The Nebulas Bug Bounty aims to improve the security of Nebulas Ecosystem, ensuring the establishment of a benign Nebulas ecosystem. The Nebulas Bug Bounty Program provides bounties for the discovered vulnerabilities. This bounty program is initiated and implemented by the Nebulas Technical Committee (NTC), joined by the Nebulas technical team and community members. NTC encourages the community to disclose security vulnerabilities via the process described below, and to play a role in building Nebulas ecosystem, thereby receiving bounties, and partake in the establishing of Nebulas ecosystem.
The Bug Bounty Program divides the bug bounties into 2 categories: common bug bounty, and special bug bounty. The common bugs include vulnerabilities discovered in Nebulas mainnet, Nebulas testnet, nebPay, Web wallet, neb.js and others, while the special bugs include vulnerabilities found in the inter-contract call function and others.
The Nebulas Technical Committee (NTC) will evaluate reward sizes according to the severity calculated by OWASP Risk Rating Method based on Impact and Likelihood. However, final rewards are determined at the sole discretion of the committee.
- High: Bugs affecting asset security.
- Medium: Bugs affecting system stability.
- Low: Other bugs that do not affect asset security and do not affect system stability.
- High: The bug can be discovered by anyone who performs an operation, regardless of whether or not the bug has been found.
- Medium: Only certain people can discover it (such as a bug that only developers encounter, ordinary users are not affected.)
- Low: Covers less than 1% specific population, such as certain rare Android models; or any other exceptional cases.
To ensure the bug reporter obtains a stable expected reward, the amount in US dollars will be issued in equivalent NAS.
The reward amount is divided into 5 categories:
- Critical: US$1,000 or more (No upper limit)
- High: US$500 or more
- Medium: US$250 or more
- Low: US$100 or more
- Note: US$30 or more
The Nebulas testnet special vulnerability reward (such as one for testnet inter-contract call function) has been increased accordingly, and the equivalent US dollars are issued in NAS.
Report A Bug
Please send your bug report via HERE.
1. Please ensure the accuracy and clarity of the content, because the reward evaluation will be based on the content submitted in this form.
2. If many people discover the same bug, then their report submissions in chronological order will determine their reward. Community users are welcome to discuss the issues of bugs, but the discussion itself is not considered a report, therefore a report form must still be submitted.
- The Nebulas Bug Bounty Program is long-standing. The Nebulas Technical Committee reserves the right to final interpretation of this program, and the rights to adjust or cancel the reward scope, eligibility and amount.
- The Nebulas Technical Committee will confirm and evaluate the bug report after its submission. The evaluation time will depend on the severity of the problem and the difficulty of fixing it. The evaluation result will be sent to its reporter by email as soon as possible.
- To avoid bugs being exploited, reporters are required to submit the bug bounty application to bug report entrance.
- Reporters shall keep the bugs non-public and confidential until 30 days after submitting the bugs to Nebulas, and shall not disclose the bugs to any third party. Such confidentiality timeline can be extended by Nebulas unilaterally. If reporters disclose the bugs to any third party that causes any harm to Nebulas or Nebulas’ users, reporters shall be responsible for the compensation for all the losses.
- The Nebulas Technical Committee encourages community member to discuss with the Nebulas technical team and other community members in the Nebulas public discussion group. We also encourage our community members to join us in fixing these bugs. Please join our Nebulas mailing list for discussion.