Nimbus's highest priority is the security and efficiency of all its solutions. That’s why the team is offering community members an opportunity to submit their input on scaling the security of the platform.
Nimbus shall use the CVSS vulnerability scoring system to assess the severity of the bugs that you find. The reward fund shall be divided by threat level as specified below:
Please note that if there are no winners at some of the levels, the level’s reward fund will not be divided between other levels’ winners. Instead, it will remain unused.
On the other hand, if the team receives more than 5 great applications within one level, they may provide an extra prize of up to 5,000 NBU for those who do not get rewards from the core reward fund outlined above.
The Nimbus Bug Bounty program covers the majority of the smart contract components that have been published on the Nimbus GitHub to date. This includes NBU, NBU Staking, NBU LP Staking, all auxiliary software for GNBU, Staking family GNBU, DAO, and P2P Exchange. They can be found in the following repositories:
These are some of the bugs and vulnerabilities that the team is especially interested in:
Any vulnerability or bug discovered should be reported only to the Nimbus team at firstname.lastname@example.org. Bounty hunters should not disclose the vulnerability or the bug policy to another party before contacting the Nimbus team. Please ensure that you disclose the bug to the Nimbus team as soon as you discover it, since speed matters.
To help the team grasp the full context of the bug or vulnerability, they would appreciate it if you include as much information as possible in your emails. Some of the topics that you can touch upon are:
Overall, the more detailed your vulnerability report is, the higher your chances of receiving the rewards. So make sure to include as many details as you can.