We are thrilled to announce that the Nimbus Bug Bounty program is about to kick-off!
Those of you who find bugs in the Nimbus code before July 1 can receive Rewards from a Total Fund of 50,000 NBU! Find more detail below:
Our highest priority is the security and efficiency of all Nimbus solutions. That’s why we are offering an opportunity to our community members to submit your inputs for scaling the security of the platform.
But of course, we want to show our appreciation towards our bug hunters. So, we offer up to 50,000 NBU in rewards to up to 20 participants who succeed in this program.
Nimbus shall use the CVSS vulnerability scoring system to assess the severity of the bugs that you hunt. The reward fund shall be divided by threat level as specified below:
- Critical Threat level (CVSS 9.0–10.0)
✔Total fund of 30,000 NBU for this level to be split between a maximum of 5 winners
- Major Threat level (CVSS 7.0–8.9)
✔Total fund of 12,000 NBU for this level to be split between a maximum of 5 winners
- Medium Threat level (CVSS 4.0–6.9)
✔Total fund of 5,000 NBU for this level to be split between a maximum of 5 winners
- Low Threat level (CVSS 1.0–3.9)
✔Total fund of 3,000 NBU for this level to be split between a maximum of 5 winners
Please note that if there are no winners at some of the levels, the level’s reward fund will not be divided between other levels’ winners. Instead, it will remain unused.
On the other hand, if we receive more than 5 great applications within one level, we may provide an extra prize of up to 5,000 NBU for those who do not get rewards from the core reward fund outlined above.
The Bug Bounty shall begin on the 1st of April 2021 and is scheduled to end on the 1st of July 2021.
Winners shall be picked by July 12 and the rewards shall be airdropped in the winners’ wallets in the following days.
Scope of the Program
In scope for the Nimbus Bug Bounty program are the majority of the smart contract components that have been published on Nimbus Github to date. It shall effectively include — NBU, NBU Staking, NBU LP Staking, all auxiliary software for GNBU, Staking family GNBU, DAO, and P2P Exchange. They can be found in the following repositories:
1. Nimbus Swap Machine
5. Auxiliary software for GNBU
6. GNBU Soft Staking Family
9. Nimbus P2P Exchange
Areas of Interest
These are some of the bugs and vulnerabilities that we are especially interested in:
•Congestion and scalability
•Missing access controls/unprotected or debugging interfaces
Out of Scope
•Attacks that the hunter has identified and exploited, leading to damages
•Attacks requiring access to leaked key and credentials
•Lack of liquidity
•Best practices, opinions and critiques
The following activities shall result in disqualification:
•Phishing or social engineering attacks against the Nimbus users or team
•Testing with malicious or third-party systems or websites such as browser extensions, advertising networks, or SSO providers
•Denial of service attacks
•Automated or bot testing that generates heavy traffic
•Public disclosure of unamended or unpatched vulnerabilities
- Only those vulnerabilities that are original should be awarded a bounty. Meaning in case of a duplicate report or two users reporting the same bug, the fastest user who submitted the report FIRST shall be awarded.
- Public disclosure of the vulnerability, before the Nimbus team resolves it without explicit consent from the team, will make the bounty hunter ineligible for further participation.
Reporting a Vulnerability
Any vulnerability or bug discovered should be reported only to the Nimbus team at email@example.com. Bounty hunters should not disclose the vulnerability or the bug policy to another party before contacting the Nimbus team. Please ensure that you disclose the bug to the Nimbus team as soon as you discover it since speed matters!
In order to help us grasp the full context of the bug or vulnerability, we would appreciate it if you include as much information as possible in your mailers. Some of the topics that you can touch upon are:
- Steps needed to reproduce the bug.
- The potential impact of the vulnerability identified.
Overall, the more detailed is your vulnerability report, the higher your chances of receiving the rewards! So make sure to include as many details as you can.
Good luck to all the participants!
Finally, we would like to wish all our community members the best of luck with this program. We are glad to have you on board, assisting in maintaining the well-being and prosperity of the Nimbus platform and all users.
As usual, if you have any questions regarding the Nimbus bug bounty program, please type your queries in the official Nimbus Telegram Chat.