Nimiq is the world’s first browser-based blockchain and ecosystem. We look forward to working with the community to find security vulnerabilities in order to keep our protocol and official implementation as safe as possible. You can find our developer reference here (https://nimiq.com/developer-reference/).
Nimiq will make a best effort to meet the following SLAs for hackers participating in our program:
* Time to first response (from report submit) - 1 business day
* Time to triage (from report submit) - 1 business day
* Time to bounty (from triage) - 5 business days
We’ll try to keep you informed about our progress throughout the process.
* Follow HackerOne's disclosure guidelines (https://www.hackerone.com/disclosure-guidelines).
* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
* Social engineering (e.g. phishing, vishing, smishing) is prohibited.
* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
* Only interact with the private testnet designated in the scope instructions below.
Our rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and that reward decisions are up to the discretion of Nimiq.
| Critical (9.0 - 10.0) | High (7.0 - 8.9) | Medium (4.0 - 6.9) | Low (0.1 - 3.9) |
| $13'337 | $3'133.70 | $1'337 | $500 |
Good Vulnerability Starting Points (IN SCOPE)
We are looking to find security issues affecting our blockchain protocol and its implementation prior to the official launch. As such, we would like to find vulnerabilities of the following types (other types could be in scope too, but this list provides a good starting point):
* Bugs in our implementation of the cryptographic primitives
* Remote Code Execution
* Theft (unauthorized movement of funds, access to private keys)
* Inflation (creation of coins by any method different from mining)
* Netsplit (preventing a part of the peer to peer network from communicating with the other part of the network in a way that could be applied generically)
* Denial of Service:
* Create invalid blockchain state
* Overload the whole network
* Overload a single client
* Crash a client
* Stall a client
* Disconnect client
* Create invalid client state
To find these vulnerabilities, you can use both the source code directly, as well as the private testnet we have setup specifically for this program (the instructions to access both of them are in the "In Scope" section below).
NOTE: When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug*
OUT OF SCOPE Vulnerabilities
Since our main interest is in finding security problems affecting our blockchain protocol and its implementation, the following issues are considered out of scope:
* Any issues on *.nimiq.com domains.
* Any vulnerabilities found on the Luna public testnet (we have setup a private testnet that is actually in scope).
* Privacy related vulnerabilities (e.g. leaking your address to other peers on the network).
* Attacks requiring MITM or physical access to a user's device.
* Previously known vulnerable libraries without a working Proof of Concept.
* Any activity that could lead to the disruption of our service (DoS), outside of the private testnet.
* 51% attacks, including those on the private testnet.
* Any problem on the servers where the nodes for the private testnet are running that is unrelated to our specific software (i.e. only the official client running on port 8080 is in scope).
* Any issues already reported publicly on GitHub (https://github.com/nimiq-network/core/issues).
Thank you for helping keep Nimiq and our users safe!
Hall of Fame