AFO
148 posts


Just shipped on Immunefi: Priority Mediation.
For a while now, security researchers have been telling us the same thing: when you've put real work into a report and you believe in it, waiting weeks for a mediator to pick it up is brutal.
Priority Mediation now lets researchers who are confident in their submission pay to get faster resolution with a hard commitment: resolution within 30 business days, mediator status updates at least every 7 business days along the way.
A couple things I want to be explicit about, because they matter:
1) Free mediation requests are reviewed by the same trained mediators, using the exact same decision framework.
2) The tier you choose affects the queue, not the verdict. A paid mediation does not buy you a favorable outcome. It buys you speed and additional hands-on activity. Every case gets the same impartial review, full stop. If we ever blurred that line, the whole system would be worthless.
This is one of several changes we're shipping based on direct researcher feedback.
Keep it coming so we can usher in SR Summer.


@MitchellAmador @asen_sec I just got banned, even though most of my submissions are valid and duplicates.
AFO retweeted

@cantinasecurity @monad backported one of my reports on your platform, then marked it as spam and didn't pay me.

Big news from Immunefi: we just shipped Proof of Duplicate, and it's *the* feature I've been wanting to see for a long time.
For years, one of the most frustrating experiences a whitehat could have was submitting a report, putting in the hours of research, the careful write-up, the working PoC… and getting back a one-line "duplicate, closing."
No justification and no transparency. No way to push back. That era is over.
Starting now, when a submission is closed as a duplicate, it points to the original report. The researcher can read the original. They can compare the reports for themselves... and if they believe the call was wrong, they get a formal dispute button.
Verdict upheld means the report stays closed. If the verdict is overturned, the report gets reopened and goes back through triage like nothing happened, including reward eligibility.
This matters beyond the feature itself. The whitehat community is the immune system of crypto. Every protocol secured, every exploit prevented, every billion in TVL that didn't get drained.
For this immune system to keep working, things have to keep improving for whitehats. Proof of Duplicate is just one piece. There will be more.
SR Summer 2026 is coming.


🤔 So all of them are judged now: 7 are valid (1 critical, 3 medium, 2 low and 1 insight). Not too bad, I guess! Didn't expect to find a critical (though submitted as med) in Base lol
Quoting BRDNS (@brandon_shi):
I guess this concludes the Base contest for me. Submitted 8 issues in total, 4 confirmed thus far. Unfortunately didn't find any crits; hope I can win enough to cover submission fees.

@brandon_shi Thanks! Between Claude and Codex, do you think Codex performs better?

Today was the most fun I've had in my pursuit of a future in cyber security. I decided to get OpenVPN configured on my Kali machine, but got it configured for the non-Academy HTB. This gave me an idea, and away I went.
I got Codex all geared up with hand written custom workflows for every stage of pentesting. I even took the time to have it give detailed reports of findings and methodology across each stage in a comprehensive way for someone at my level to understand and learn from. It includes exceptions for when potential new findings/vulnerabilities arise and prompts the user to input how to proceed.
Eventually I'll add the last few aspects of a pentest (post-ex, lateral movement, the exceptions that can happen in those phases, and then of course the PoC).
After about 5 minutes of playing God, I got a bit bored, but it dawned on me that I could essentially use Codex as a “mentor” giving tips throughout the Box and that will have a detailed breakdown of every concept, command, method, exploit used during your session once you finish up.
I’ve got so many ideas for this, it’s gonna be a fun week!
#RoadToRedTeam

@MitchellAmador Good to hear. I mean, I just got a report closed where the feedback from the team was:
1. Previously reported
2. It's a bug but not a security issue, and we don't pay for this
So I really appreciate this idea, and I hope closed reports becoming public or being listed as known also comes next.

Real talk: we should have shipped this earlier.
Starting now, duplicate submissions on Immunefi will no longer count against a security researcher's standing on our platform.
If your report happens to be a dupe, it won't be held against you in the automated restriction system. Period.
Dupes are a normal part of bug bounty work. Two researchers can independently find the same issue within hours of each other. Penalizing the second submitter discourages exactly the people we need most: the ones hunting hard, moving fast, and reporting in good faith.
The researcher experience on Immunefi is the single most important lever we have for keeping crypto safe and secure. Every friction point we leave in place is a tax on the people protecting billions in user funds. We owe them better, and we're going to keep tightening this until the platform feels like it was built by researchers, for researchers.
A whole lot more changes in this direction coming. Keep the feedback coming. SR Summer is coming on Immunefi.

AFO retweeted

@monad please communicate with @cantinasecurity about my security report you backported and then closed as spam.

@origami334 @nnwakelam You would need significant resources; I use them via API.