Proposal for Enforcing Timely Payouts in Line with Immunefi’s SLA

In the context of web3, where security is paramount, maintaining trust and transparency with whitehats is essential to ensure the continued protection and resilience of our ecosystem.

According to Immunefi’s Service Level Agreement (SLA), projects are expected to process payouts within 7 days of report confirmation. This standard exists to foster a positive and reliable relationship between projects and researchers. However, recent whitehat submissions — and direct feedback gathered from several researchers who have submitted reports to Hydration — suggest that payouts have been delayed for over a month in some cases, significantly exceeding the agreed-upon timeline.

Delays in payouts not only breach Immunefi’s rules but also risk discouraging whitehats from continuing to engage with our program. Many of them invest substantial time and expertise in finding vulnerabilities that protect the protocol and its users. Failing to reward their efforts promptly can damage Hydration’s reputation and reduce future engagement from top security researchers.

For this reason, I would like to propose a policy to consistently uphold the 7-day SLA for confirmed reports and ensure that all whitehats are rewarded within the timeframe defined by Immunefi. This would demonstrate Hydration’s commitment to ethical security practices and strengthen its position as a trustworthy and researcher-friendly protocol.

Let’s lead by example and make timely payouts a core part of our commitment to security and community trust.

Comments

All proposals need to be decided by HDX holders. This is the way to decentralized governance. Perhaps technical staff can help find a suitable track to initiate proposals.


The Hydration team is super committed to security and is trying to provide fixes on a best-effort basis. Most of the time, the timelines proposed by Immunefi are enforced internally, but it can happen, as with the one specific scenario this post is referring to, that the issue is small but relatively hard to fix.

While we are committed to not unnecessarily prolonging payouts, in this case the hacker was informed that the payout can only happen after the issue is fixed, which is unfortunately not the case since we had a bigger issue that we needed to solve first. I am not aware of any other delays to payments. We are committed to holding ourselves to the highest standards. This proposal is, however, unfortunately not always possible to uphold, but we always communicate with Immunefi and the hackers on why this happens and when it will most probably resolve.

I am wondering what other hackers were reporting such a thing, since there is just one severely "delayed" payout from our side that I am aware of (because the issue is not fixed).
