You're going to waste the summer.
Not because you're lazy.
Because summer makes losing momentum feel harmless. And by the time September shows up, "I'll lock in soon" has already cost you 3 months of your life.
This summer, use it.
Today, we're launching SR Summer 🏖️💻
A challenge for security researchers who want to spend this summer turning their skills into actual money.
The goal is not just to tell you to "hunt harder." It's to help you get better at the parts of security research that actually affect your results.
Which programs should you spend time on?
How do you choose targets with a higher chance of meaningful findings?
How do you structure your research process?
How can AI help you move faster?
How do you write reports that are easier to review, and more likely to communicate impact clearly?
That is what SR Summer is about.
The full breakdown is below.
Don't read it in September.
@atharv_181@immunefi There are indicators as you mention. It’s called “Premium Program”. Shows in the list and details and there’s a filter.
https://t.co/mBGWRKgwGf
If you have a suggestion to make it clearer we can take it under consideration. No promises.
On most bug bounty platforms, quadrupling your inbound means your team falls apart. Response times balloon, payouts get stuck, and researchers wonder if anyone is reading their hard-won reports at all.
Not so on Immunefi.
Immunefi's report volume quadrupled from mid-2024 to early 2026. More whitehats, more code reviewed, more critical vulnerabilities caught before they become nine-figure exploits.
That growth hit our operations exactly as you'd expect. By Q4 2025, it showed. First response had climbed to 8.8 days. Resolution to 12.9. Confirmation to payout to 32.9. We saw the numbers.
So we invested hard and heavy: Triage rebuilt from the ground up, better routing, better tooling, more reviewer capacity, tighter SLAs with real accountability, closer customer embedding to kill dead air between confirmation and payout.
The results: First response went from 8.8 days in Q4 2025 to 2.4 days in Q2 2026, the fastest in Immunefi's history. Not a return to normal, but a new floor that favors whitehats.
Resolution is down from 12.9 days to 5.6 days, cut by more than half in two quarters.
On the one researchers care about most, confirmation to payout, we went from 32.9 days to 10 days flat. A 3x improvement while processing four times the volume we handled eighteen months ago.
Every metric is at its all-time best, during the highest-volume period in Immunefi's history, and getting better by the day.
Security researcher experience is security posture. Slow payouts train the best people to stop looking.
Speed compounds. So does trust. That's why we're fighting to make your experience better, every single day.
Today, we are introducing Immunefi Studio, a new suite of tools built with and for Immunefi’s security researcher community.
Finding a real bug is only half the battle. The other half is proving it clearly enough to get paid.
A strong finding can still be weakened by missing evidence, unclear impact, vague PoCs, unsupported claims, poor framing, or duplicate risk.
Immunefi Studio is designed to help researchers before two critical moments:
Before they start hunting and before they submit.
The first tools are Studio Review and Studio Signals.
Studio Review helps researchers strengthen bug reports before they submit to a real program.
It gives structured feedback on clarity, PoC strength, impact quality, plausibility, missing evidence, unsupported claims, and duplicate risk.
Sometimes the bug is real, the report is strong, and the impact is clear, but the same underlying issue may have already been reported.
Studio Review helps researchers check whether their report may overlap with an existing or previously submitted finding in real time, so they can sharpen their angle, clarify what makes their discovery different, and avoid wasting their best work.
It also helps researchers write, review, improve weak spots, and submit only when the report is stronger.
Studio Signals helps researchers decide where their time is most likely to pay off.
Choosing the wrong target is costly. Researchers can spend hours reading docs, tracing contracts, building context, and looking for a real vulnerability, only to realize the program does not move at the speed, severity profile, or payout opportunity they expected.
Studio Signals gives researchers better intelligence before they commit serious research time.
It shows real program data, including paid-to-closed ratio, payout speed, confirm-to-paid velocity, response speed, outcomes across severity levels, and other key signals.
The headline max bounty is not the full story.
Studio Signals helps researchers look beyond brand name, max bounty, and guesswork, so they can choose programs with more context and better alignment to their skills, goals, and time.
Together, Studio Signals helps researchers hunt smarter, and Studio Review helps researchers submit stronger.
Immunefi Studio is currently rolled out to 20% of users, with a full release coming soon.
Start using Immunefi Studio today or join the waitlist:
https://t.co/l1W4hC8cCY
More tools are coming.
Over the past year, we've been improving the mediation process to reduce the time researchers spend waiting.
This chart shows the result.
Time to first response is down.
Time to resolution is down.
Time to payout is down.
The goal is simple: help valid work move through the process faster and with less uncertainty.
We’ve just rolled out a new Immunefi platform role for SEAL members, the vetted responders behind @_SEAL_Org's 24/7 emergency hotline SEAL 911 for active crypto security incidents.
When blackhats can drain funds in real time, every minute of friction could mean lost funds.
With this new role, trusted SEAL members can now file urgent reports immediately, without rate limits, cooldown periods, program requirements, or identity gates. Their reports also route straight to triagers, benefiting from the same streamlined reporting Immunefi All Stars receive today.
The goal is simple: when a SEAL whitehat is racing a blackhat onchain, the whitehat wins.
Massive thanks to the SEAL contributors for everything they do as a public good for our industry.
Today, we're announcing that Immunefi is partnering with @code4rena to onboard their bug bounty customers to our platform following Code4rena's decision to wind down operations.
Code4rena played a huge role in shaping crypto security, and they deserve real recognition. As they wind down, our focus is to make sure every protocol continues to receive top-tier security.
We're working hand-in-hand with the Code4rena team to make the transition as smooth as possible.
Protocol teams onboarding to Immunefi will get:
* Access to the largest and most elite whitehat community in crypto
* Professional triage and mediation, battle-tested across $135M in bounties paid
* Dedicated migration support to port over scope, rules, and reward structures
And to every C4 warden: we want you here. You've been the backbone of one of the most respected security communities in crypto, and your work has made this industry materially safer. Come join us in continuing that mission. We're committed to picking up the banner Code4rena raised around improving the whitehat experience.
A sincere thank you to the Code4rena team for trusting us to carry this forward, and for putting their customers' security first throughout this process. The industry is better for what they built.
Onward.
Big platform update for Immunefi All Stars: Streamlined report escalations.
We've removed the friction that was getting in the way of top whitehats doing their best work.
What it means for Immunefi All Stars: No submission fees. No rate limits. No mediation cooldowns. No identity gates that slow down urgent disclosures.
The All Stars have earned this through consistent, high-quality work on the platform - they've proven they're here to protect protocols, not spam them. These are the researchers who've built trust through performance, and we're building the platform to match that trust.
When a critical vulnerability is found, speed matters. Top whitehats don't need to be slowed because of platform anti-spam bureaucracy.
This is what it looks like when we actually listen to our top researchers and remove the barriers that shouldn't have been there in the first place.
The goal has always been simple: make it easier for the good guys (all of you!) to win. Happy hunting.
Real talk: we should have shipped this earlier.
Starting now, duplicate submissions on Immunefi will no longer count against a security researcher's standing on our platform.
If your report happens to be a dupe, it won't be held against you in the automated restriction system. Period.
Dupes are a normal part of bug bounty work. Two researchers can independently find the same issue within hours of each other. Penalizing the second submitter discourages exactly the people we need most: the ones hunting hard, moving fast, and reporting in good faith.
The researcher experience on Immunefi is the single most important lever we have for keeping crypto safe and secure. Every friction point we leave in place is a tax on the people protecting billions in user funds. We owe them better, and we're going to keep tightening this until the platform feels like it was built by researchers, for researchers.
A whole lot more changes in this direction are coming. Keep the feedback coming. SR Summer is coming on Immunefi.
The Future of On-Chain Security Is Human.
Crypto security platforms are abandoning security researchers for AI.
A lot of the platforms that built their name on security researchers are pivoting hard into AI.
It is an understandable move. AI auditing is a real opportunity, the teams pursuing it are serious, and proprietary tooling has a clear commercial story.
We are not against AI. It will play a meaningful role in the future of this industry.
But the shift has come at a cost.
Contests are smaller. Communication is thinner. Researchers who spent years building reputations on these platforms have been deprioritized as the roadmaps point elsewhere.
We are making a different bet.
Independent security researchers have prevented billions of dollars in losses across crypto. Every major class of vulnerability we now consider "standard knowledge" was first surfaced by a person.
The frontier has always been pushed by humans working in the open.
That is not an argument against AI. It is an argument about what AI cannot do alone.
In fact, the best researchers are already using AI as leverage.
Since AI tooling became more accessible, we have seen a clear rise in both the volume and quality of serious submissions. Yes, spam has increased too. But over the past two years, we have seen serious hunters submit stronger work, earn larger payouts, and outperform their own pre-AI baselines.
We have seen new researchers appear almost overnight and climb to the top of leaderboards by using AI to move through codebases faster, ask better questions, and hunt at a scale that was not possible before.
And we have seen already-elite researchers become even more dangerous with it. @Riptide was exceptional before AI. With AI as leverage through @therealgregoAI, he is operating at another level.
Researchers find what nobody has seen yet. AI and human researchers are complementary, but only one of them, the human, scales adversarial creativity.
We think crowdsourced security is still the strongest security foundation crypto has. AI isn’t diminishing crowdsourced security; it’s making it even stronger, more effective, more critical.
Bug bounties. Audit competitions. Shared knowledge. Researchers compensated fairly for the value they create. That is the bet we have always made. That is the bet we are doubling down on now.
We are scaling crowdsourced security in ways this industry has not seen before. The protocols that will survive the next decade are the ones being tested by thousands of adversarial minds in the open. Supercharged by AI, absolutely, but non-negotiably human at their core.
If you are a security researcher and the past year has felt different, you are not imagining it.
Come build with us. We are going somewhere new, and we want you with us when we get there.
@APompliano Some companies will shrink headcount, sure.
But many will be able to expand into ideas/products that were too expensive to test for market fit and are now easy attempts.
Businesses thrive by testing ideas to find the ones that stick… if trying becomes easier, growth explodes…
Most security firms are quietly moving away from audit competitions.
This is one of the biggest mistakes happening in crypto security right now.
There is a simple way to think about audit value: what does it cost to find a critical vulnerability?
We looked at the actual data on what it costs to find critical bugs in crypto, and the numbers are not surprising.
Finding a critical vulnerability in an audit competition costs $6,548 on average. The exact same severity bug through a bug bounty program costs $114,000. That is 17x more expensive for the same result.
Now look at the traditional audit model.
Some top firms charge $100 per line of code. Others charge as high as $25,000 per auditor per week. A single engagement can easily run $200k to $500k+, and you are getting maybe 2 to 4 people looking at your code.
But cost per critical is not even the most interesting part.
The interesting part is the structure of who is looking at your code.
When you hire a firm, you get 2 to 4 auditors. Maybe they are great. Maybe one of them is having a bad week. You are making a concentrated bet on a small number of people.
An audit competition attracts hundreds of security researchers. These are some of the best hackers, people who have found real vulnerabilities in major protocols.
These hundreds of researchers are now armed with AI tools. They understand codebases faster. They write PoCs faster. They find bugs that would have taken DAYS in just hours.
Think about what that means.
You are not just getting hundreds of humans. You are getting hundreds of AI-augmented humans, each running their own workflow, each with their own intuition about where bugs hide.
The scaling dynamics are extraordinary.
The firms moving away from competitions are optimizing for predictable revenue, not for their clients’ best outcomes.
That is understandable from a business perspective.
But if you are a project choosing where to spend your security budget, you should optimize for bugs found per dollar spent.
Audit competitions now also have scaling pots. The prize pool grows with the scope of the codebase.
This aligns incentives in a way that fixed-fee engagements never can.
But what about AI spam, low-quality submissions, and the time it takes to triage all of those submissions?
Immunefi is addressing these with mechanisms like pay-to-submit, managed triage, and AI triaging agents, which are already showing very strong promise.
The best security strategy is not either/or.
But if you have a limited budget and you want the most eyes, the most diverse skill sets, and the best cost per finding ratio, audit competitions are still the obvious choice.