Nimiq Bug Bounty Program

Strengthen Nimiq's security, earn rewards.

  • Reports resolved: 11
  • Assets in scope: 6
  • Top bounty: $13'337

What is Nimiq?

Nimiq is a simple, secure and censorship-resistant payment protocol, native to the web. We look forward to working with the community to find security vulnerabilities in order to keep our protocol and official implementations as safe as possible. You can find our developer reference here.

SLA

Nimiq will make a best effort to meet the following SLAs for hackers participating in our program:

  • Time to first response (from report submit): 1 business day
  • Time to triage (from report submit): 1 business day
  • Time to bounty (from triage): 5 business days

We’ll try to keep you informed about our progress throughout the process.

Disclosure Policy

Please follow HackerOne's disclosure guidelines and submit your work to security@nimiq.com.

Rewards

Target     Critical   High     Medium   Low
Core JS    $13'337    $3'133   $1'337   $500
Wallet     $3'000     $1'000   $500     $200
Keyguard   $3'000     $1'000   $500     $200

Our rewards are based on severity per CVSS (the Common Vulnerability Scoring System). Please note these are general guidelines, and that reward decisions are up to the discretion of Nimiq. All payouts are made in BTC and NIM, at the equivalent value at time of payment.

Program Rules

  • Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
  • When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
  • Only interact with the testnet designated in the scope instructions below.

Good Vulnerability Starting Points (IN SCOPE)

We are looking to find security issues affecting our blockchain protocol, its implementations as well as its integration with the Ledger Nano S hardware wallet. As such, we would like to find vulnerabilities of the following types (other types could be in scope too, but this list provides a good starting point):

  • Bugs in our implementation of the cryptographic primitives
  • Remote Code Execution
  • Theft (unauthorized movement of funds, access to private keys)
  • Inflation (creation of coins by any method different from mining)
  • Netsplit (preventing a part of the peer to peer network from communicating with the other part of the network in a way that could be applied generically)
  • Denial of Service:
    - Create invalid blockchain state
    - Overload the whole network
    - Overload a single client
    - Crash a client
    - Stall a client
    - Disconnect client
    - Create invalid client state

To find these vulnerabilities, you can use both the source code directly, as well as our testnet (the instructions to access both of them are in the "In Scope" section below).

NOTE: When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug

Since our main interest is in finding security problems affecting our blockchain protocol, its implementations, and its Ledger Nano S hardware wallet integration, the following issues are considered out of scope:

  • Any issues that are outside what is defined in the "In Scope" section below.
    - This includes any issue not directly related to the code and its functionality, for example usability or user experience.
    - Security breaches that are only possible with full access to the client machine, for example using a keylogger or reading/monitoring the computer's memory.
  • Privacy related vulnerabilities (e.g. leaking your address to other peers on the network).
  • Attacks requiring MITM or physical access to a user's device.
  • Previously known vulnerable libraries without a working Proof of Concept.
  • Any activity that could lead to the disruption of our service (DoS), outside of the testnet.
  • 51% attacks, including those on the testnet.
  • Any problem on the servers where the testnet nodes are running that is unrelated to our specific software (i.e. only the official client running on port 8080 is in scope).
  • Any issues already reported publicly on GitHub.

To get you started, you can download the Burp Suite Project Configuration file. To learn more about Nimiq, create your account, join the community and find out more on nimiq.com.

Thank you for helping keep Nimiq and our users safe!

In Scope

Domain: https://wallet.nimiq.com/

The Nimiq Wallet is the main place where our users interact with the blockchain and with the funds protected by their keys (usually stored in the Keyguard), which means we expect it to be highly secure. Examples of the kind of exploits we're interested in:

  • Opening a fake Keyguard from the Nimiq Wallet, which would allow an attacker to trick the user into entering their keys and to steal them.
  • Deleting a user's key without the user explicitly wanting to.
  • Hijacking the "copy to clipboard" functionality so that the wrong address is copied.
  • Displaying the wrong address when the user is asked to verify the address on the Ledger Nano S.

The source code for the Wallet is available here in case it can help you to find security issues with it, but please keep in mind we're looking for bugs that are actually exploitable in the current deployment of the Wallet (i.e. in https://wallet.nimiq.com/).

Domain: https://keyguard.nimiq.com/

The Nimiq Keyguard is designed to be the place where users' keys are stored (encrypted) if they are not using a supported hardware wallet, so it is very important for us to make sure that the Keyguard is secure. Examples of the kind of exploits we are interested in are: unauthorized key extraction, unauthorized signing of transactions, displaying information when signing a transaction that differs from the actual data in the signed transaction, etc. These exploits need to be due to a problem in the Keyguard itself, so things like social engineering or malware on a user's computer are not considered valid reports.

The source code for the Keyguard is available here in case it can help you to find security issues with it, but please keep in mind we're looking for bugs that are actually exploitable in the current deployment of the Keyguard (i.e. in https://keyguard.nimiq.com/).

Source Code

The src/ folder on the master branch of this repository has all the source code for our official JavaScript implementation, which we would like to see tested.

There is also a running version of this code in the testnet, you can find the instructions to test against it in the "Blockchain testnet" section below.

Source Code

The Nimiq Ledger App is designed to allow Ledger Nano S users to create a Nimiq Account with the private key safely stored in their hardware wallet.

For this particular asset we're looking to find bugs that would allow an attacker to obtain a user's private key (or any other secret data that can be used to validly sign transactions), or that would allow an attacker to create a transaction whose fields are displayed incorrectly on the Ledger's screen, resulting in a valid transaction to a different address or with a different amount than the user expected.

Other less critical bugs could also be valid (for example a bug that can cause the app to "freeze" or "crash").

Only bugs in the Nimiq Ledger App itself are valid, more general bugs that apply to the Ledger Nano S or its Operating System should be sent to Ledger directly.

Source Code

The master branch of this repository has all the source code for our official Rust implementation, which we would like to see tested.

There is also a running version of this code in the testnet, you can find the instructions to test against it in the "Blockchain testnet" section below.

Other: Blockchain Testnet

The regular Nimiq Testnet can be used for the purposes of this program. It consists of our official client implementations running on the following servers:

  • seed1.nimiqtest.net:8080 (JavaScript implementation)
  • seed2.nimiqtest.net:8080 (JavaScript implementation)
  • seed3.nimiqtest.net:8080 (JavaScript implementation)
  • seed4.nimiqtest.net:8080 (Rust implementation)

The easiest way to connect to the Testnet is to download the master branch of our official code repository and follow the Quickstart Guide to get a web client (step 7); if you prefer, you can also build a Node.js client afterwards. Very important: make sure to set the network parameter to the testnet (--network=test) before attempting anything.

Of course, you are also encouraged to find security problems by connecting directly to the 8080 port on those servers with any other tools that you consider useful. Please keep in mind that security issues on other services (i.e. not our client on port 8080) running on these servers are out of scope.

Out of Scope

Domain: *.nimiq.com

Domain: https://miner.nimiq.com/

Disclaimer

None of these statements should be viewed as an endorsement or recommendation for Nimiq, any cryptocurrency, or investment product. Neither the information, nor any opinion contained herein constitutes a solicitation or offer by the creators or participants to buy or sell any securities or other financial instruments or provide any investment advice or service. All statements made in Nimiq's web pages, blogs, social media, press releases, or in any place accessible by the public, and oral statements that may be made by Nimiq or project associates that are not statements of historical fact, constitute "forward-looking statements". These forward-looking statements involve known and unknown risks, uncertainties, and other factors that may cause the actual future results, performance, or achievements to be materially different from any future results, performance, or achievements expected, expressed, or implied by such forward-looking statements.