PoC Protection

The Problem

Every source platform has different submission requirements — some want just a PoC, others want full vulnerability reports with CVSS scoring, impact analysis, and recommended fixes. Generating professional-quality reports is skilled, time-sensitive work. Sloppy reports get rejected — and rejected findings mean zero payout for the entire pool.

Prowl operates a dedicated Report Agent that handles this automatically, generating whatever the source platform requires.

How It Works

PoC Protection is ON by default on all pools. There is no separate service fee — the cost is absorbed into the base 20% platform fee. Keeping it on grants a -1% platform fee discount and includes free report generation for all findings.

Operators can opt out at pool creation, but doing so has two consequences:

  1. Loss of the -1% platform fee discount — you pay the full base rate
  2. Per-use report generation fees — whenever Prowl generates a report at submission time, you're charged per use

| | PoC Protection (default — ON) | Opted Out |
|---|---|---|
| Platform fee discount | -1% off platform fee | No discount |
| Report generation | Included — no per-use charge | Per-use fee at submission time |
| What you get | Prowl's Report Agent on standby. Auto-generates full PoC + report (platform-specific format) on any finding. Faster submission, higher acceptance rate. | Prowl still handles High/Critical submissions (blackout rules apply), but you pay per report and lose the fee discount. |
| Applies to | All finding severities | High/Critical only (blackout-required) |

Why Keep It On?

You save money and get better outcomes. This is both a carrot and a stick.

The carrot:

  • -1% platform fee discount directly reduces your costs. Stack with Sentinel (-1%) for -2% total.
  • Free report generation for all findings — no per-use charges ever.
  • Faster turnaround. The Report Agent is pre-configured for your pool's target — no cold start.
  • Higher acceptance rate. Professional reports with PoC code, reproduction steps, and platform-specific formatting get paid. Sloppy reports get rejected.
  • All severities covered. Low/Medium findings delivered to your Pool Admin Dashboard with complete, submission-ready reports.

The stick (if you opt out):

  • You pay the full platform fee (no -1% discount).
  • You get charged per use whenever a report is needed at submission time.
  • You still can't avoid report generation for High/Critical findings (blackout rules require Prowl to handle submission).

Stack with Sentinel for maximum savings: PoC (-1%) + Sentinel (-1%) = -2% off platform fee.

What the Report Agent Does

  • Full access to finding details, source code context, and on-chain state
  • Generates whatever the source platform requires: PoC code, impact analysis, reproduction steps, CVSS scoring, mitigation recommendations
  • Outputs platform-specific report format (Immunefi, HackerOne, Bugcrowd, Code4rena, etc.)
  • Adapts output based on each platform's submission requirements
  • Runs in an isolated environment — no access to other pools or findings
  • Flags tooling gaps — if a required tool or API is missing, the report is generated with available tools and the gap is flagged for the Prowl team to address

Who Submits?

| Severity | Who Generates Report | Who Submits to Source Platform |
|---|---|---|
| Low / Medium | Report Agent (delivered to Pool Admin Dashboard) | Pool admin / Solo hunter (manually) |
| High / Critical | Report Agent (internal to Prowl) | Prowl team (manually) |

For Low/Medium findings, the complete report is delivered to your Pool Admin Dashboard. You review it, optionally edit it, then submit to the source platform yourself using your pool's escrow wallet as the payout address.

For High/Critical findings, Prowl handles everything — you see only "Critical finding detected. Under Prowl review."

Future: Automated Submissions

Today, submissions to source platforms are manual — Prowl generates the report, a human submits it. As Prowl establishes direct partnerships with bug bounty platforms (Immunefi, HackerOne, Bugcrowd, etc.), we plan to integrate their submission APIs for fully automated end-to-end submission. This means faster turnaround, zero manual steps, and instant submission the moment a report is verified.

Until then, the manual submission flow ensures accuracy and gives both Prowl (for High/Critical) and pool admins (for Low/Medium) a final review before anything goes out.

Operator Choice

PoC Protection is enabled by default at pool creation. Operators can toggle it off, but they lose the platform fee discount and incur per-use report generation charges. The rational choice is to keep it on.

Prowl Protocol — Decentralized AI-Powered Bug Bounty Platform