Nimbus Bug Bounty Program #2

View the Bug Bounty on Hacken, here

Bug Bounty #2 Program Duration

Issue Severity Classification and Allocated Rewards

  • Low — $50 to $1,000 in USDT
  • Medium — $1,000 to $2,000 in USDT
  • High — $2,000, to $5,000 in USDT
  • Critical — $5,000 to $ 10,000 in USDT

Scope of the Program

Areas in Scope — Prioritized Vulnerabilities

  • Reentrancy
  • Logic Errors
  • Solidity/EVM details not considered
  • Trusting trust/dependency vulnerabilities
  • Oracle failure and manipulation
  • Novel governance attacks
  • Economic or financial attacks
  • Congestion and scalability
  • Consensus failure
  • Cryptography problems
  • Signature malleability
  • Susceptibility to block timestamp manipulation
  • Missing access controls/unprotected internal or debugging interfaces
  • Attacks that the reporter has already exploited themselves, leading to damage
  • Attacks requiring access to leaked keys/credentials
  • Attacks requiring access to privileged addresses (governance, strategist)
  • Incorrect data supplied by third party oracles
  • Not to exclude oracle manipulation/flash loan attacks
  • Basic economic governance attacks (e.g. 51% attack)
  • Lack of liquidity
  • Best practice critiques
  • Sybil attacks


  • Phishing or social engineering attacks against the Nimbus users or Nimbus Team
  • Testing with malicious or third-party systems/websites/browser extensions, including advertising networks or SSO providers.
  • Any testing with Mainnet or public testnet contracts; all testing should be done on private testnet(s)
  • Any testing with pricing oracles
  • Any denial-of-service attacks
  • Automated testing or bot testing that generates significant amounts of traffic
  • Public disclosure of an unpatched vulnerability in an embargoed bounty


  • Only those vulnerabilities that are original should be awarded a bounty. Meaning in case of a duplicate report or two users reporting the same bug, the fastest user who submits the report FIRST shall be awarded.
  • Before the Nimbus team resolves the vulnerability without explicit consent from the team, public disclosure of the vulnerability will make the bounty hunter ineligible for further participation.
  • In case you find chain vulnerabilities we’ll pay only for vulnerability with the highest severity.
  • Don’t break any law and stay in the defined scope
  • Any details of found vulnerabilities must not be communicated to anyone who is not a HackenProof Team or an authorized employee of this Company without appropriate permission

Responsible Disclosure — How do I report a Bug?

  • Go to the program page here —
  • Sign Up as Hacker
  • Click on the “Submit Report” button
  • Fill the vulnerability title
  • Specify the vulnerability target
  • Specify the vulnerability category
  • Select severity or calculate it by CVSSv3 calculator
  • Add vulnerability details
  • Specify validation steps
  • Attach PoC (video, screenshots, logs) which may help to understand the vulnerability more clearly
  • First Response — 3 Business days
  • Triage Time — 3 Business days
  • Reward Time — 3 Business days
  • Resolution Time — 30 Business days

To our Future Bug Bounty Hunters,



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Nimbus Platform

Nimbus Platform


DAO-governed platform that offers 16 earning strategies for users boosted by multiple layers of risk-management.