The purpose of NEO vulnerability bounty program is to be proactive about blockchain security by providing a channel for security researchers to report potential security vulnerabilities identified related to our underlying infrastructure. Everyone who find the vulnerabilities can send email to firstname.lastname@example.org. We will try our best to investigate those eligible vulnerabilities and fix the valid issues. All rewards will be paid in the equivalent amount of NEO.
Note: Higher rewards will be paid out in case of vulnerabilities of certain interest and criticality. Before reporting any issues, please check the following disclosures on responsibilities, program rules and reporting manner notice.
Level of vulnerabilities will undergo evaluation by the NEO R&D team based on severity, influence and other dimensions. As we will prioritize report assessment by risks and other factors, it may take time for our response. Time to first response (from report submission) will be 5 business days; time to triage (from report submission) will be 10 business days. NEO will regularly update the feedback on its website and social media channels. Rewards will be distributed within 3 days following official announcement. NEO reserves the right of final interpretation of the event.
To finally achieve the self-worthy reward the submitters should abide by the following event rules:
Vulnerabilities fitting in any of the following descriptions will not be eligible for the rewards:
Security vulnerabilities of the following projects must be addressed in the report to be eligible for the rewards:
Please, never attempt to access anyone else's data and do not engage in any activity that would be disruptive or damaging to NEO production network and testing network, you can investigate with your own built private chain.
Please include following in your report:
Bounties are paid out after a risk assessment (OWASP risk rating methodology) has been made by our R&D team. There are four rates of severity, Critical, High, Medium, Low. All rewards will be paid in the equivalent amount of NEO. Roughly speaking, we calculate the severity of an issue with the following formula:
Severity = Impact * Likelihood
Base bounty amounts which related with severity are as follows:
|Critical||Up to $10,000||Issues lead to severe asset loss|
|High||Up to $5,000||Issues lead to all network fail|
|Medium||Up to $2,000||Single node failure|
|Low||Up to $500||Other valid issues|