Nimiq looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe.
In this program we want to find security vulnerabilities in our PoS blockchain. Nimiq PoS is a decentralized, peer-to-peer blockchain designed for robustness and scalability, using a dual-block system:
- Micro blocks: Produced every second for fast transactions.
- Macro blocks: Ensure consensus, finalize sets of micro blocks, and rotate the validator set using the Tendermint protocol.
It also offers the possibility to run different types of nodes:
- History Nodes: Store the entire blockchain for historical access.
- Full Nodes: Sync selectively, handle transactions, and prune old data.
- Light Nodes: Verify blockchain state with ZKPs, optimized for browsers.
- Validators: Produce blocks and participate in consensus.
- Prover Nodes: Generate Zero-knowledge proofs (ZKPs) for secure and private state validation.
The network also leverages Zero-knowledge proofs (ZKPs) to enable efficient network participation without compromising security.
For a detailed overview, visit our Developer Center.
Response Targets
Nimiq will make a best effort to meet the following response targets for hackers participating in our program:
| Type of Response | SLA in business days |
|---|---|
| First Response | 2 days |
| Time to Triage | 2 days |
| Time to Bounty | 14 days |
| Time to Resolution | depends on severity and complexity |
Disclosure Policy
- As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
- Follow HackerOne's disclosure guidelines.
Scope Leniency
- This program will not accept submissions for assets that are not listed as in scope.
Program Rules
- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
- Submit one vulnerability per-report, unless you need to chain vulnerabilities to provide impact.
- When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
- Social engineering (e.g. phishing, vishing, smishing) is prohibited.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
- Ask the program team before submitting vulnerabilities on unscoped subdomains.
- Only interact with accounts you own or with the explicit permission of the account holder.
Requesting Testnet funds:
Use the Nimiq Testnet Faucet or request directly via the Testnet Wallet.
Out of scope vulnerabilities
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:
- Any issues already reported publicly on GitHub.
- Any activity that could lead to the disruption of any of our services outside of the PoS MainNet or PoS TestNet.
- Any issue specific to the TestNet deployment that is unrelated to our code.
- Privacy related vulnerabilities (e.g., leaking your address to other peers on the network).
- Previously known vulnerable libraries without a working Proof of Concept.
- Sections of the code intended to be used for testing purposes.
- Zero-knowledge key setup outside of MainNet: since the unit tests and devnet use fixed seeds that are deliberately insecure, any issue related to the ZKP key setup outside of MainNet is considered out of scope for this program.
- Testnet wallet.
- DoS vulnerabilities in the RPC server, except for client crashes or deadlocks.
Thank you for helping keep Nimiq and our users safe!