
Quick summary
Immunefi runs crypto bug bounties and audit competitions to uncover critical fund-stealing vulnerabilities
War rooms are triggered by serious alerts, assigning operator, analyst, and comms roles immediately
Bugs are unintended logic issues, while vulnerabilities enable harmful misuse, even if intentionally designed
Most hackers are gray hats, requiring diplomatic negotiation that values recognition as well as money
Mitchell Amador, founder of Immunefi, sat down with Coinjuice to explain how crypto bug bounties actually work, the difference between a bug and a vulnerability, and what happens inside a "war room" when a protocol discovers it may have been hacked.
Immunefi runs bug bounties and audit competitions across most major on-chain platforms, and Amador has personally led war rooms, including one case that stretched 72 hours. The conversation covers what the system is built to catch, how a team responds in the first minutes of an incident, and why the fix is often the easy part.
What Is a Crypto Bug Bounty
A crypto bug bounty is a program that pays independent security researchers to find and report vulnerabilities before they can be exploited. Amador describes the approach behind Immunefi directly.
"We do that via a combination of methods but primarily by leveraging the global security community to protect them. For them we create bug bounties, we create audit competitions, we create something called PR reviews that can take the world's best security researchers, the best white hat hackers and have them hunt and find vulnerabilities before they can be found by the bad guys."
The scale of the problem is part of why the model exists. Immunefi's own data shows that "94 percent of bug bounty programs active five years or longer have found at least one critical vulnerability," and Amador puts the odds of any one customer surfacing a critical vulnerability in a given year at "around 40 to 45 percent."
A critical vulnerability, in Amador's framing, is not a minor bug. "A critical vulnerability is going to be a vulnerability that could lead to theft of funds of significant or material amounts, so think hundreds of thousands, millions, tens or hundreds of millions of dollars."
What Triggers a War Room
When a bug bounty surfaces something serious, or when an attack is already underway, the response is what Immunefi internally calls a war room. It starts with an alert from a designated device.
"You get an alert on probably the world's most annoying application, PagerDuty... and your phone starts blasting and blasting. It's like volume max and the ugliest noise you've ever heard."
"You don't know if this is a critical vulnerability disclosure that a white hat made but you have to fix it ASAP; you don't know if somebody found something suspicious but they're not sure what it is; you don't know if you've been hacked."
"We're just throwing everybody in there to figure out what's going on with this situation."
Attackers tend to pick their moment carefully.
Amador explains that "most of these things are timed, because attackers are clever, to happen when everybody is sleeping, so the ideal, you know, war room time ends up being like 4 a.m. your time."
Roles Get Assigned Before Anything Else Happens
"Most teams struggle at this and they fumble it, people freeze and they get stuck."
Amador's approach starts with division of labor, not technical work.
Operator: "Who's going to be the operator or the operations lead aka the commander."
Analyst: "Who's going to be the analyst, who is going to figure out the technical considerations about what exactly happened... You have to go to the crime scene and figure out what's going on, how did it work, or, like a doctor, how do we stop the bleeding here."
Comms lead: "You need someone on comms who's going to go and manage between the sentiments."
The comms role is not a formality. Amador is direct about why.
"If you can solve whatever this war room is but then you end up fumbling the communications, you can end up destroying all your legitimacy and public market confidence anyways, which is the worst, right? You prevent the hack and then you still are abandoned by all your users because you fumbled the comms."
The team then works in cycles: "you do this over and over and over and over and over again until you can find out exactly what the root cause of the threat is and how you can mitigate it before your users are robbed."
A single incident can stretch for days. "I had a case with the Primitive Finance war room and that one took about 72 hours. That was my whole weekend because, of course, it happened on a Friday night."
A Bug and a Vulnerability Are Not the Same Thing
When asked whether a bug bounty program would have caught the Kelp DAO incident, where a forged message slipped through a single verifier, Amador draws a sharp distinction:
"A bug and a vulnerability are not exactly the same thing... a bug is any time when your system logic doesn't work as you intended okay but the bug can be harmless... whereas a vulnerability is a way that your system can be misused to cause harm."
A configuration choice can qualify even when it was made on purpose.
"Even intentionally made design choices, right, that you architected your system somewhere. Like, we believe that gates should be designed so that someone can reach over the top and open it, and even though they designed a gate intentionally like that, that's still a vulnerability because someone can compromise the security of the system very trivially."
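The distinction above is easiest to see in code. The following is an added example written for this article; it is not Immunefi's code and not the Kelp DAO contract, and the verifier names, secrets and message are all constructed. HMAC tags stand in for the signatures a real cross-chain verifier would produce. The first acceptance policy is the "gate you can reach over": it was designed on purpose to accept a message as soon as any one verifier attests to it, and that intentional choice is exactly what lets a message attested by a single compromised or impersonated verifier through. The second policy requires a quorum of distinct verifiers, so one bad attestation is no longer enough.

```python
import hmac
import hashlib

# Constructed example: three independent verifiers, each with its own secret.
# In a real system these would be separate signing keys held on separate machines.
VERIFIER_KEYS = {
    "verifier-a": b"constructed-secret-a",
    "verifier-b": b"constructed-secret-b",
    "verifier-c": b"constructed-secret-c",
}


def attest(verifier: str, message: bytes) -> bytes:
    """A verifier's attestation over a message (HMAC-SHA256 stands in for a signature)."""
    return hmac.new(VERIFIER_KEYS[verifier], message, hashlib.sha256).digest()


def attestation_valid(verifier: str, message: bytes, tag: bytes) -> bool:
    """True only if `verifier` is a known verifier and `tag` is its attestation over `message`."""
    if verifier not in VERIFIER_KEYS:
        return False
    return hmac.compare_digest(attest(verifier, message), tag)


def accept_single_verifier(message: bytes, attestations: dict) -> bool:
    """Deliberate design choice: one valid attestation releases the message.

    Not a bug (the logic does what it was written to do), but a vulnerability:
    whoever controls or impersonates any single verifier can get a forged
    message accepted.
    """
    return any(attestation_valid(v, tag, tag := t) if False else attestation_valid(v, message, t)
               for v, t in attestations.items())


def accept_threshold(message: bytes, attestations: dict, threshold: int = 2) -> bool:
    """Hardened form: `threshold` distinct, known verifiers must all attest.

    Attestations are keyed by verifier identity, so the same tag submitted
    under several names cannot be counted more than once, and an unknown
    verifier name is ignored rather than trusted.
    """
    valid = {v for v, t in attestations.items() if attestation_valid(v, message, t)}
    return len(valid) >= threshold


def demo() -> dict:
    """Compare both policies on an honest message and on one attested by a single verifier."""
    msg = b"release 1000 units to 0xCONSTRUCTED"          # constructed payload
    honest = {v: attest(v, msg) for v in VERIFIER_KEYS}   # every verifier agrees
    forged = {"verifier-b": attest("verifier-b", msg)}    # only one verifier vouches for it
    return {
        "single_accepts_forged": accept_single_verifier(msg, forged),
        "threshold_accepts_forged": accept_threshold(msg, forged),
        "threshold_accepts_honest": accept_threshold(msg, honest),
    }


if __name__ == "__main__":
    print(demo())
```

The quorum policy does not make the system safe on its own; it raises the number of independent verifiers an attacker has to subvert from one to `threshold`, and it only helps if those verifiers really are independent (separate keys, separate operators, separate infrastructure). That is the review question to ask of any "intentional" single-signer or single-relayer design.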
Negotiating With the People Who Found the Hole
Most of the people Immunefi deals with after a critical finding are not cleanly good or bad actors.
"Most people in this situation are not white hats or black hats, they're gray hats... something like 80 percent of the security hacker community are people with strong moral codes but their moral codes are very idiosyncratic and they're very particular to them."
Money is part of the calculation, but Amador says it is rarely the whole story.
"Adulation, admiration and respect are worth a fortune to most people if it's constructed in the right form... We've made lots of great hackers famous in crypto; all the best white hats, almost all of them I should say, have been made and made famous by Immunefi."
The tone of the negotiation itself matters as much as the offer.
"It's not a heavy-handed conversation... you need to be diplomatic because these guys have power, they have real power over you and they decide your fate and your destiny."
Why This Stays Hard
Amador does not expect war rooms to disappear, even as detection improves.
"It's impossible to prevent all war rooms because our systems are not deterministic and they're going to have unexpected unpredictable vulnerabilities."
Amador expects two shifts going forward. The first is more hostile conditions: "cyber vigilantism and cyber letters of marque increase, leading to a much more hostile internet." The second is less reliance on individual expertise.
Amador's closing thought on where his own job is headed is the sharpest line of the conversation.
"I think I could encompass most of my war rooming expertise into a great AI prompt and have it do 90 percent of the thing... it couldn't give the moral support or the courage or the good judgment but it could give you know the playbook."
FAQ
What is a crypto bug bounty and why do protocols use it?
A crypto bug bounty is a program that pays independent security researchers to find and report vulnerabilities before they can be exploited. Protocols use it to leverage the global security community—through bug bounties, audit competitions, and PR reviews—to have top researchers and white hat hackers hunt for vulnerabilities before bad actors find them.
What is considered a critical vulnerability in this context?
A critical vulnerability is one that could lead to theft of funds of significant or material amounts, ranging from hundreds of thousands to tens or hundreds of millions of dollars.
What happens in a 'war room' when a serious issue or attack is detected?
A war room is triggered by an alert when a serious vulnerability is disclosed or an attack may be underway. The team first assigns roles—an operator (commander), an analyst to understand and stop the technical issue, and a comms lead to manage sentiment and communications—then works in repeated cycles to identify the root cause and mitigate it before users are robbed, sometimes over many hours or days.
How does a bug differ from a vulnerability?
A bug is any time when system logic does not work as intended and can be harmless, while a vulnerability is a way the system can be misused to cause harm, including through intentionally made design or configuration choices that allow the system to be compromised trivially.
Disclaimer
The information provided in this article is for informational purposes only. It is not intended to be, nor should it be construed as, financial advice. We do not make any warranties regarding the completeness, reliability, or accuracy of this information. All investments involve risk, and past performance does not guarantee future results. We recommend consulting a financial advisor before making any investment decisions.
Written by

Andrew Kamsky
Andrew Kamsky is a Bitcoin analyst. He spent a decade in traditional finance across a Big Four firm and a listed fintech bank before going deep on Bitcoin full-time.