Nimiq Proof-of-Stake Bug Bounty Program

Strengthen Nimiq's security, earn rewards.

This is an extension of the Bug Bounty Program for Nimiq Proof-of-Work.

  • Reports resolved: 0
  • Assets in scope: 1
  • Top bounty: $3'000

What is Nimiq?

Nimiq is a simple, secure and censorship-resistant payment protocol, native to the web. We are now focusing on strengthening our Zero Knowledge Proof Circuit Design and Implementation. We look forward to working with the community to find security vulnerabilities in this specific area to keep our protocol as safe as possible.

Service-Level Agreement (SLA)

Nimiq will make a best effort to meet the following SLAs for hackers participating in our program:

  • Time to first response (from report submit): 1 business day
  • Time to triage (from report submit): 1 business day
  • Time to bounty (from triage): 5 business days

We’ll try to keep you informed about our progress throughout the process.

Disclosure Policy

Please follow HackerOne's disclosure guidelines and submit your work to security@nimiq.com.

Rewards

Target                                                  Critical  High    Medium  Low
Zero Knowledge Proof Circuit Design and Implementation  $3'000    $1'000  $500    $200

Our rewards are based on severity as rated with CVSS (the Common Vulnerability Scoring System). Please note that these are general guidelines and that reward decisions are at the discretion of Nimiq. All payouts are made in BTC or NIM at the equivalent value at the time of payment.

Program Rules

  • Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
  • When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.

In Scope

Zero Knowledge Proof Circuit Design and Implementation: Source Code

We are focusing on identifying and resolving vulnerabilities specific to our Zero Knowledge Proof Circuit Design and Implementation. In particular, we are interested in:

  1. Creation of valid proofs for invalid chains: Any security flaws that allow the creation of valid proofs for incorrect or false blockchain states, leading to potential misuse or manipulation of the chain.
  2. Bugs in the circuits: Identifying and rectifying any vulnerabilities, errors, or inconsistencies within the Zero Knowledge Proof circuits themselves, which could compromise the integrity, privacy, or functionality of the system.

Please refer to the source code for insights into potential exploits. Your reports should focus on these areas, and any submissions outside these specific subjects will be considered out of scope.

NOTE: When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug.

Out of Scope

  1. Zero-knowledge key setup: The unit tests and the devnet use fixed seeds that are intentionally insecure, so any issue related to the ZKP key setup is out of scope for this program.
  2. Domain: *.nimiq.com
  3. Domain: https://miner.nimiq.com/
  4. Any issues that are outside what is defined in the "In Scope" section above.
  5. Any issue not directly related to the code and its functionality, for example usability or user experience.
  6. Security breaches that are only possible with full access to the client machine, for example using a keylogger or reading/monitoring the computer's memory.
  7. Privacy related vulnerabilities (e.g., leaking your address to other peers on the network).
  8. Attacks requiring MITM or physical access to a user's device.
  9. Previously known vulnerable libraries without a working Proof of Concept.
  10. Any activity that could lead to the disruption of our service (DoS), outside of the testnet.
  11. Any problem on the servers where the nodes for the private testnet are running, and that is unrelated to our specific software, is out of scope (i.e., only the official client running on port 8080 is in scope).
  12. Any issues already reported publicly on GitHub.

Mailing List

By subscribing to this list, please be assured that you will not be receiving our regular newsletters or any other promotional content. This mailing list is solely dedicated to providing notifications and updates about our ongoing Bug Bounty Program.

In the coming months, we will be expanding the program and adding new items to the "In Scope" section. Your continued support, participation, and vigilance are critical to the security and success of Nimiq. By staying connected through this mailing list, you'll be the first to know about any additions or changes in our bug bounty activities.

We greatly appreciate your support and cooperation in keeping Nimiq secure.

Disclaimer

None of the statements must be viewed as an endorsement or recommendation for Nimiq, any cryptocurrency, or investment product. Neither the information, nor any opinion contained herein constitutes a solicitation or offer by the creators or participants to buy or sell any securities or other financial instruments or provide any investment advice or service. All statements made in Nimiq’s web pages, blogs, social media, press releases, or in any place accessible by the public, and oral statements that may be made by Nimiq or project associates that are not statements of historical fact, constitute “forward-looking statements”. These forward-looking statements involve known and unknown risks, uncertainties, and other factors that may cause the actual future results, performance, or achievements to be materially different from any future results, performance, or achievements expected, expressed, or implied by such forward-looking statements.