riptide & tim discuss competitions at immunefi, conditional pots, making the game fair, backroom dealing and shift protocols, why SRs should participate, proxy negotiation, and much, much, more ...

Transcript

Introduction to Bounty Hunters and Sponsors

00:00:06
riptide
Life on the bliggity-bliggity blockchain. Welcome back to Bounty Hunters. We have an extra special episode, but as always, we are brought to you by Immunefi, the biggest bug bounty platform in Web3.
00:00:22
riptide
If you're a whitehat, I love this. I just love this ad. This is where you can earn real money and make crypto safer. Don't know where to start? Guess what? Hit the "feeling lucky" button and let the hunt choose you.
00:00:35
riptide
Hell yeah. Oh yeah. Also sponsored by RareSkills, rareskills.io/riptide, get 10% off a bootcamp. They offer all kinds of great skills to level up your bug bounty hunting knowledge and the path.
00:00:52
riptide
So do that.

Guest Introduction: Tim from Immunefi

00:00:53
riptide
And we have our guest today, Mr. Tim from Immunefi. Welcome, welcome.
00:01:01
Tim
Hello, hello. I love that intro. Honestly gives me chills.
00:01:05
riptide
It's so awesome.
00:01:05
Tim
I don't know.
00:01:05
riptide
I love it.
00:01:06
Tim
It's so good. Yeah. Hello, everyone. Nice to be here. Thank you so much for having me.
00:01:11
Tim
That's, uh...
00:01:11
riptide
Tim, what's your job at ImmuneFi?
00:01:14
riptide
So people want to know: who is this guy?
00:01:17
Tim
Of course. Is it, like, the third Immunefi guest you're having here, right? So, like, Adrian was first, then Mackenzie, who's, like, a total mystery, and then me, right?
00:01:20
riptide
I know. I know.
00:01:27
riptide
Maybe I'm biased because I started off at Immunefi.
00:01:28
Tim
Uh, okay. Okay.
00:01:30
riptide
I don't know.
00:01:31
Tim
I don't know.
00:01:31
riptide
Or it's all...
00:01:32
Tim
I don't... I'll let your listeners judge.
00:01:33
riptide
Yeah, yeah, yeah. So tell us, what do you do there, Tim?
00:01:37
Tim
Sure. So currently I'm occupying a role called Hacker Program Operations. In a nutshell, I'm responsible for audit competitions in the first place and then audits in the second place. For anyone wondering, yes, Immunefi is also doing audits, but we're mostly known, I guess, for bug bounties first and then audit competitions. So observing them, overseeing them,
00:02:01
Tim
Yeah, that's the main occupation right now. And a bunch of other things, of course.
00:02:06
riptide
Of course, of course.
00:02:07
Tim
Of course, yeah.
00:02:07
riptide
Okay, excellent.

Audit Competitions and Market Dynamics

00:02:08
riptide
And this is continuing the Bounty Hunters contest arc that we're doing ever since we got gypped by one of the big players, we'll just say.
00:02:23
Tim
Yeah.
00:02:24
riptide
It's also short for an explosive I used to use in the army, a letter and a number. So I wanted to kind of talk to the other platforms and see how everyone else is doing these audit competitions.
00:02:39
riptide
And because I don't think they're done that well, to be honest, in my experience and a lot of other guys' experience, as you guys know. So we had Patrick from Cyfrin and CodeHawks on and he was telling us his point of view. And to be honest, you know, CodeHawks sounds like a really cool platform.
00:02:57
riptide
It just doesn't sound like it's got any real traction yet. Like, I'm looking at DailyWarden, shout out to Alex, who creates all these cool tools, man.
00:03:07
Tim
Shout out to Alex indeed. Yeah. Thank you, man.
00:03:11
riptide
So I see the platform that will not be named has one.
00:03:11
Tim
Yeah.
00:03:16
riptide
Immunefi, you guys have four going on. Cantina with one, HackenProof with one, and Sherlock with one. I don't even, I don't know.
00:03:28
riptide
This is not looking good for CodeHawks.
00:03:28
Tim
Can you remember this exact number of competitions, like, distributed in this way? Like, when was this last the case, ever? Usually, when I open DailyWarden, I see Sherlock having three, Hacken, 10, whatever, with their dual defense model.
00:03:50
Tim
Cantina, of course, and then us somewhere in the back.
00:03:53
riptide
Mm.
00:03:54
Tim
But now tables turn. I mean...
00:03:57
riptide
Yeah, this is good.
00:03:59
Tim
The market is definitely crazy, I'd say, for audit competitions. I mean, it's definitely more challenging, right? It's all about, like, I guess what we're going to talk about in the next hour, it's like the balance, right? The right mix of everything that makes an ideal audit competition. Is there even an ideal audit competition these days?
00:04:19
Tim
I don't think so, right?
00:04:20
riptide
I think so. I mean, I have my ideals as a bug hunter. I would want to be incentivized enough to compete.
00:04:27
Tim
Right, right.
00:04:27
riptide
And I want to make sure that I'm going to be rewarded if I find something meaningful. Not if I find crap and I just, yeah.
00:04:33
Tim
Without escalation wars, right?
00:04:35
riptide
Yeah.
00:04:35
Tim
Without escalation wars.
00:04:36
riptide
Who wants to wait? Who wants to deal with all that bullshit?
00:04:37
Tim
Yeah.
00:04:39
riptide
That's the ideal comp.
00:04:39
Tim
Of course, of course, of course. Like, in my opinion, I agree with you. Like, ideal comp... Honestly, if I'm, you know, sharing a bit of history here, our first competition, which, if I'm not mistaken, was with ZeroLend.

Audit Models and Security Challenges

00:04:56
Tim
Yeah, the big one. Yeah, the big one was with ZeroLend. And those guys, they were just like, hey, let's do a big competition and, you know, we're just happy to pay out everything. And we're like, yeah, are you going to have like this budget or that budget? And they're like, we don't care.
00:05:15
Tim
We just want security. We want our code to be reviewed. And this was probably, I mean, this was probably the best competition back then that we did.
00:05:23
riptide
That is awesome.
00:05:25
Tim
Yeah, and I honestly wish we could have more of that, because unfortunately, some clients, and I guess this is not common only for Immunefi but for everyone who's doing competitions these days, is that everyone is trying to play it safe, right? Everyone is trying to cut their costs.
00:05:47
Tim
And this results in conditionals, this results in, you know, only criticals to be found, which I really hate, to be honest. I don't think that model is ideal for the community.
00:05:57
riptide
Why not?
00:05:58
Tim
yeah Yeah.
00:05:59
riptide
Why not? Why isn't that ideal?
00:06:02
Tim
In my opinion, at least this is how I perceive audit competitions from my seat, is that audit competitions are a great spot for newcomers. Like, if you're trying to get into Web3 bug hunting, it's much, much simpler to find something in an audit competition and get paid rather than in a bug bounty.
00:06:24
Tim
At least this was the rule at Immunefi. This is like my personal point of view, because you have insights, you have those low severity bugs, which are much simpler to find. You are allowed to make mistakes, aka duplicate payouts, which is also great.
00:06:40
riptide
Mm-hmm.
00:06:41
Tim
That thing you will not get in bug bounties. And when projects go like, well, we only care about criticals. I fully understand it from the project's point of view. Of course.
00:06:51
Tim
Of course you do. Then, you know, what else do you want to know except for, you know, drainage of funds? But then...
00:07:00
Tim
You still have to look at the whole spectrum of security, in my opinion. You still have to support, even support the community. I know it's strange to say that, but I think all those small guys who are starting to bug hunt and they only found, like, a low or medium at the beginning, maybe in your second competition, they'll be the ones who'll find that devastating crit, just knowing your code base.
00:07:23
Tim
I don't know. Am I being too far from reality here? I guess that's my ideal point of view, right? Yeah.
00:07:29
riptide
Yeah, I try to look at it from both sides. Like, if I'm the hunter and the project, I don't think there should be charity.
00:07:31
Tim
Of course.
00:07:35
riptide
I think that if I'm a project and I say I only want highs and crits, and I've heard this from many projects when I do security reviews, I think that's the impactful thing they worry about.
00:07:36
Tim
Of course.
00:07:45
riptide
If they only want to pay for that, fine.
00:07:45
Tim
Yep.
00:07:47
riptide
State it up front. Those are the rules. Great. And if Immunefi wants to help new guys, you know, keep that pipeline going, then Immunefi can say, hey, look, we'll chip in five grand for a low/info pot.
00:08:00
riptide
Okay, cool.
00:08:00
Tim
Yeah. For example.
00:08:01
riptide
You know, now we have a better solution, but I think the client shouldn't subsidize guys that aren't going to submit anything meaningful.
00:08:01
Tim
Yep.
00:08:07
Tim
Of course, of course, 100%, 100%.

Competition Structures and Fairness

00:08:10
Tim
But let's talk, I mean, let's talk about conditionals, right? So basically conditionals is the thing that we're talking about here. Like the clients chipping out the, you know, the lows and mediums and everything that's not important and then giving priority to highs and criticals.
00:08:25
Tim
Like, I think you remember the whole war going on on X a few months ago about conditionals, right? Where everyone was like, competitions are dead because of conditional pools.
00:08:32
riptide
Mm-hmm. Yep.
00:08:38
Tim
Like, that was everywhere.
00:08:39
riptide
Yeah.
00:08:41
Tim
And it actually helped us a bit to change the narrative towards flat reward pools, which I'm a big fan of, to be honest. I think that a flat reward pool is the best option for everyone because in any case, the ROI is higher for you if you're a project and there are a few crits found.
00:08:59
Tim
That's definitely better than a BBP, 100%. And ROI for the community is also great. You know that that amount will be paid out 100%, and it incentivizes everyone to hunt.
00:09:12
Tim
Like, if I wish for a perfect market, I guess, you know, flat rewards everywhere. Everyone knows the right guarantees and they're hunting. I know, I know, I'm an optimist.
00:09:23
Tim
Yeah.
00:09:23
riptide
No, no, they're good.
00:09:24
Tim
I'm... yeah.
00:09:25
riptide
I think the flat pool is the best. I think everyone agrees on that. I think conditionals could be good, except they've ruined it through greed. Because if you have a conditional, in theory, on paper, okay, 100 grand, a million bucks, it's going to open up if you hit a high or crit.
00:09:33
Tim
Yeah.
00:09:40
riptide
And these guys will find one. And then they do those backroom dealings to just push it down any way they can.
00:09:44
Tim
Yeah.
00:09:47
riptide
And they screw you. And they just, they have more power than you. So they just say, okay, we'll just keep quiet. And the guys will just move on. And the Twitter news cycle continues.
00:09:58
Tim
Yeah. Yeah.
00:09:59
riptide
I think they could be good, man.
00:09:59
Tim
It's,
00:10:01
riptide
Conditionals could be really incentivizing for people if you knew they were going to play fair. Like, I'm not against conditionals. Only if they're played fair, they could work.
00:10:11
Tim
Yeah, yeah, 100%, 100%. I mean, it all boils down to, you know, basically judging an escalation. Where it's like, how much power do those, you know, backroom discussions have over the actual validity of the bug, right?
00:10:28
riptide
Right, right.
00:10:28
Tim
Because we were in these situations a few times. Like, I think at this point in time, I can definitely talk about this.

Case Study: Spectra Finance Audit Issues

00:10:40
Tim
One good case, well, we can talk about the Spectra case, which is like a whole different thing and like what shouldn't be done in an audit competition.
00:10:50
riptide
I think I recall that one.
00:10:50
Tim
You probably heard about that.
00:10:51
riptide
Yeah. Can you put it out there?
00:10:52
Tim
Yeah. Yeah.
00:10:52
riptide
It used to be APWine, right? The guys that rebranded.
00:10:56
Tim
I think so, yeah. And then they became Spectra Finance.
00:10:59
Tim
So basically, yeah, those guys joined us for an audit competition with a flat pool. And they had a solid code base, like, you know, no excuses there. There were only lows and mediums found, if I'm not mistaken, or maybe lows and insights. So, you know, valid bugs, but not very impactful.
00:10:59
riptide
Yeah.
00:11:17
Tim
But flat reward pool, what can you do? And basically what those guys did is that they started, you know, trying loopholes and going like, oh, we didn't really agree to a flat pool. We didn't really want to pay for this, et cetera, et cetera. And I would be totally fine with that if that was a conditional, you know, but it wasn't.
00:11:36
Tim
And there was a contract, everything was in place. And it all resulted in this huge noise on X that, you know, both of us created. Because we had to release a statement at some point saying like, hey, this is the situation.
00:11:48
Tim
This is what's going on. This is how Spectra Finance is behaving. And those guys, they were like, they were restless. Like, after basically spilling out all the truth and saying like, hey, this is what we have in the contract. This is like what happened, what will happen.
00:12:02
Tim
They still went back, even in the comments section of that, you know, statement on X, and still argued with us.
00:12:08
riptide
Mm-hmm. Mm-hmm.
00:12:08
Tim
And what I love about the community is that they just ripped them apart. I was reading those comments, how, like, some people overreacted, of course, but, like, some people writing such things in response to Spectra. I'm like, thank you guys for supporting us.
00:12:25
Tim
As a result, we had to pay out the whole reward pot of 40k on behalf of Spectra. And I remember that this was, you know, a tough discussion internally, but ultimately, you know, the argument was like, hey, this is, you know, this is our brand image. And even though Spectra is misbehaving, we cannot just tell everyone that, you know, you won't get anything.
00:12:49
Tim
That would be terrible. So we decided to, you know, compensate everyone. But since then, we did our homework, of course. Since then, we implemented some mechanism which doesn't allow projects to behave in that way anymore.
00:13:05
Tim
Thank God.
00:13:05
riptide
That was a really cool move. And I think that just shows what a really cool platform you guys are when you act like that. So let me ask you this.
00:13:15
Tim
It was tough internally, man. It was tough. Yeah.
00:13:19
riptide
When you guys say, all right, we're going to host an audit competition, and I'm talking about right now, like, how would you do it? If it was a 50 grand flat pool, do you get that deposit upfront from the client?
00:13:32
riptide
So you have custody of it or you wait?
00:13:35
Tim
Ideally, yes. Yeah, like, some clients, they transfer those immediately. So before the competition starts, we just go like, hey, the rules are simple: you give us everything; in case nothing is found, we pay you back, of course, the very same day; if not, that simple, we just distribute this on your behalf. But some go, you know,
00:13:55
riptide
Mm-hmm. Mm-hmm.
00:13:59
Tim
they usually protect themselves with the legal paperwork, saying like, hey, it's not so simple from our side. How can we justify that we're just paying this to you in advance?
00:14:11
Tim
And how is that? So some people, you know, they don't want to do it, which then results in them having leverage at some point, because they're holding the funds. Right.
00:14:23
Tim
And ideally, I think there should be some kind of a mechanism. Again, my ideal world is that whenever an audit competition is signed on our side, we just have, you know, all the funds.
00:14:35
Tim
Yeah. And we have control over them.
00:14:36
riptide
Mm-hmm.
00:14:38
Tim
We return them if needed. If not, you know, that's being distributed. Right now, I think whitehats can notice, security researchers can notice, that certain competitions that we are hosting are smoother than others.
00:14:57
Tim
For example, the ones with Alchemix and Folks Finance, which are running at the moment. I can tell you for sure those are going to be, you know, as smooth as butter. I know those guys; they love doing business with us.
00:15:10
Tim
It's going to be smooth.
00:15:11
riptide
Okay.
00:15:12
Tim
And then the rest, I'm like... Okay, not that I'm saying don't hunt on them, but, you know, they're new to Immunefi. Sometimes you just don't know what to expect, I guess.
00:15:24
Tim
But yeah, that's like the TLDR of it, I guess.

Strategies and Market Positioning for Immunefi

00:15:29
riptide
And how are you guys competing in this market?
00:15:29
Tim
Yeah.
00:15:32
riptide
Like, how do you guys have four comps going at once?
00:15:34
Tim
Oh man.
00:15:36
riptide
Are you competing by price, the amount of high quality SRs, your brand? Like, what do you think is setting you guys apart?
00:15:46
Tim
That's a wonderful question. Truly. I think... So let's be honest, right? We're not hiding anything here. If you would open DailyWarden, I don't know, two months ago, you remember that we had nothing.
00:15:59
Tim
Yeah, there was a period where Immunefi was hosting zero competitions. I was really stressed out back in the day. So I was like, what's going on? Hacken was killing it with the dual defense model. Yeah.
00:16:11
Tim
Cantina was killing it.
00:16:11
riptide
What is that model? I'm not familiar with that.
00:16:14
Tim
Oh, you're not familiar. So basically, Hacken, they are converting most of their audit deals into a small competition, which is partially subsidized by the audit fee that the clients are paying, and then partially the clients are topping it off with, you know, some budget.
00:16:37
Tim
They're usually very, very... oh, and they're also, like, using their HAI token to make it even better.
00:16:43
riptide
Okay.
00:16:43
Tim
But in most cases, those are, like, very, very small competitions, like up to 20K, maybe up to 25K. And if you open up the history of those competitions, if I'm not mistaken, maybe the situation changed today,
00:16:57
Tim
only two of them ever paid out a bounty to security researchers, out of like 30 or something.
00:17:05
riptide
Really?
00:17:06
Tim
Yeah.
00:17:07
riptide
Well, that's not good.
00:17:07
Tim
Yeah.
00:17:08
riptide
Okay.
00:17:09
Tim
That is that topic of, like, only critical is in scope, that we started this podcast with, that they have in most cases, which is like
00:17:13
riptide
Okay.
00:17:20
Tim
You know, there is a difference between having critical scope and having a critical scope, but I'll explain myself. You know, you can shape it in a way where, like, well, if you drain funds from this contract, yeah, we're going to pay out to you.
00:17:32
Tim
And then you can say, well, since we're, like, a validator, you should, like, take over 50% of our nodes to get a critical. And it's, like, almost impossible to do.
00:17:45
Tim
It's still a critical, right?
00:17:46
riptide
Mm-hmm. Mm-hmm.
00:17:46
Tim
But how are you going to get it? So it can still state, like, yeah, get a critical for this competition and win like 20k. But it's, like, almost impossible to do. This is what I really dislike when this happens.
00:17:58
Tim
And I see it from time to time. This is essentially what we're not trying to do at Immunefi. Like, getting those criticals so high that you cannot even unlock them.
00:18:08
Tim
But yeah, back to the competition question. So again, two months ago, we didn't have anything. And I guess everyone was just doing a really great job at, you know, like, acquiring leads all over the market.
00:18:21
Tim
Cantina was dominating as always. I'm actually surprised that they only have one competition right now. C4, Sherlock, everyone was feeling comfortable. And, you know, we were trying to find, you know, that niche. I want to say that we had, you know, a few leads in progress, such as VeChain and Ripple, which are currently announced.
00:18:39
Tim
Those take time, you know, to work around those legal questions and everything. But then, you know, we got a few returning customers, Folks Finance, Alchemix, they decided to, you know, host another one.
00:18:52
Tim
And then again, through the work of our salespeople, we're kind of feeling better right now. But to be honest, if you ask me directly, like, why do you think you have four and everyone has, like, one these days?
00:19:06
Tim
That's a great question. I'm surprised that everyone has one. That's, I don't know. I don't even know if it's a good or a bad signal for the market. Maybe it's just...
00:19:15
riptide
That everyone has one. What do you think? I mean, you guys, maybe the stars aligned.
00:19:17
Tim
Yeah.
00:19:19
riptide
I don't know if there's anything pointing to it exactly.
00:19:20
Tim
Maybe the stars aligned. Yeah, maybe the stars aligned. I want to say that, you know, all this... You probably noticed that most of these projects, they're cross-hosting competitions from time to time.
00:19:31
Tim
Like, Ethereum was doing an attackathon with us, then with Cantina. Like, a bunch of our projects, they were doing, like, with us, then again with other providers. So they're, like, popping here and there, right? So Alchemix was doing with Cantina, I think, then went to us. So it's just, maybe the stars aligned, maybe it's just, you know, the market is favoring us, which is great. Do we have more in our pockets? Yeah, we do, actually. That is planned. But for now, yeah, I mean, it's great to have DailyWarden in front of our eyes these days, I'll be honest.
00:20:07
Tim
I'm looking at it in the mornings.
00:20:07
riptide
You guys should sponsor them. You guys should sponsor them just so Alex can't be unbiased. Just get a big, big Immunefi banner up there.
00:20:14
Tim
I think we're doing something with that. I'll be honest, we had a banner there at some point. I think we had it.
00:20:20
riptide
Well, let me ask you this too.
00:20:20
Tim
I don't know where it is right now.
00:20:22
riptide
I want to ask you about the hot topic of contests, which is the backroom dealing, you know, the self-judging.
00:20:22
Tim
Yep.
00:20:25
Tim
Let's do it.
00:20:31
Tim
Oh man, yeah.
00:20:31
riptide
Like, this is an issue that's sometimes talked about behind closed doors, but it goes on because you could fake KYC, get your partner to KYC, you're judging, all kinds of shady shit goes down.
00:20:40
Tim
Yeah, 100, 100, 100. So, for the context, we're also doing KYC, of course, on Immunefi, right? And in some competitions, they are required, and
00:20:47
riptide
How do you guys deal with those topics? Like, what policies do you have in place? Have you uncovered bad behavior before? How do you handle it? Give us the details.
00:21:08
Tim
Thank God most of the clients, they say like, yeah, let's do it, because I'm going to talk about this. I'm just going to talk about, I guess, one funny case that's going to represent what's happening, especially during the KYC process.
00:21:23
Tim
So I'm also, you know, my team and myself, we're also the ones reviewing those applications, right? We're also judging like, okay, you know, we have an external provider that helps us.

Ensuring Fairness: Judging and Trust

00:21:35
Tim
And then we're also doing, like, a final check on the guy, being like, okay, yeah, you pass, you don't, you need to provide something else.
00:21:41
riptide
This is just for admitting the guy into the competition.
00:21:42
Tim
And we have,
00:21:45
Tim
That is post, actually. On our platform, KYC is done post submission and evaluation period. So, like, you got all your submissions, you submitted everything, you got them confirmed or closed.
00:21:52
riptide
Okay.
00:21:58
Tim
And then we basically go through those who have confirmed reports and we send them the KYC link. And we go like, yeah, if you want to get the payout, you knew that you had to do KYC.
00:22:08
Tim
So there you go. Just do it now. And, you know, you'll be eligible for the payment. The reason actually why we're doing this after is that we don't have a system in place to kind of project who's going to participate.
00:22:22
Tim
So, you know, we have the participants and then we KYC them. That's the context. So back to the story, we had a guy who we found out had a duplicate account.
00:22:34
Tim
So our system checked that he had two accounts participating in a competition. I won't name the names, of course, or the competition. And our system, the duplicate detection system, also for everyone who's listening, is 99.9% solid proof.
00:22:51
Tim
So when and if we're banning someone for a duplicate account, 99.9% that we are correct. There may be false positives. They're very, very rare. So we found out that this guy has duplicate accounts.
00:23:02
Tim
And both of those accounts were eligible for a payout. So he found, like, two valid submissions here and there. And we KYC him and we tell him, hey, dude, we know that that is your second account. We know that you cannot pass with it. So we'll just ban that entity and you'll only get payments for this one. And he goes, oh, that's not my second account. That's my friend.
00:23:26
Tim
And I'm going, OK, can you ask that friend to submit a KYC? And his first KYC comes from, you know, an Asian part of the world, the one that we know is legit.
00:23:39
Tim
And then we wait for the second one. We wait for a few days. And he goes, yeah, my friend finally responded. And here it is. And he submits, I mean, the most obvious bought document that you could ever imagine, basically.
00:23:52
riptide
What are you saying?
00:23:53
Tim
African cards. Like, it's just like, you cannot imagine a worse one. Yeah.
00:24:02
riptide
Are you saying there's not a lot of Africans from Africa competing?
00:24:05
Tim
I want to believe that they were friends, you know. One from Asia, one from Africa, miraculously met on the competition at Immunefi. And then, you know, I'm reviewing that, and I remember we're just laughing. We're like, dude, you spent some money on that and you're still trying to convince us. Well, this happens a lot.
00:24:23
Tim
Yeah, let's be honest. This happens a lot. You have to stay vigilant.
00:24:27
riptide
So the guy was trying to, he made two accounts and he was submitting the same findings to get more, for, like, a dupe payout?
00:24:27
Tim
I'm not saying...
00:24:34
Tim
Yeah, yeah, yeah, yeah.
00:24:35
riptide
Oh, okay. Okay.
00:24:37
Tim
So even though the system is, you know, Sybil resistant, I know for a fact that people do that, like, for a fact.
00:24:44
riptide
What about the judging?
00:24:46
riptide
Where are the stories of the sneaky judges? You said you outsourced this too. Give us some details on that.
00:24:50
Tim
So, no, no, the judging is fully internal. The judging is fully internal.
00:24:53
riptide
Okay, okay.
00:24:55
Tim
I'm proud of that. So we don't have any type of, you know, shady people coming in house and, like, recommending us to open that report or close that one.
00:25:00
riptide
Mm-hmm.
00:25:05
Tim
All of our judges are full-time employees of Immunefi. They've been employed for quite some time and they do all the evaluations and all the reviews. Of course, this still results, you know, in mediations, in escalations.
00:25:19
Tim
I'm not saying that, you know, we're always correct. But the key there is that, first of all, I guess the community is a bit more comfortable with the fact that, you know, we're doing the judging and not someone else, and they don't have to battle, like, you know, someone from the community that they know who is judging their reports. That is, I guess, much simpler.
00:25:43
riptide
Is it anonymous? I know CodeHawks was saying that they have anonymous everything. Do you guys do that?
00:25:50
Tim
Anonymous in terms of what? Like, in terms of who you are talking with from Immunefi?
00:25:53
riptide
You don't know who the SR is. When the judge is judging you, you don't know who either party is, I think.
00:25:59
Tim
Oh no, we do.
00:26:01
riptide
You do anonymous or not?
00:26:01
Tim
We do, we see you. No, we see you. We see the whitehat. We know who that is.
00:26:04
riptide
Why is that? I like the anonymous thing. Like, why would you identify?
00:26:09
Tim
Why do you think the anonymous thing is better?
00:26:09
riptide
Because... Maybe...
00:26:11
Tim
Let me ask you this.
00:26:11
riptide
Well, because if the judge has an axe to grind with whoever, maybe they're a shitposter and they're like, you know what? Screw this guy for no reason. Who knows? You know, there's always some sort of bias that could creep in.
00:26:24
Tim
Why do you think it's, you know, bad to know that the guy is a shitposter? And you know for a fact, and then you see another shitty submission of his, and you just kind of spend less time on it.
00:26:36
Tim
Why do you think it's bad?
00:26:38
riptide
Well, I just think you should remove any bias that could exist.
00:26:43
Tim
I want to say that we're trying to act unbiased. I want to say that. And, you know, we keep repeating this to ourselves every day, saying, like, we're only judging by the report contents. And if Adrian was here, he'd probably scream at me at the moment and say, like, we always do unbiased judging.
00:26:59
Tim
And I would believe him, honestly. But...
00:27:05
Tim
You know, at some point, you will see those guys who are, you know, we see those spammers almost every competition with, like, 40 closed to 0 valid reports.
00:27:16
riptide
Mm-hmm. Mm-hmm.
00:27:17
Tim
And, like, you understand that those guys, you know, they won't get valid reports. That's for sure. All of them are AI generated, like AI slop, right? And we're just closing them out. It's not like banning, but closing.
00:27:30
Tim
In terms of every other contestant, every other submission that we received, that is, you know, a thorough review of every report, even the closed ones, everything that's been submitted.
00:27:42
Tim
And we do often reopen closed ones. We often close the confirmed ones, you know, if we believe that the judging was done incorrectly on the project side. But in most cases,
00:27:56
Tim
I'm proud to say that we haven't had a major escalation on reports over the past few months, or maybe half a year. Like, you probably haven't seen any kind of social fuss around judging on Immunefi, which I'm proud about.
00:28:10
riptide
No, nothing, nothing blew up recently, but how does the flow work?
00:28:11
Tim
Yeah, wait.
00:28:14
riptide
I'm curious. So if you're a bug reporter, you're an SR, you'd file the bug and then it gets judged. And then is there an appeal process? Does the judge have autonomy and his say is final?
00:28:27
riptide
Is there like an executive review committee, a committee at the project or at ImmuneFi? Like, who can override what?
00:28:36
Tim
Yeah, yeah, yeah. Let me describe the process here. So you're a security researcher, you submit a bug, it gets either escalated or closed. If it's closed, pretty simple route. You know, you can request mediation and you can ask for that report to be reviewed again and potentially reopened.
00:28:56
Tim
Or if it's escalated... otherwise it gets confirmed, right? So the project agrees with that. And the first triaging is done internally. So the first kind of level of filtering is done by us.
00:29:11
Tim
And then the actual confirmation or closure is done by the project at first. So this is like the live period of the competition. Either it's an Attackathon or an audit competition.
00:29:22
Tim
Let's say, I don't know, three weeks. At the end of those three weeks, ideally what we want to see is a number of confirmed and a number of closed reports. In most of them, well, not in most, in some of them, white hats will request mediation, and we will collect those requests, telling everyone that those will be judged at the end.
00:29:40
Tim
So we cannot do it midway, so as not to disrupt the flow; we will review everything at the end. We then collect everything and the evaluation period starts, that purple rectangle on the website. And internal triagers, they start reviewing every single report.
00:29:56
Tim
Usually it's two people working on one competition to remove the bias, as you mentioned. So they're working independently and then they're like cross-checking their results.
00:30:05
riptide
Mm-hmm.
00:30:05
Tim
They go through every single report, every single confirmed, every single closed. They match the severity, they match the duplicate GFinder statuses. They make sure that, you know, what is confirmed is confirmed, what is closed should be closed.
00:30:21
Tim
And we are arriving at the dispute period, as we call it, or the appeal period, whatever you like. In there, we tell everyone that, hey, you can now look again at your dashboard.
00:30:33
Tim
We've addressed every single concern that every one of you had. And if you still have concerns... and by addressed, I mean we posted our assessment. We like sharing, saying like, hey, you were correct or you were incorrect.
00:30:45
Tim
And then we are giving them another chance, a 48-hour window, to request appeals, to say that we were wrong, but only in certain cases. So, for example, if your report was downgraded in severity, or if it was closed after it was confirmed. In every other case we won't review it, because, you know, if it was closed and it's closed again, well, I don't think something will change there. Why are we not reviewing everything again during the appeal period? It's the time. So I know how everyone wants their rewards to be in their pockets within days. We're trying. I had a dream of running an evaluation of a competition within a week. Never happened. I think our record was like nine days or something.
00:31:29
riptide
Mm-hmm.
00:31:32
Tim
But yeah, to save time, well, I don't want to say ignoring, but we're not doing certain reviews, but we're doing reviews if we think, you know, your request is legit according to those rules.
00:31:46
Tim
So we do a secondary review. And here comes the interesting part, something that I haven't shared before, I think, is we share the results with the project. We tell them, hey, here's what we have. Right? Here's what we have for you. We reviewed everything. We judged everything.
00:32:00
Tim
Here are the final results. And here comes the interesting part, right? Ideal scenario is the project says, yep, great. Paying it out tomorrow. Funding the vault.
00:32:12
Tim
Done. Here's the payment for everyone. Everyone is happy. And what could happen is that the project goes, well, actually, you know what? This critical is not a critical, because there was documentation that no one was aware of, but we have a timestamp somewhere which invalidates it. It's too low.
00:32:34
Tim
Before I continue, how would you approach this type of scenario? Like, where...
00:32:38
riptide
It sounds difficult to be honest, unfortunately.
00:32:38
Tim
Yeah. Yeah. Like, how... What would you do, right? They're proving themselves to be right. They're saying, like, well, I have all the proofs and I'm telling you it's not a critical.
00:32:50
Tim
And you go, like, but the code base, the documents, like, everything that you have... They go, like, yeah, sorry. What would you do? Like, what's...
00:32:59
riptide
From a perspective as an SR?
00:33:03
Tim
I guess, yeah, from an SR, especially when, you know, we're approaching SRs and telling them this.
00:33:09
riptide
I would say that, well, if everything that was, you know, from whatever commit, whatever date, if everything was out there, all the materials that you're supposed to have, and the bug is valid based upon that, you know, then I would argue that I am in the right.
00:33:26
riptide
If they had information that was not available yet, it was timestamped like before that, but it wasn't disseminated.
00:33:26
Tim
Yep.
00:33:31
riptide
Well, I mean, that's not fair, because you wouldn't have had enough. You wouldn't have had the information.
00:33:38
Tim
Exactly. Exactly. And this is the tough part, right? Because you can spend months on this. And a great example is the Fuel Attackathon. I think I can say it now.
00:33:51
riptide
Mm-hmm.
00:33:52
Tim
Like everyone was wondering why did it take like three or four months to release the results there and pay out to security researchers. Well, Criticals. Criticals and highs.
00:34:02
Tim
We had... I think if we were in one office with the Fuel guys, we would probably fight over some bugs at some point. Like, really fight, because there were very heated discussions around some reports, and we really, really wanted to, you know, favor some of them towards the community. And, you know, thank God that everything was unlocked in there. I think the full million was paid out.
00:34:26
Tim
But it still happens. Like, I... unfortunately, you know, cannot give more concrete examples, because even some of those competitions are currently in progress, you know, where this is happening. But this happens, and here's the thing. Like, ideally I'm with you. I'm like, yeah, we just tell you that we judged it, we think it's correct, we have all the info, we present it to you, just pay out. But what if they say no, right? What if they just say, yeah, we have the funds, that leverage that we talked about.
00:34:58
riptide
Mm-hmm.
00:34:58
Tim
And they go like, we don't want to pay. So you're faced with this horrible scenario of, you know, them not paying out either everything, or, like, nothing, which is even worse. They just, like, churn at the end. This is what happened with Spectra, basically.
00:35:17
Tim
Or you try to find a middle ground solution. The problem with this whole approach is that you will lose somewhere. Like, you either lose on the community side, where you notify those people and say, like, hey, sorry, we have to downgrade it, or you lose with the client, and, you know, you lose the trust, you lose the brand, that type of stuff.
00:35:38
Tim
So how to balance it? Great question. I guess we're just not there yet in terms of the whole agreements around only competitions and how they're done.
00:35:46
riptide
Well, I think you guys are, you need to be that central trusted authority

ImmuneFi as a Trusted Authority

00:35:51
riptide
in this decentralized space, right?
00:35:51
Tim
Of course, of course.
00:35:53
riptide
Because you guys, your clients are all these SRs, your repeat clients. Maybe you get a one-off project that comes to you. Maybe you get recurring projects. But you have the SRs that are coming to hunt for these competitions.
00:36:06
riptide
So they expect you to kind of, you know, hopefully... have that reputation, or it's positive, unlike the competition platform that won't be mentioned. And you keep that trust high by enforcing certain things, right?
00:36:20
Tim
Cracks me up a bit.
00:36:21
riptide
So if you tell the protocol, listen, it's non-negotiable.
00:36:23
Tim
Yep.
00:36:26
riptide
You put whatever you're going to pay out with us and we hold it. I'm sorry. If you can't do that, you can't be on here. And maybe you lose some clients like that. Maybe you stiff arm them and then they come back and put it on anyway.
00:36:38
riptide
But I think you need to be firm on that because that makes the leverage over you non-existent. And so that way, all this kind of these little things that happen, you guys can say, hey, look, we're the trusted third party here.
00:36:51
riptide
But we're trying to get rid of that in DeFi, right? We're the trusted third party, and we're going to make sure that the SR gets a fair shake and that, you know, each party is treated equally.
00:36:54
Tim
Yeah.
00:37:02
riptide
But you can't do that if someone's exercising leverage on you on one side. Because the SR doesn't really have leverage except for shitposting about you and bringing down your reputation. Other than that, the CT news cycle moves on, and it's like, oh, well, you got fucked, you know, next time.
00:37:12
Tim
Yes. Yeah. Yep.
00:37:16
Tim
Yeah.
00:37:18
Tim
What I love about crypto, and especially, you know, all the shitposting that happens, is that it's very easily forgotten. Like, you see that, you know, storm happening with whatever the report is, whatever happened.
00:37:31
Tim
And then, you know, a few weeks later, it's calm again. Like, someone remembers, yeah, sure, there was an escalation. But then again, back to the normal stream.
00:37:39
riptide
Yep, yep.
00:37:40
Tim
I do agree with you, Riptide. I do agree with you. Unfortunately, there are people, or fortunately, at ImmuneFi, who will disagree with you on this, you know, in terms of losing or not losing a client.
00:37:51
Tim
But this is the internal escalations that also happen. In terms of... I guess I want to share some insights here. In terms of, like, how an SR can approach these types of scenarios from an SR's seat.
00:38:06
Tim
How to make sure that you are...
00:38:11
Tim
Not, like, fully protected from this type of scenario, but even if you are in it, you understand why this happened. Like, first of all, I want to say that we have a certain layer of security researchers who always participate in our competitions, and they're always, you know... It's not that they understand the situation, but they are very thoughtful about each and every one of their reports. Like, even if they submit something which the project invalidates immediately, or, you know, they start arguing, they don't get into the heated conversation immediately. They don't try to escalate it. They don't try to, like, argue with them or, like, shit on them, that type of thing.
00:38:50
Tim
Most of them reach out to us to ask us to handle those conversations, because usually this is what is better for everyone.
00:38:57
riptide
Mm-hmm.
00:38:58
Tim
And I highly recommend to everyone who feels that, you know, during a competition on ImmuneFi, you feel like you're being misjudged or not heard, or especially misjudged: always, always reach out to us, because we have experience with it and we are here to protect you. I always say that we're here to protect you, to make your day better. And we will help you with that report or with that submission.
00:39:20
Tim
And the other thing that I will share is that, you know, details in your report really, really matter. And it's also important to note that it's not only the context of your first report, you know, the first kind of... when you do the submission, the description, where the POC works. You can still submit more information in the future when the competition is running, or, you know, when we're still doing the evaluation. You can still continue to submit working POCs or valuable details for us to judge on that and to make an argument against the project if an escalation happens.
00:39:57
Tim
So we're fully, fully prepared in case, you know, you feel like your report is very edgy, and you feel it yourself, because I think most of the white hats do understand that, you know, when they submit that edgy critical, they do understand that it is edgy.
00:40:11
riptide
Yeah.
00:40:12
Tim
I know that for a fact. Oh, yeah.
00:40:15
riptide
This is the best tip.
00:40:15
Tim
Yeah.
00:40:17
riptide
I'm just going to say that's an alpha drop right there. Tim just dropped some alpha on this podcast, right? All right. This is the best thing, because I'm a big fan of the whole art of negotiations and everything.
00:40:28
riptide
And sometimes I'm good, sometimes I'm not, you know, in real life and on blockchain.
00:40:29
Tim
Oh yeah.
00:40:33
riptide
But this concept of a proxy negotiation, where you have representation, this is throughout your life, you'll see how it's so useful.
00:40:40
Tim
Yeah.
00:40:42
riptide
This is the reason you get an attorney. This is the reason you have a real estate agent. This is the reason you get a mediator or a representative or anything. And so, because when you take it off that person, you have the third party argue.
00:40:55
riptide
It's always so much easier. Like if you ever, absolutely.
00:40:57
Tim
And it's also easier psychologically, right? Like, you're no longer doing it yourself. You're no longer, like, letting emotions in. You're basically telling an unbiased party to handle your emotions, to handle your negotiation, which is what we're doing.
00:41:09
riptide
who
00:41:12
riptide
Absolutely.
00:41:14
Tim
And it is free, right? Everyone knows that. You can request mediation at any point in time in any report. You won't be charged for it or anything like that. It's part of the process. And...
00:41:26
Tim
Yeah, it's that. And the fact that you still have to, you know, stay calm and collected, even if you see that things are heating up, right?
00:41:38
Tim
Even if you see that, you know, we're not very successful with our arguments, or the project is a bit stubborn, don't let your intrusive thoughts in, because some white hats do that.
00:41:47
riptide
Yeah.
00:41:47
Tim
They later apologize. They go like, sorry, I went over the line. It doesn't help, because then the project can use that as an argument against us, as the most terrible thing.
00:41:56
riptide
Yep. Yep. Always take a walk, sleep on it. Just chill out.
00:42:00
Tim
Yeah. Yeah, exactly.
00:42:01
riptide
Yeah. Do not allow emotions to come in.
00:42:01
Tim
It's not that you have to respond in five minutes. Yeah, yeah, yeah. You can respond tomorrow. That's fine. The windows are...
00:42:09
riptide
It's because so much money's on the line and people get amped up. They're like, oh shit, they've jeopardized my cashflow. And you just got to step back, say, hold on, let me form a nice objective argument

Handling Disputes and Improvements

00:42:22
Tim
Yep.
00:42:22
riptide
with no emotions at all, completely professional.
00:42:25
riptide
That's the best way to do it. And through a proxy is honestly the best way, like you're saying. Now that's the true alpha, and anyone submitting any bugs through competitions or otherwise, definitely make use of the mediation.
00:42:38
riptide
That's a killer tip.
00:42:39
Tim
Yeah. Yeah, yeah, absolutely. And then, you know, another alpha drop is what I mentioned, that I know a few SRs... and, you know, when you find that sweet critical, right, which is not a direct theft of funds.
00:42:54
riptide
So sweet.
00:42:56
Tim
Yeah, which is not, like, that obvious. Okay. And we all know a person in the industry who really loves to battle over criticals which are not really critical. Yeah, we're not going to name names. But so, when you know that your report is, like... I know what you're thinking. You're, like, sitting back in your chair and you go, like, yeah, that is a crit if you look at it at this angle, but in reality you can downgrade it to a griefing, you know, that type of thing. Think about it. Like, think about it carefully. Think about what else you can provide to make your case, to truly make us understand, and the project understand, that it is a critical bug.
00:43:22
riptide
Yeah. Mm-hmm.
00:43:36
Tim
And I understand that some of them are not that cut and dried. Yeah, the most obvious bug is how you can steal funds, of course. It's not always the case. So try to basically make your case in court. Sorry for the expression.
00:43:51
Tim
But this will really, really help everyone who is involved in the judging process. That is alpha drop number two, hopefully.
00:44:00
riptide
I like that.
00:44:00
Tim
Yeah.
00:44:01
riptide
Packing it with alpha. No, I like what you guys are offering.
00:44:02
Tim
Yeah.
00:44:05
riptide
And it sounds like the guys can get a fair shake over there. And there's actually a path to arguing and escalation. And it sounds like you guys have figured it out.
00:44:16
Tim
Yeah. Honestly, what do you think, maybe something that you saw in your community, what do you think, you know, we can do better on that side? Because we're always here to improve, right? And I know that the whole escalation thing is tough.
00:44:31
Tim
It has always been. Yeah.
00:44:33
riptide
I think what you're proposing sounds great.
00:44:34
Tim
Yeah.
00:44:35
riptide
You should have... just give the, you know, it's like a courtroom, right? Give each side a say and just treat it fairly. That's all.
00:44:44
Tim
Yeah.
00:44:45
riptide
Don't give weight to one side because you hold some sort of monopoly or oligopoly power in this space. You should give equal say to each, and it just results in a better outcome.
00:44:57
riptide
The guy wants to come back and compete. The protocol feels like they got their money's worth. So, just find that balance.
00:45:05
Tim
Yeah. Yeah. Finding the balance. This is where we started, right? Finding the balance in the competition is the ultimate source of truth.
00:45:16
Tim
Yeah.
00:45:17
riptide
So on another topic, Tim, you said you also are in charge of audits as well, right?
00:45:17
Tim
um
00:45:22
riptide
Which

Future Outlook and Closing Remarks

00:45:23
Tim
That is true.
00:45:23
riptide
I don't see much publication about that.
00:45:25
riptide
I'm just curious with ImmuneFi. Is that a pretty active space for you guys?
00:45:28
Tim
That is a bad sign. That is a bad sign that I'm talking with you, like, what is ImmuneFi Audits? Yes, we're not doing enough marketing there.
00:45:34
riptide
Yeah.
00:45:37
Tim
So we started doing them a few months ago, late to the party. I'm going to admit that. Everyone is already in that field for quite some time. We are doing it a bit differently. So instead of making, you know, contracts with SRs and kind of tying them by their hands, saying that they can only do this with us, we gathered, you know, a cohort of people.
00:46:02
Tim
Basically best of the best, All-Stars, if you heard about them. Those are, like, our best SRs, and we told them, like, hey, yeah, we will offer you an audit at some point if we have leads and, you know, you can participate. And we gathered all the information from them, their skills, their preferences, you know, time zones, paychecks and everything. And now we can offer this to the community, and this is also a strong selling point in terms of
00:46:06
riptide
Mm-hmm.
00:46:31
Tim
we're not offering you auditors, we're offering you white hats in the first place, who have a very non-standard way of thinking and finding bugs.
00:46:36
riptide
Mm-hmm. Mm-hmm.
00:46:42
Tim
And yeah, since then, we're trying to squeeze ourselves into the audit market, which is actually, you know, very much packed, rather than the audit competitions market. Yeah, we have some dominating players, right?
00:46:54
Tim
Zellic, Spearbit, some small boutique firms, which are also, like, very dominant in their fields, occupying, you know, like, whole languages, for example. And yeah, then we have us trying to find our niche too.
00:47:08
Tim
Like we're still on the way, I guess. It's tough, tougher than I've expected. But yeah, if any project is listening, we're here. Yeah.
00:47:19
riptide
Yeah, I think ImmuneFi is the number one in this space, to be honest. I'm so biased, but I think you guys are... yeah, but obviously... no, I think you guys are doing great.
00:47:27
Tim
You are, dude. You are. Thank
00:47:31
riptide
I also like what CodeHawks is doing.
00:47:32
Tim
you.
00:47:34
riptide
I got to relook at Sherlock. I haven't looked at HackenProof, their competitions, at all. But I'd like to talk to those guys as well, give everyone a fair shout out.
00:47:41
Tim
Yep.
00:47:45
riptide
But Tim, sounds like you've got a baby in the background. Don't want to keep you. But hey, thank you for coming on the pod today. It's been great. And we will see you guys next time on the blockchain.
00:47:55
Tim
Thank you. Thank you so much for having me here, Riptide. This was amazing.
00:47:58
riptide
All right. All right, man.
00:47:59
Tim
Thank you.
00:48:00
riptide
Thanks.