Vulnerability Disclosure Program (VDP)
VDPs are meant for responsibly reporting vulnerabilities you encounter — not for actively hunting for fame or reputation. Even if you're just starting out, consider focusing on rewarded bug bounty programs instead.
immutable
15
In Scope
8
Out of Scope
In-Scope Assets (15)
| Asset | Category | Bounty | Quick Links | |
|---|---|---|---|---|
| *.immutable.com | URL | No | ||
| *.imtbl.com | URL | No | ||
| *.testnet.immutable.com | OTHER | No | - | |
| https://api.immutable.com | URL | No | ||
| https://api.x.immutable.com/ | URL | No | ||
| https://auth.immutable.com | URL | No | ||
| https://docs.immutable.com/ | URL | No | ||
| https://github.com/immutable/ts-immutable-sdk/tree/main/packages/passport/ | OTHER | No | - | |
| https://hub.immutable.com/ | URL | No | ||
| https://link.x.immutable.com/ | URL | No | ||
| https://market.immutable.com/ | URL | No | ||
| https://passport.immutable.com/ | URL | No | ||
| https://play.immutable.com | URL | No | ||
| imx.community | URL | No | ||
| testnet.immutable.com | OTHER | No | - |
Out-of-Scope Assets (8)
| Asset | Category | Bounty | |
|---|---|---|---|
| *.dev.x.immutable.com, *.sandbox.x.immutable.com, *.dev.x.immutable.com, *.sandbox.imtbl.com, *.dev.imtbl.com, *.ropsten.x.immutable.com, ropsten.imx.community (see brief for exceptions) | OTHER | No | |
| *.godsunchained.com | OTHER | No | |
| *.gogbackend.com | OTHER | No | |
| *.guildofguardians.com | OTHER | No | |
| Any data exposure bug that are classified as Public Data such as Ethereum Wallet Address, NFT Purchase activity, or other public blockchain activity. | OTHER | No | |
| Anything that does not belong to Immutable | OTHER | No | |
| godsunchained.com | OTHER | No | |
| gogbackend.com | OTHER | No |