What are the guidelines for participating in Nym's vulnerability disclosure program?

Participants must avoid downloading, modifying, or destroying user data; refrain from causing denial of service; test only with their own accounts or instances; and adhere to other specified guidelines.

How can I report a vulnerability to Nym?

Vulnerabilities should be reported via email to bugs@nym.com, preferably encrypted with Nym's PGP key. Reports should be kept confidential and include detailed technical descriptions with proof-of-concept code or screenshots.

What types of vulnerabilities are eligible for reporting?

Eligible issues include CSRF, XSS, code executions, SQL injection, SSRF, privilege escalations, authentication bypasses, and data leaks. Ineligible issues encompass rate limiting, stack traces, self-XSS, MiTM attacks, DoS attacks, cache poisoning, clickjacking, missing DNS records, brute force attacks, vulnerabilities in third-party services or outdated software, and issues in support services.

How does Nym evaluate reported vulnerabilities?

Nym acknowledges reports within approximately 72 hours, attempts to reproduce and validate the issue, assesses severity based on CVSS scores, and determines rewards accordingly. Severity levels range from Critical (CVSS 9.0-10.0) to Informational (CVSS 0).

What rewards does Nym offer for reported vulnerabilities?

Rewards are provided in NYM tokens based on the severity of the vulnerability: Critical issues may receive up to $10,000 worth of NYM tokens, High up to $1,000, Medium up to $200, Low up to $50, and Informational may receive acknowledgment or a nominal reward.

What is Nym's Safe Harbor policy for security researchers?

Nym commits not to pursue legal action against researchers who act in good faith, follow the vulnerability disclosure policy, and avoid unnecessary harm or data access. This policy cannot bind third parties, and researchers are encouraged to contact Nym if in doubt.

How do I submit a vulnerability report?

Email your findings to support@nym.com, ideally encrypting with our [PGP key](https://github.com/nymtech/nym/security/policy), and include clear, reproducible steps, plus any proof-of-concept code or screenshots.

Vulnerability disclosure policy and bug bounty program

Содержание

Frequently asked questions

Email your findings to support@nym.com, ideally encrypting with our PGP key, and include clear, reproducible steps, plus any proof-of-concept code or screenshots.

You will receive a confirmation email once your report is submitted.

Common vulnerabilities like XSS, CSRF, code execution, SQL injection, SSRF, authentication bypasses, and data leaks may qualify, as long as they meet our criteria.

We aim to acknowledge receipt within about 72 hours. After that, we’ll attempt to reproduce and validate the issue before determining if it qualifies for a reward.

Rewards are based on severity and impact, often using a CVSS-based classification. Payouts are made in NYM tokens, and you’ll need to include a valid NYM address in your report.

We encourage coordinated disclosure after we’ve implemented a fix. Please refrain from publicly sharing details for at least 60 days after acknowledgment, unless we agree on an earlier disclosure date.