Nimbus Bug Bounty Program - DropsEarn

    Nimbus's highest priority is the security and efficiency of all its solutions. That's why the team is offering its community members an opportunity to submit their input for scaling the security of the platform.

  • Reward pool: ~ $53,000
  • Expected profit: from $630
  • Max participants: 20
  • DropsEarn score: Neutral

  • Activity Type: Registration, Bug bounty, Smart Contracts
  • Date: 1 Apr 2021 12:00 (UTC+3) - 1 Jul 2021 12:00 (UTC+3)
  • Registration: Open
  • Event status: You can participate (Event started, Registration open)
  • Links: Official Announcement

Event details

Rewards

Nimbus shall use the CVSS vulnerability scoring system to assess the severity of the bugs that you hunt. The reward fund shall be divided by threat level as specified below:

  • Critical Threat level (CVSS 9.0–10.0)
    Total fund of 30,000 NBU for this level to be split between a maximum of 5 winners
  • Major Threat level (CVSS 7.0–8.9)
    Total fund of 12,000 NBU for this level to be split between a maximum of 5 winners
  • Medium Threat level (CVSS 4.0–6.9)
    Total fund of 5,000 NBU for this level to be split between a maximum of 5 winners
  • Low Threat level (CVSS 1.0–3.9)
    Total fund of 3,000 NBU for this level to be split between a maximum of 5 winners

Please note that if there are no winners at some of the levels, the level’s reward fund will not be divided between other levels’ winners. Instead, it will remain unused.

On the other hand, if the team receives more than 5 great applications within one level, they may provide an extra prize of up to 5,000 NBU for those who do not get rewards from the core reward fund outlined above.

Scope of the Program

The majority of the smart contract components that have been published on the Nimbus GitHub to date are in scope for the Nimbus Bug Bounty program. This effectively includes NBU, NBU Staking, NBU LP Staking, all auxiliary software for GNBU, Staking family GNBU, DAO, and P2P Exchange. They can be found in the following repositories:

  1. Nimbus Swap Machine
  2. NBU
  3. Nimbus Soft Staking
  4. Nimbus Hard Staking
  5. Auxiliary software for GNBU
  6. GNBU Soft Staking Family
  7. GNBU Hard Staking Family
  8. Nimbus DAO
  9. Nimbus P2P Exchange

Areas of Interest

These are some of the bugs and vulnerabilities that the team is especially interested in:

  • Logic Errors
  • Congestion and scalability
  • Cryptography issues
  • Missing access controls/unprotected or debugging interfaces
  • Token manipulation
  • Liquidity exploits

Out of Scope

  • Attacks that the hunter has identified and exploited, leading to damages
  • Attacks requiring access to leaked keys and credentials
  • Lack of liquidity
  • Best practices, opinions and critiques
  • Sybil attacks

The following activities shall result in disqualification:

  • Phishing or social engineering attacks against the Nimbus users or team
  • Testing with malicious or third-party systems or websites such as browser extensions, advertising networks, or SSO providers
  • Denial of service attacks
  • Automated or bot testing that generates heavy traffic
  • Public disclosure of unamended or unpatched vulnerabilities

Terms

  • Only those vulnerabilities that are original should be awarded a bounty. In case of a duplicate report, or two users reporting the same bug, the user who submitted the report FIRST shall be awarded.
  • Public disclosure of the vulnerability before the Nimbus team resolves it, without explicit consent from the team, will make the bounty hunter ineligible for further participation.

Reporting a Vulnerability

Any vulnerability or bug discovered should be reported only to the Nimbus team at bugbounty@nimbusplatform.io. Bounty hunters should not disclose the vulnerability or the bug policy to another party before contacting the Nimbus team. Please ensure that you disclose the bug to the Nimbus team as soon as you discover it since speed matters.

To help them grasp the full context of the bug or vulnerability, the team would appreciate it if you include as much information as possible in your email. Some of the topics that you can touch upon are:

  • Steps needed to reproduce the bug.
  • The potential impact of the vulnerability identified.

Overall, the more detailed your vulnerability report is, the higher your chances of receiving the rewards. So make sure to include as many details as you can.