BLOG September 20, 2018

NEO Vulnerability Bounty Program Page Officially Launched

Since its first day, NEO has held security as one of its top concerns. During the nearly two years from the MainNet launch, NEO has rewarded many developers who have identified vulnerabilities related to NEO.

The purpose of NEO Vulnerability Bounty Program (NEO VBP) is to be proactive about security by providing a channel for security experts in the community to join NEO eco-development in a motivated way. Anyone who has discovered the potential security problems or loopholes of our underlying infrastructure can send a report to erik@neo.org. We will investigate all eligible vulnerability reports and fix the issues as soon as possible. The rewards will be distributed in the equivalent amount of NEO.

It's also noteworthy that this week (Sept 17-24, 2018) is "China Cybersecurity Week", launched since 2014 and lasting 5 years. As a domestically incubated open-source blockchain project, NEO announced the Vulnerability Bounty Program with this timing pretty in line with the government policy and the state's emphasis on network security.

Security experts and teams from different sectors are welcome to join NEO Vulnerability Bounty Program to develop NEO ecosystem.

Vulnerability Bounty Program webpage: https://neo.org/dev/bounty

NEO Vulnerability Bounty Program 

The purpose of NEO vulnerability bounty program is to be proactive about blockchain security by providing a channel for security researchers to report potential security vulnerabilities identified related to our underlying infrastructure. Everyone who find the vulnerabilities can send email to erik@neo.org. We will try our best to investigate those eligible vulnerabilities and fix the valid issues. All rewards will be paid in the equivalent amount of NEO.

Note: Higher rewards will be paid out in case of vulnerabilities of certain interest and criticality. Before reporting any issues, please check the following disclosures on responsibilities, program rules and reporting manner notice.

Program Rules

Level of vulnerabilities will undergo evaluation by the NEO R&D team based on severity, influence and other dimensions. As we will prioritize report assessment by risks and other factors, it may take time for our response. Time to first response (from report submission) will be 5 business days; time to triage (from report submission) will be 10 business days. NEO will regularly update the feedback on its website and social media channels. Rewards will be distributed within 3 days following official announcement. NEO reserves the right of final interpretation of the event.

To finally achieve the self-worthy reward the submitters should abide by the following event rules:

  1. Only issues related to stability and security with design and implementation is within the scope, vulnerabilities with NEO website and related infrastructure on the NEO blockchain is out of the scope. Find more details at the Scope of Bug Bounty Program.
  2. Submitted reports should contain detailed reproduction procedures, in the absence of which, the reports will be excluded from the rewarding list. The more detailed about the proof of vulnerabilities and the descriptions are, the higher your reward will be.
  3. For those who report the same vulnerability, the reward goes to whom comes first.
  4. Serial vulnerabilities caused by one vulnerability will be considered as one vulnerability, e.g., a series of computing errors caused by data overflow.

Vulnerabilities fitting in any of the following descriptions will not be eligible for the rewards:

  1. Those published or known ones are not eligible for rewards.
  2. If you unveil such vulnerabilities before NEO fixes or publish them, the reward becomes null and void.
  3. Participants who use submitted vulnerabilities to damage NEO ecosystem, infringe on users' interest and perform pilferage on users' assets will be disqualified for rewards; meanwhile, NEO is rightful to resort to justice.
Scope of Vulnerability Bounty Program

Security vulnerabilities of the following projects must be addressed in the report to be eligible for the rewards:

Investigating and reporting vulnerabilities

Please, never attempt to access anyone else's data and do not engage in any activity that would be disruptive or damaging to NEO production network and testing network, you can investigate with your own built private chain.

If you have found a vulnerability, please submit a report through sending email to erik@neo.org.

Please include following in your report:

  1. Asset - What software asset the vulnerability is related to (e.g. NEO core software/products)
  2. Severity - Your opinion on the severity of the issue (e.g. high, moderate, low)
  3. Summary - ­Add summary of the vulnerability
  4. Description -­ Any additional details about this vulnerability
  5. Steps - Steps to reproduce, getting NEO staff or technical team clearly informed of every detailed step.
  6. Supporting Material/References ­- Source code to replicate, list any additional material (e.g. screenshots, logs, etc.)
  7. Impact - What security impact could an attacker achieve?
  8. Your name and country.

Bounties are paid out after a risk assessment (OWASP risk rating methodology) has been made by our R&D team. There are four rates of severity, Critical, High, Medium, Low. All rewards will be paid in the equivalent amount of NEO. Roughly speaking, we calculate the severity of an issue with the following formula:

Severity = Impact * Likelihood

Base bounty amounts which related with severity are as follows:

  • Critical: Up to $10,000 (NEO) For example: issues lead to severe asset loss
  • High: Up to $5,000 (NEO) For example: issues lead to all network fail
  • Medium: Up to $2,000 (NEO) For example: Single node failure
  • Low: Up to $500 (NEO) For example: Other valid issues
Written by:
Neo Global Development