FAQ
Common questions about triage timelines, payments, disclosure, and accounts.
#How long does triage take?
A triager makes first contact within 48 hours of submission, counted in business days (Mon–Fri) — Critical reports fastest, typically within 24–48 hours. This is independent of how quickly the project responds; we don't hold findings waiting on the project. Our target from acceptance to payout is about three weeks.
#Can I submit the same finding to another platform at the same time?
No. Submitting to Hunt places the finding under responsible disclosure for the duration of triage; simultaneous submission to other platforms (Immunefi, HackerOne, and others) voids the report. Once it's closed, resolved, or declined, you're free to disclose on your own timeline within the agreed coordinated-disclosure window.
#Does CertiK take a cut of my reward?
No. The project pays you directly from its own wallet. CertiK never holds or disburses funds — it runs independent triage and coordinates payout, and the payment is confirmed on-chain.
#How is my reward amount decided?
Your finding is rated impact-first into a threat level (Critical / High / Medium). For smart contracts, Critical and High pay a value-scaled amount within the program's published minimum–maximum band, based on the maximum extractable loss; Medium is a flat amount. For blockchain / DLT, each tier pays a single published flat rate. The full method — including the materiality gate and floor guarantee — is in Reward by Threat Level.
#What does "feasibility" mean for my reward?
Potential impact sets your starting threat level; feasibility then tests how practical the exploit really is. If the realistic, achievable impact is materially lower than the theoretical maximum, the threat level is downgraded (e.g. Critical → High) and you're paid at that tier — feasibility never scales the reward within a tier, and never lowers it below the final tier's published minimum. See Reward by Threat Level.
#Why are blockchain / DLT bugs paid a flat rate instead of value-scaled?
Network-layer impacts (a consensus halt, chain split, or node-resource attack) endanger the whole network's value and operation — there's no single measurable pool of "funds at risk" to take a percentage of, and a defensible estimate would need heavy, uncertain modelling. A published flat rate per tier keeps DLT rewards fast, consistent, and predictable while the impact taxonomy still places each finding in the right tier.
#Who decides the severity and the reward?
CertiK triage reproduces your finding and rates severity independently of the project. The project then confirms the finding and chooses the payout within its defined range for that severity. Severity is driven by real-world impact, not just whether a finding matches a rule on paper.
#What happens if the project goes silent?
The report doesn't disappear. Projects have a defined window to respond, and a report stalled well beyond it can be escalated for manual handling so CertiK can chase the project on your behalf. There's no automatic acceptance, but a stalled report won't be forgotten.
#Can I appeal a rejection?
A rejection by a triager is final. A rejection by a project is final unless the project re-opens it. Automated rejections can be appealed once into manual review. Issues that arise after acceptance — like a payout problem — are handled through Remediation rather than the appeals process.
#When can I publish my finding?
Not until the bug is fixed and the project confirms; exploit and PoC code only after the fix. You may always say you're a CertiK Hunt researcher and share your aggregate earnings ("$X from a CertiK Hunt program") without naming the program or revealing details. See Publication & Disclosure for the full rules.
#Do projects see my real identity?
No. Projects see only your display name — never your real identity, email, or KYC details. Any KYC required for payment is handled between you and the paying project.
#Is a proof of concept always required?
Yes. A working PoC is mandatory on every submission, and it must run on a local fork — never on mainnet or a public testnet. The exact PoC bar depends on the asset type; see Writing a Great Report.
#How many reports can I have open at once?
Up to 8 active reports at a time, with a limit of 5 new submissions per 48 hours. Reports that reach acceptance, payment, or a terminal state no longer count against your active limit.
#Do I need an invite to join?
Yes — Hunt is invite-only. You can redeem an invite if you have one, or request access through the application. Once accepted, you can submit to every public program on the platform.