English中文change language

Rules

Rewards

Rewards

In addition to severity, Nervos Bounty Program considers a number of other variables in determining rewards, including (but not limited to):

Basic Classification of the Bounty Rewards

1 point currently corresponds to 1 USD (payable in USD, USDC, BTC, ETH or CKB), this may be subject to change. In addition, payments in crypto may not be available in certain jurisdictions.

If you discover a vulnerability, please provide a report of the Vulnerability to Nervos at bounty@nervos.org and include your name, email address, company name (if applicable), a description of the bug, including your estimation of the potential impact to Nervos, and a description of the steps you took to identify the vulnerability.

Bounty Scope

The Nervos Bounty Program covers a broad scope, including but not limited to:

In general, we invite bounty hunters to check those key components of Nervos CKB:

Things that are not eligible for reward include:

Review Process

review process

Terms

Welcome to the Nervous Foundation Bug Bounty Program (the "Nervos Bounty Program"). If you believe you’ve found a bug or security vulnerability in compliance with the rules set forth in our Nervos Bounty Program Guide available at https://bounty.nervos.org, we encourage you to notify Nervos Foundation ("Nervos") in accordance with the guidelines below.

Acceptance of Terms

By participating in the Nervos Bounty Program, you acknowledge and agree that your participation is subject at all times to the terms set forth in these Nervos Bug Bounty Program Terms and Conditions (the "Terms").

The Nervos Bounty Program, these Terms, and any aspect thereof are subject to change or cancellation by Nervos at any time, with or without advance notice to you. Nervos may amend or update these Terms at any time by posting a revised version here or through other communications. By continuing to participate in the Nervos Bounty Program after such changes, you are indicating that you accept the new modified Terms.

Eligibility

You may only participate in the Nervos Bounty Program and make a submission of a security vulnerability report (a "Submission") if you are:

  • Over 18 years old;

  • Not a resident of, or currently residing in, a country or region against which the United States has imposed a general trade embargo (as of the date that these terms and conditions were last updated, such countries and regions are Iran, Cuba, the Crimea region of Ukraine, North Korea, and Syria); and

  • Not employed in any way by Nervos or any of its affiliates and an immediate family member of anyone thereof.

Scope and Rules

The Nervos Bounty Program applies to security vulnerabilities ("Vulnerabilities") within the Bounty Scope as set forth in the Nervos Bounty Program Guide. In addition, the Vulnerabilities must be found in code under the “Nervosnetwork” Github page, and not in the code of a third party.

You agree that your submissions to Nervos of Vulnerabilities you find comply with the Rules as set forth in the Nervos Bounty Program Guide.

Your Responsibility

You agree not to do any of the following in connection with your participation in the Nervos Bounty Program or otherwise:

  • Execute or attempt to execute any denial of service;

  • Interact with any third parties (which includes modifying or accessing data from such third party) if such third party has not consented to such action;

  • Spam or use any automated vulnerability tools that may generate large traffic volume;

  • Exploit any of the Vulnerabilities you discover in any way for any reason, including exploitation of any data uncovered by way of such Vulnerability;

  • Engage in social engineering (including “phishing”) of Nervos staff or contractors;

  • Intentionally violate any other applicable laws or regulations, including those prohibiting unauthorized access to data;

  • Physically attempt to gain access to Nervos property; and

  • Disclose any personal, financial, or location information publicly.

You agree to do all of the following in connection with your participation in the Nervos Bounty Program:

  • Inform us as soon as possible upon discovery of any Vulnerability through the submission process below;

  • Treat all information you receive, collect, or discover about Nervos, its affiliates, customers, users, or agents in connection with the Nervos Bounty Program (including all bugs and vulnerabilities) as confidential and not share any such information except with Nervos for the purposes of the Nervos Bounty Program; and

  • Make a good faith effort to avoid privacy violations and disruptions to others, including but not limited to unauthorized access to or destruction of data, theft, and interruption or degradation of our services.

Nervos reserves the right, in its sole discretion, to exclude certain categories of bugs or vulnerabilities from any reward in the Nervos Bounty Program.

Submission Process

If you discover a vulnerability, please provide a report of the Vulnerability to Nervos at bounty@nervos.org and include your name, email address, company name (if applicable), a description of the bug, including your estimation of the potential impact to Nervos, and a description of the steps you took to identify the vulnerability.

  • Properly submitted and documented in accordance with the submission process above and the Nervos Bounty Program Guide;

  • The first such Submission for the given Vulnerability.

Submissions will be reviewed by our security team. We aim to provide a response within a few days after receiving a Submission, but responses may be delayed based on the availability of the security reviewer and whether there are other more severe Vulnerabilities that our security team is currently addressing. If Nervos, in its sole discretion, determines that your Submission meets the criteria described above and that the Submission is the first for the given Vulnerability, Nervos will remit to you a reward, which depends on a number of factors, including but not limited to the type and severity of the Vulnerability, and as set forth in further detail in the Nervos Bounty Program Guide.

Rewards

To be eligible to receive a reward, you must provide Nervos with accurate, complete and up-to-date information about you, including your name, email address, and any other information that Nervos reasonably requests, to allow Nervos to send a reward to you.

If you are located within the United States, you may not be eligible to receive tokens as rewards. If you are not eligible to receive tokens as rewards, any and all rewards you receive will be paid in USD, USDT, ETH or BTC only. If you are located outside the United States, you have the option to receive rewards in CKB Tokens. Before you receive a reward, you must sign and return to Nervos any additional agreements or forms as may be required and provided by Nervos, including without limitation, the Notice of Future Token Interest Award if your reward will be paid in CKB tokens. Nervos makes no guarantee of a token’s value in any currencies.

You are responsible for paying all taxes related to the rewards payments, if any.

Ownership

You agree that any Submission will be the sole and exclusive property of Nervos. By submitting a Submission, you hereby irrevocably assign to Nervos and agree to irrevocably assign to Nervos all of your right, title, and interest in and to the Submission, including without limitation all worldwide patent rights, copyright rights, trade secret rights, and other proprietary or intellectual property rights therein.

By submitting a Submission, you represent that neither the Submission nor any use of the Submission by Nervos will infringe, misappropriate, or violate a third party’s intellectual property rights, or rights of publicity of privacy, or result in the violation of any applicable law or regulation, including export control laws.

Independent Parties

You are not an employee, contractor or agent of Nervos, but are an independent third party who wants to participate in the Nervos Bounty Program. Nothing in the Terms is intended to render Nervos and you as joint venturers, partners, or employer and employee. Under no circumstance shall Nervos be considered to be your employer, nor shall you have any right as an employee of Nervos.

FAQ

What’s the time limit of the bounty program?

The bounty program starts on Oct 22 2019 and will end whenever the initial 1M rewards all being paid out.No end date is currently set. See the Nervos blog for the latest news.

How are bounties paid out?
  • Rewards may be paid out in USD, USDT, ETH, BTC or, in certain jurisdictions, CKB. Rewards are typically paid out after the submission has been validated, usually a few weeks later. Local laws require us to ask for proof of your identity. In addition, we will need your Bank account info/USDT/ETH/BTC/CKB address, as applicable.

  • For participants from within the United States, all rewards will be paid in USD, USDT, ETH or BTC only.

  • For participants from outside the United States, participants have the option to receive the rewards in CKB Tokens, subject to certain eligibility requirements described in the Program Terms.

How do I submit a bug for review?

If you discover a vulnerability, please provide a report of the Vulnerability to Nervos at bounty@nervos.org and include your name, email address, company name (if applicable), a description of the bug, including your estimation of the potential impact to Nervos, and a description of the steps you took to identify the vulnerability.

I reported an issue / vulnerability but have not received a response?

We ask that you give us reasonable time to investigate and mitigate an issue you report before making public any information about the report or sharing such information with others. We will try to review and respond to submissions as fast as possible. Feel free to email us at bounty@nervos.org if you have not received a response within two weeks following your submission.

Questions about the program or submission process? send an email to bounty@nervos.org and ask us.