Public Bug Bounty Program — Now Live

Team Nimiq
Published in
2 min readFeb 21, 2018


As we move forward with the Roadmap to Mainnet it is imperative we harden our Blockchain and Payment Protocol. Our dev team has been stress testing the network and searching for any vulnerabilities or bugs. We also invited a security expert (Stefan M.) who is performing an internal audit of our code with fresh eyes.

We want as many eyes as possible on our code so we partnered with HackerOne to conduct a US$200’000 Bug Bounty Program which went public today! If you are a skilled Cryptographer or JS coder and you think you can break our code join our Bug Bounty Program.

To help developers dive into our code we have published the Nimiq Developer Reference. We hope our well designed technical documentation helps you better approach and understand the code of the Nimiq Core. This reference is constantly growing so if you have any contribution please feel free to send it to our public repository.

We also implemented a private Testnet for hackers to play. That way we don’t disturb the rest of the users who are performing tests of their own on the Luna Testnet. You can find instructions on accessing the private Testnet in our Bug Bounty Program.

Good Vulnerability Starting Points

For an idea on our initial scope for the Program, we are looking to find security issues affecting our blockchain protocol and its implementation prior to the official launch. As such, we would like to find vulnerabilities of the following types:

  • Bugs in our implementation of the cryptographic primitives
  • Remote Code Execution
  • Theft (unauthorized movement of funds, access to private keys)
  • Inflation (creation of coins by any method different from mining)
  • Netsplit (preventing a part of the peer to peer network from communicating with the other part of the network in a way that could be applied generically)

Denial of Service:

  • Create invalid blockchain state
  • Overload the whole network
  • Overload a single client
  • Crash a client
  • Stall a client
  • Disconnect client
  • Create invalid client state

We would like to thank you once again for your support and remind you to share this invitation with anyone qualified to take on the challenge. Let the hacking begin!

DISCLAIMER: None of the statements must be viewed as an endorsement or recommendation for Nimiq, any cryptocurrency, or investment product. Neither the information, nor any opinion contained herein constitutes a solicitation or offer by the creators or participants to buy or sell any securities or other financial instruments or provide any investment advice or service.