

500 $ 

In Scope

Scope Type Scope Name
web_application (JavaScript implementation)
web_application (JavaScript implementation)
web_application (JavaScript implementation)
web_application (Rust implementation)

Out of Scope

Scope Type Scope Name
web_application *


Nimiq is the world’s first browser-based blockchain and ecosystem. We look forward to working with the community to find security vulnerabilities in order to keep our protocol and official implementations as safe as possible. You can find our developer reference here.


Nimiq will make a best effort to meet the following SLAs for hackers participating in our program:

  • Time to first response (from report submit) - 1 business day
  • Time to triage (from report submit) - 1 business day
  • Time to bounty (from triage) - 5 business days

We’ll try to keep you informed about our progress throughout the process.

Disclosure Policy

Program Rules

  • Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
  • When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
  • Only interact with the testnet designated in the scope instructions below.

Good Vulnerability Starting Points (IN SCOPE)

We are looking to find security issues affecting our blockchain protocol, its implementations, as well as its integration with the Ledger Nano S hardware wallet. As such, we would like to find vulnerabilities of the following types (other types could be in scope too, but this list provides a good starting point):

  • Bugs in our implementation of the cryptographic primitives
  • Remote Code Execution
  • Theft (unauthorized movement of funds, access to private keys)
  • Inflation (creation of coins by any method different from mining)
  • Netsplit (preventing a part of the peer-to-peer network from communicating with the other part of the network in a way that could be applied generically)
  • Denial of Service:
    • Create invalid blockchain state
    • Overload the whole network
    • Overload a single client
    • Crash a client
    • Stall a client
    • Disconnect client
    • Create invalid client state

To find these vulnerabilities, you can use both the source code directly, as well as our testnet (the instructions to access both of them are in the "In Scope" section below).

NOTE: When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug.

Since our main interest is in finding security problems affecting our blockchain protocol, its implementations, and its Ledger Nano S hardware wallet integration, the following issues are considered out of scope:

  • Any issues that are outside what is defined in the "In Scope" section below, as well as any issue not directly related to the code and its functionality (for example, usability or user experience).
  • Security breaches that are only possible when having full access to the client machine (for example, using a key tracker or reading/monitoring the computer memory).
  • Privacy related vulnerabilities (e.g. leaking your address to other peers on the network).
  • Attacks requiring MITM or physical access to a user's device.
  • Previously known vulnerable libraries without a working Proof of Concept.
  • Any activity that could lead to the disruption of our service (DoS), outside of the testnet.
  • 51% attacks, including those on the testnet.
  • Any problem on the servers where the nodes for the private testnet are running that is unrelated to our specific software (i.e. only the official client running on port 8080 is in scope).
  • Any issues already reported publicly on GitHub.

Thank you for helping keep Nimiq and our users safe!
