Sev@00xSEV
Results and lessons from ~1yr (2025) of full-time BB on @immunefi
- 3 bugs marked as Crits and paid
- 2 Crits confirmed but not paid for >5-6 months
- spent ~3 months on this project
- the project has been unresponsive for months now
- just recently the BBP was paused
- I’m hoping they’ll pay eventually; it would be my biggest payout so far, but the chances are pretty slim
- the project even paid me for a different bug and has paid other people before, but decided to ghost here
- TVL, max bounty, and fees (from DefiLlama) show the project is an active medium-sized one with solid fee income, not some abandoned thing
- you never know if you’ll get paid or not and you have zero leverage
- 0 dups, so that’s probably good
- My income was lower than from contests in 2024, those 2 unpaid Crits would make a big difference
- If you check the immunefi leaderboard for 2025, you can see the number of paid reports is usually not that big, most often single digits
- compared to contests where you can find 10s or 100s of bugs per year, the variance in payouts is much higher
- it often comes down to 1–2 bugs per year that pay >50%, so if you don’t get paid on those you take a big hit
- It was motivating in the first months when I got several Crits
- But later I had much less motivation because
- long payment times
- long reply times (SLA is almost never respected)
- fewer bugs found, less feedback
- zero communication with the project before you submit the bug
- Strong upward and downward spirals: good results => learn more => get better, and the opposite
- What I like about BB
- you can go as deep as you want, as slow as you want, into so many projects and rabbit holes
- full freedom, no deadlines, no responsibilities, no schedule
- escalations on Immunefi work slowly (1–2 months+ usually) but they go deep into the issue
- feeling appreciated, even a simple “good find” after a month+ on a project makes you feel it wasn’t in vain
- What I didn’t like
- you are ignored all the time
- you never know when the project will reply, sometimes it’s month+
- you never know when Immunefi will reply on the issue, even if you ping in Discord you may just get something like “we are looking into it, will reply to your escalation asap” and then it can still take month+ to get a real answer
- no communication with the project, you need to learn everything on your own
- hard to navigate all the rules and define category and severity, and since you submit bugs so rarely the bureaucracy feels new every time
- issues can be closed with no explanation, you work for months and just get “Closed, out of scope”, then you ask and it turns out to be more like “no fix no pay, if this loss happens we will just top up the contract from treasury”
- you often feel low-balled, sometimes it might really not be a C but an M, but more often than not it feels like your effort is underappreciated
- overall it feels more lonely than contests
- you talk with the project or Immunefi maybe once a month or once every few months
- most of the time it feels like talking to the enemy, me against them, the project wants to pay less and pay later, you want to get more and get it faster (at least respect the SLA)
- it doesn’t feel like you are on the same side, more like you are in a fight
- no shared chat or common context like in big contests when all of X/Twitter is talking about a single project (see Maker contest), here you are hunting on your own
- Some thoughts on why the results are worse than I expected (and worse than last year in contests)
- Jump between platforms?
- each platform has its own rules, what gets paid in contests and is appreciated in private audits can be closed with no explanation in BB
- so it might be that I was looking in the wrong places and spent my time on leads that were never going to be paid anyway
- Didn’t learn enough?
- on BB you miss a lot of the learning aspects of contests, if you miss something in a contest you usually learn about it pretty soon, but in BB you don’t have that feedback loop
- you don’t really see how you compare to others (did they just get lucky, was I just unlucky, did I just choose the wrong project), without competition there is less motivation to learn and improve
- Bad pace?
- when you have so much freedom and almost no feedback, motivation slowly goes down, and your speed goes down with it
- No team? No social?
- I know this is my biggest leak overall, but in BB it’s an even bigger problem than in contests
- after a contest a lot of people want to discuss it, the issues, the mindset, the meta-game, etc
- less motivation to do X/Twitter, because it feels like if I share what I’m working on it might attract others to the same projects and I’ll start getting dups. And overall it feels like it’s me against the world, so why share (not necessary true)
- Going too deep into things that are not fruitful?
- with no deadlines and no pressure it’s very tempting to just explore how some tech works, just for fun
- hard to say if that will eventually pay, and it’s harder to stay focused on the most dangerous places
- I tend to spend months on one project, which is very risky if they don’t pay, and there are diminishing returns for most projects after 1–1.5 months
- if I didn’t go that deep into every area I don’t fully understand, maybe it would be more like 2–4 weeks per project
- I often feel like I need to check every idea I wrote down, but in reality the top ideas (marked as high probability by me) are the ones that pay, and 90% of other ideas are good for learning but probably not worth the time
- Maybe no talent? No skills?
- hard to judge myself
- overall there are some signals that I’m not that bad, 6 confirmed Crits in a year is probably ok
- Too inflexible?
- when I first came to audits I followed a very checklist-heavy approach
- now I’m more intuitive, I try to see what feels fishy, but I still rely on checklists and on going through the early ideas
- I lean heavily on AI, it’s a new thing I picked up that changed my approach a lot
- the projects I choose are mostly in my area of expertise and interest, maybe trying new languages or new types of protocols would help
- Bad mindset?
- many BB hunters jump quickly between projects, I still treat it more like a private audit and stay on one project until I feel there is nothing more I can do
- many people do something like a 1 week intuitive scan and then move on
- many work on several projects in parallel
I'm still thinking about what to focus on in 2026
Right now I'm pretty tired of BB, but that might change after a break
So probably some contests, maybe joining a team if I find one
I usually set my yearly goals in January, so there's still some time to think and decide on the direction
