Nervos, an open source public blockchain ecosystem under development, has now started its bug bounty program to further audit the network prior to its upcoming mainnet launch.
As an incentive for uncovering potential bugs, Nervos will reward any identified and validated security threats with up to $25,000. There is a total of $1M in initial rewards for the bug bounty program. Rewards may be paid out in USD, USDT, ETH, BTC or, in certain jurisdictions, native Nervos token CKB.
Since the launch of the Nervos testnet in May, the Nervos team has “made every effort to eliminate bugs, but there’s always the chance that we may have missed one, potentially posing a significant vulnerability.”
Bounty Range
The Nervos Bounty Program covers a broad range of areas, including but not limited to:
- Protocols such as the consensus model, the economic model, the cell model, the p2p protocols, the PoW algorithms.
- The security and integrity aspects of the protocol implementation.
- Cryptographic primitives.
- Account management flaws that would put end-user accounts at risk.
- General software security vulnerabilities.
Bug Bounty Rules
- The security bug must be original and previously unreported.
- The security bug must be found under the “nervosnetwork” GitHub page, not the code of a third party.
- Hunters must not have written the buggy code or otherwise been involved in contributing the buggy code to the Nervos project.
- Hunters must not be an employee, contractor, or otherwise, have a business relationship with the Nervos Foundation or any of its subsidiaries.
- Hunters can start or fork a private chain for bug hunting.
- Public disclosure of a vulnerability makes it ineligible for a bounty.
- The bounty rewards are subject to standard KYC requirements and vetting in order to be eligible.
Determinations of eligibility, score, and all terms related to an award are at the sole and final discretion of the Nervos Bug Bounty team, full details of the program can be found here.