Frequently Asked Questions

Program and Account

Can we make payments using our project tokens?

Yes, you can use your project tokens to make payments. Please make sure to add that to the program description section.

I want to cancel or remove my program.

Please contact support@r.xyz or your account manager if you want to cancel or remove your program.

Important: After cancellation, all previous report submissions on that program will remain active and should be reviewed based on the program version to which they were initially submitted.

I want to put my program on hold

You can put your program on hold directly from the program page. This will remove it from the security researchers' program list until you reactivate it.

Please contact support@r.xyz or your account manager when pausing your program or bringing it back live on Remedy.

Important: After cancellation, all previous report submissions on that program will remain active and should be reviewed based on the program version to which they were initially submitted.

What happens if our team discovers a bug after launching the bug bounty program?

If your team discovers a bug from other sources after launching the bug bounty program, you should include it in the "known issues" section.

Alternatively, you can report it on your bug bounty program so that you can provide a ZK proof of duplicate if you receive a similar report.

How do I add and manage my organization's users?

The system doesn't allow me to edit or create programs

If you’re unable to edit or create programs, it’s likely due to the role assigned to your user account. The Triage Manager role, for example, allows you to perform actions on reports but restricts your ability to edit or create programs.

To gain access to these functions, you need to be assigned the Program Manager role, which allows full control over both programs and reports.

If you believe you need this access, please contact your account administrator to request a role change.

Reports and Communication

How does our team know when a valid bug report is submitted?

When a valid report is escalated to your team on the Remedy platform, you will receive an email and a web notification.

The new report will also appear in the "Pending Review" tab on the "Reports" page.

When should our team start reviewing the report?

It is recommended that escalated reports be reviewed within 1-2 days after the Remedy triage is completed. Your team has up to 45 days to finish the report review.

All valid reports pending your attention appear in the “Pending Review” tab on the “Reports” page.

You may also begin your review before the Remedy triage is completed.

Please refer to the response times.

Can I change the severity level of the report?

If you find the report's severity level inappropriate, you can adjust it directly from the thread. If the Remedy triage team disagrees with your assessment, the reported severity may be changed after discussion.

*Please use the RVSS calculator to determine the severity level.

How can I calculate the severity of the report?

Please refer to your program scope or use the RVSS calculator tailored by Remedy to accurately determine the severity level of the report.

Can I edit/delete my message in the report thread?

You cannot edit or delete your messages in the report thread. The report thread is intentionally uneditable for all users, primarily for security reasons. It serves as crucial proof and a historical record, ensuring the integrity and transparency of the communication and actions taken within the thread.

Therefore, it's essential to exercise caution and accuracy when posting messages in the report thread, as they cannot be modified or removed once posted.

Payouts and KYC

Do we have to pay a reward if we don't fix the vulnerability?

Yes, even if the reported vulnerability does not result in a code change, a reward is still required if the vulnerability is valid.

*Add such cases to your program’s out-of-scope section to avoid receiving similar reports.

Is payment required for the bug reports that were closed as out of scope, but our project fixed the issue anyway?

No, you are not obligated to pay a reward if a bug report submission is closed as out of scope, even if your project fixed the reported issue.

However, it is highly recommended that the researcher's effort and contribution be acknowledged with a payout.

KYC Verification Flow on Remedy

You can select the “KYC required” option when setting up your program. KYC verification can be handled in one of the following ways:

  1. Integrated KYC Verification: Security researchers on Remedy are welcome to complete a primary KYC verification. Once verified, the system will mark these researchers, so you won’t need to request KYC from them again. Please refer to this guideline for more details.

  2. Self-Managed KYC: If preferred, your company can handle the KYC procedure independently. You will manage the KYC process and ensure compliance, while Remedy can assist as needed.
