oracle manipulation, governance attack scenarios, cross-chain message relay vulnerabilities (if applicable), token approval exploits, and economic/game-theoretic attacks that may not involve code bugs but exploit mechanism design flaws.
