Nimiq Proof of Stake is Now Live!
Login
New wallet
Buy NIM
Use SuperSimpleSwap, the wallet or exchange partners.

© Nimiq Foundation 2017-2024

Nimiq Proof-of-Stake Bug Bounty Program

Strengthen Nimiq's security, earn rewards.

This is an extension of the Bug Bounty Program for Nimiq Proof-of-Work.

  • Reports resolved: 0
  • Assets in scope: Core PoS Repository (check In-Scope for more)
  • Top bounty: $5'000

What is Nimiq?

Nimiq is a simple, secure, and censorship-resistant payment protocol that is native to the web. As the Nimiq Network transitions from a Proof-of-Work to a Proof-of-Stake consensus algorithm, this bug bounty program aims to ensure the security and integrity of the Nimiq Network.

Service-Level Agreement (SLA)

Nimiq will make a best effort to meet the following SLAs for hackers participating in our program:

  • Time to first response (from report submit): 1 business day
  • Time to triage (from report submit): 5 business days
  • Time to bounty (from triage): 10 business days

We’ll try to keep you informed about our progress throughout the process.

Disclosure Policy

Please follow HackerOne's disclosure guidelines and submit your work to security@nimiq.com.

Rewards

Target Critical High Medium Low
Core PoS Repository $5'000 $2'000 $500 $200

Our rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and that reward decisions are up to the discretion of Nimiq. All payouts are made in BTC or NIM equivalent at time of payment.

Program Rules

  • Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
  • When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.

In Scope

We are looking to find security issues affecting our blockchain protocol and its implementation. We would like to find vulnerabilities of the following types (other types could be in scope too, but this list provides a good starting point):

  • Bugs in our implementation of the cryptographic primitives
  • Remote Code Execution
  • Theft (unauthorized movement of funds, access to private keys)
  • Inflation (creation of coins by any method different from block production)
  • Netsplit (preventing a part of the peer to peer network from communicating with the other part of the network in a way that could be applied generically)
  • Denial of Service:
    - Create invalid blockchain state
    - Overload the whole network
    - Overload a single client
    - Crash a client
    - Stall a client
    - Disconnect client
    - Create invalid client state

To find these vulnerabilities, you can use both the source code directly, as well as our TestNet.

NOTE: When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug.

Out of Scope

  1. Any issues already reported publicly on GitHub.
  2. Any activity that could lead to the disruption of any of our services outside of the PoS TestNet.
  3. Any issue specific to the TestNet deployment that is unrelated to our code.
  4. Privacy related vulnerabilities (e.g., leaking your address to other peers on the network).
  5. Previously known vulnerable libraries without a working Proof of Concept.
  6. Sections of the code intended to be used for testing purposes.
  7. Zero-Knowledge keys setup: Since we have fixed seeds for the unit tests/devnet that are obviously insecure, any issues related to the zkp key setup will be considered out of scope for this program.

Mailing List

By subscribing to this list, please be assured that you will not be receiving our regular newsletters or any other promotional content. This mailing list is solely dedicated to providing notifications and updates about our ongoing Bug Bounty Program.

In the coming months, we will be expanding the program and adding new items to the "In Scope" section. Your continued support, participation, and vigilance are critical to the security and success of Nimiq. By staying connected through this mailing list, you'll be the first to know about any additions or changes in our bug bounty activities.

We greatly appreciate your support and cooperation in keeping Nimiq secure.

Input your email to subscribe to the Bug Bounty Program Mailing List

Disclaimer

None of the statements must be viewed as an endorsement or recommendation for Nimiq, any cryptocurrency, or investment product. Neither the information, nor any opinion contained herein constitutes a solicitation or offer by the creators or participants to buy or sell any securities or other financial instruments or provide any investment advice or service. All statements contained in statements made in Nimiq’s web pages, blogs, social media, press releases, or in any place accessible by the public, and oral statements that may be made by Nimiq or project associates that are not statements of historical fact, constitute “forward-looking statements”. These forward-looking statements involve known and unknown risks, uncertainties, and other factors that may cause the actual future results, performance, or achievements to be materially different from any future results, performance, or achievements expected, expressed, or implied by such forward-looking statements. The final decision of implementing any changes to the Nimiq protocol, including its parameters, always remains with the decentralized node operators who agree what version and parameters to deploy and support.