Strengthen Nimiq's security, earn rewards.
Nimiq is a simple, secure and censorship-resistant payment protocol, native to the web. We look forward to working with the community to find security vulnerabilities in order to keep our protocol and official implementations as safe as possible. You can find our developer reference here.
Nimiq will make a best effort to meet the following SLAs for hackers participating in our program:
We’ll try to keep you informed about our progress throughout the process.
Please follow HackerOne's disclosure guidelines and submit your work to security@nimiq.com.
Target | Critical | High | Medium | Low
---|---|---|---|---
Core JS | $13'337 | $3'133 | $1'337 | $500
Wallet | $3'000 | $1'000 | $500 | $200
Keyguard | $3'000 | $1'000 | $500 | $200
Our rewards are based on severity per CVSS (the Common Vulnerability Scoring System). Please note that these are general guidelines, and that reward decisions are at the discretion of Nimiq. All payouts are made in BTC and NIM, at the equivalent value at the time of payment.
We are looking to find security issues affecting our blockchain protocol, its implementations as well as its integration with the Ledger Nano S hardware wallet. As such, we would like to find vulnerabilities of the following types (other types could be in scope too, but this list provides a good starting point):
To find these vulnerabilities, you can use both the source code directly, as well as our testnet (the instructions to access both of them are in the "In Scope" section below).
NOTE: When reporting vulnerabilities, please describe (1) the attack scenario and exploitability, and (2) the security impact of the bug.
Since our main interest is in finding security problems affecting our blockchain protocol, its implementations, and its Ledger Nano S hardware wallet integration, the following issues are considered out of scope:
To get you started, you can download the Burp Suite Project Configuration file. To learn more about Nimiq, create your account, join the community and find out more on nimiq.com.
Thank you for helping keep Nimiq and our users safe!
Domain: https://wallet.nimiq.com/
The Nimiq Wallet is the main place where our users interact with the blockchain and with the funds protected by their keys (usually stored in the Keyguard), so we expect it to be highly secure. Examples of the kind of exploits we're interested in are: opening a fake Keyguard from the Nimiq Wallet, which would allow an attacker to trick the user into entering their keys and steal them; deleting a user's key without the user explicitly wanting to; hijacking the "copy to clipboard" functionality to copy the wrong address; or displaying the wrong address when the user is asked to verify the address on the Ledger Nano S.
The source code for the Wallet is available here in case it helps you find security issues with it, but please keep in mind that we're looking for bugs that are actually exploitable in the current deployment of the Wallet (i.e. at https://wallet.nimiq.com/).
Domain: https://keyguard.nimiq.com/
The Nimiq Keyguard is designed to be the place where users' keys are stored (encrypted) if they are not using a supported hardware wallet, so it is very important for us to make sure that the Keyguard is very secure. Examples of the kind of exploits we are interested in are: unauthorized key extraction, unauthorized signing of transactions, displaying information when signing a transaction that differs from the actual data in the signed transaction, etc. These exploits need to be due to a problem in the Keyguard itself, so things like social engineering or malware on a user's computer are not considered valid reports.
The source code for the Keyguard is available here in case it helps you find security issues with it, but please keep in mind that we're looking for bugs that are actually exploitable in the current deployment of the Keyguard (i.e. at https://keyguard.nimiq.com/).
The src/ folder on the master branch of this repository contains all the source code for our official JavaScript implementation, which we would like to have tested.
There is also a running version of this code in the testnet; you can find the instructions to test against it in the "Blockchain testnet" section below.
The Nimiq Ledger App is designed to allow Ledger Nano S users to create a Nimiq Account with the private key safely stored in their hardware wallet.
For this particular asset we're looking for bugs that would allow an attacker to obtain a user's private key (or any other secret data that can be used to validly sign transactions), or that would allow an attacker to create a transaction with fields that are displayed incorrectly on the Ledger's screen, such that a valid transaction is sent to a different address or with a different amount than what the user expected.
Other, less critical bugs could also be valid (for example, a bug that causes the app to "freeze" or "crash").
Only bugs in the Nimiq Ledger App itself are valid; more general bugs that apply to the Ledger Nano S or its operating system should be sent to Ledger directly.
The master branch of this repository contains all the source code for our official Rust implementation, which we would like to have tested.
There is also a running version of this code in the testnet; you can find the instructions to test against it in the "Blockchain testnet" section below.
The regular Nimiq Testnet can be used for the purposes of this program and it consists of our official client implementation running on the following servers:
The easiest way to connect to the Testnet is to download the master branch of our official code repository and follow the Quickstart Guide to get a web client (step 7); if you prefer, you can also build a Node.js client afterwards. Very important: make sure to change the --network= parameter to test before attempting anything.
Of course, you are also encouraged to look for security problems by connecting directly to port 8080 on those servers with any other tools that you consider useful. Please keep in mind that security issues in other services running on these servers (i.e. anything other than our client on port 8080) are out of scope.
None of the statements must be viewed as an endorsement or recommendation for Nimiq, any cryptocurrency, or investment product. Neither the information, nor any opinion contained herein constitutes a solicitation or offer by the creators or participants to buy or sell any securities or other financial instruments or provide any investment advice or service. All statements contained in statements made in Nimiq’s web pages, blogs, social media, press releases, or in any place accessible by the public, and oral statements that may be made by Nimiq or project associates that are not statements of historical fact, constitute “forward-looking statements”. These forward-looking statements involve known and unknown risks, uncertainties, and other factors that may cause the actual future results, performance, or achievements to be materially different from any future results, performance, or achievements expected, expressed, or implied by such forward-looking statements. The final decision of implementing any changes to the Nimiq protocol, including its parameters, always remains with the decentralized node operators who agree what version and parameters to deploy and support.