We are happy to announce the #2 edition of our Bug Bounty Program on Hacken Platform. The security of the Nimbus Platform is of the highest priority for the Nimbus team. We hope to involve the larger developer and researcher user base from among our community to help strengthen the Platform’s infrastructure and smart contracts. And, of course, get rewards for it.
View the Bug Bounty on Hacken here.
Bug Bounty #2 Program Duration
The Bug Bounty begins on September 15th, 2021, and is scheduled to end on December 31st, 2021.
However, if enough bug bounty hunters are able to find vulnerabilities and the reward fund of the program is exhausted, the Bug Bounty may conclude earlier than the scheduled date.
Bug Bounty hunters who successfully fulfill the participation criteria and discover a suitable vulnerability will be rewarded immediately once the assessment of their reports concludes.
Issue Severity Classification and Allocated Rewards
The submitted issues need to meet a minimum severity level of “Low,” as described below in order to qualify for a reward. Quality of the report and reproduction instructions will be taken into account. Rewards are denominated in USDT and will be paid out in the equivalent amount of USDT. A successfully reviewed submission will receive a reward based on the classified severity of the underlying vulnerability.
- Low — $50 to $1,000 in USDT
- Medium — $1,000 to $2,000 in USDT
- High — $2,000 to $5,000 in USDT
- Critical — $5,000 to $10,000 in USDT
Scope of the Program
The Bug Bounty program applies to the Nimbus Platform’s BSC smart contract suite, specifically any contracts residing in the following public repo at the pinned commit: https://github.com/nimbusplatformorg/nim-smartcontract/commit/b56e75e340c7c2bc8b3cfd6386d5ea8ade00d17b
Areas in Scope — Prioritized Vulnerabilities
- Logic errors
  - Including user authentication errors
- Solidity/EVM details not considered
  - Including integer over-/underflow
  - Including rounding errors
  - Including unhandled exceptions
- Trusting trust/dependency vulnerabilities
  - Including composability vulnerabilities
- Oracle failure and manipulation
- Novel governance attacks
- Economic or financial attacks
  - Including flash loan attacks
- Congestion and scalability
  - Including running out of gas
  - Including block stuffing
  - Including susceptibility to frontrunning
- Consensus failure
- Cryptography problems
- Signature malleability
  - Including susceptibility to replay attacks
  - Including weak randomness
  - Including weak encryption
- Susceptibility to block timestamp manipulation
- Missing access controls/unprotected internal or debugging interfaces
Vulnerabilities found in out of scope resources are unlikely to be rewarded unless they present a serious business risk (at our sole discretion).
In general, the following vulnerabilities do not meet the severity threshold:
- Attacks that the reporter has already exploited themselves, leading to damage
- Attacks requiring access to leaked keys/credentials
- Attacks requiring access to privileged addresses (governance, strategist)
- Incorrect data supplied by third party oracles
- (This does not exclude oracle manipulation or flash loan attacks, which remain in scope)
- Basic economic governance attacks (e.g. 51% attack)
- Lack of liquidity
- Best practice critiques
- Sybil attacks
The following activities are prohibited within the Bug Bounty #2 Program and will lead to disqualification if not abstained from. While researching, we’d like to ask you to refrain from:
- Phishing or social engineering attacks against the Nimbus users or Nimbus Team
- Testing with malicious or third-party systems/websites/browser extensions, including advertising networks or SSO providers.
- Any testing with Mainnet or public testnet contracts; all testing should be done on private testnet(s)
- Any testing with pricing oracles
- Any denial-of-service attacks
- Automated testing or bot testing that generates significant amounts of traffic
- Public disclosure of an unpatched vulnerability in an embargoed bounty
- Only original vulnerabilities are eligible for a bounty. In the case of a duplicate report, where two users report the same bug, the user who submits the report first shall be awarded.
- Public disclosure of a vulnerability before the Nimbus team has resolved it, without the team’s explicit consent, will make the bounty hunter ineligible for further participation.
- If you find a chain of vulnerabilities, we will pay only for the vulnerability with the highest severity.
- Don’t break any law and stay within the defined scope
- Details of any vulnerability found must not be communicated to anyone who is not a member of the HackenProof Team or an authorized employee of this Company without appropriate permission
Responsible Disclosure — How do I report a Bug?
In case you discover a vulnerability, we would like to know about it immediately so we can take steps to address it as quickly as possible.
If you discover a vulnerability, please do the following:
- Go to the program page here — https://hackenproof.com/nimbus/nimbus
- Sign Up as Hacker
- Click on the “Submit Report” button
- Fill in the vulnerability title
- Specify the vulnerability target
- Specify the vulnerability category
- Select the severity or calculate it with the CVSSv3 calculator
- Add the vulnerability details
- Specify the validation (reproduction) steps
- Attach a PoC (video, screenshots, logs) that helps to explain the vulnerability more clearly
Once we receive your report, we promise the following:
- First Response — 3 Business days
- Triage Time — 3 Business days
- Reward Time — 3 Business days
- Resolution Time — 30 Business days
To our Future Bug Bounty Hunters,
We would like to thank you for your participation, and we are glad to have you on board.
Good luck and happy hunting!