Immunefi, the leading onchain, crowdsourced security platform, has paid over $100 million in bug bounty rewards to security researchers in just over three years. This milestone highlights the critical role of ethical hackers in safeguarding the burgeoning web3 ecosystem. Immunefi protects over $190 billion in user funds for established projects like Chainlink, Wormhole, MakerDAO, TheGraph, Synthetix, Polygon, and Optimism. The platform has paid out the most significant bug bounties in the software industry while saving over $25 billion in user funds. Currently, it offers over $163 million in bounty rewards, with 80% of projects finding vulnerabilities missed by code audits thanks to Immunefi's researchers.
Mitchell Amador, Founder and CEO of Immunefi, emphasized the importance of their bug bounty programs and the dedication of their community of researchers. “We work tirelessly to safeguard the onchain ecosystem, and this achievement is a testament to the effectiveness of our bug bounty programs and the dedication of our community of researchers,” said Amador. “Their work is essential in preventing substantial financial losses in web3, and we will continue to innovate and support them in safeguarding the next generation of projects and users.”
Immunefi classifies bugs on a simplified four-level scale: Critical, High, Medium, and Low. The platform covers bug report submissions across Smart Contracts, Blockchain/DLT, and Websites and Applications. Smart Contracts take the lead in paid reports, totaling $77,973,118 (77.5% of all bounties). Blockchain follows with $18,756,806.72 (18.6%), and Web and App with $3,849,014.79 (3.8%). Critical vulnerabilities account for $88,344,273 (87.8%) of all bounties paid out, followed by High severity ($7,446,570, 7.4%), Medium severity ($3,243,734, 3.2%), Low severity ($997,621.49, 1%), and Informational ($566,289.23, 0.6%).
Immunefi was the first to introduce a scaling incentive for hackers, meaning rewards grow with the severity of an exploit and the volume of funds at risk. This approach has led to a dramatic repricing of bug bounties in web3, where they have quickly become the largest in the entire software industry. The incentives to exploit projects in web3 are significantly greater than in web2 due to the capital locked in smart contracts. The ecosystem lost over $1.8 billion in 2023 and has lost $778 million in 2024 YTD, underscoring the importance of an effective and reliable incentivization system for hackers in web3.
Thanks to its bug bounty scaling standard, Immunefi has built the largest community of security talent in the crypto space, with over 45,000 researchers. Immunefi's ethical hackers and security researchers have earned as much as $10 million for a single vulnerability program reward.
In addition to bug bounty programs, Immunefi offers consultations, bug triaging, and program management services to blockchain and smart contract projects. The company recently launched Boosts, a time-bound code review program ensuring top-tier engagement from elite security researchers. With Boosts, vulnerability reports are surfaced in real time, unlike traditional audits, where a project would need to wait until the audit is concluded. Furthermore, Immunefi offers Invite-only programs powered by its proprietary data-driven security talent matching system, leveraging over 30,000 reports, thousands of vulnerabilities, and hundreds of programs to curate the best security researchers for a project's specific program.


