Today NEO has officially launched its vulnerability bounty program page. This step continues its efforts to ensure the security and stability of the NEO MainNet. The press release is available in English and Chinese.
20th September 2018:
Since its first day, NEO has treated security as one of its top concerns. In the nearly two years since the MainNet launch, NEO has rewarded many developers who identified vulnerabilities related to NEO.
The purpose of the NEO Vulnerability Bounty Program (NEO VBP) is to be proactive about security by giving security experts in the community a channel, and an incentive, to take part in building the NEO ecosystem. Anyone who discovers a potential security problem or loophole in our underlying infrastructure can send a report to NEO. We will investigate all eligible vulnerability reports and fix the issues as soon as possible. Rewards will be distributed in the equivalent amount of NEO.
It is also noteworthy that this week (Sept 17-24, 2018) is "China Cybersecurity Week", held annually since 2014 and now in its fifth year. As a domestically incubated open-source blockchain project, NEO announced the Vulnerability Bounty Program with timing that is in line with government policy and the state's emphasis on network security.
Security experts and teams from all sectors are welcome to join the NEO Vulnerability Bounty Program and help develop the NEO ecosystem.
Vulnerability Bounty Program webpage: NEO Dev Bounty
NEO Vulnerability Bounty Program
The purpose of the NEO Vulnerability Bounty Program is to be proactive about blockchain security by providing a channel for security researchers to report potential security vulnerabilities they identify in our underlying infrastructure. Anyone who finds a vulnerability can send an email to NEO. We will do our best to investigate eligible reports and fix the valid issues. All rewards will be paid in the equivalent amount of NEO.
Note: Higher rewards will be paid for vulnerabilities of particular interest and criticality. Before reporting any issue, please check the following disclosures on responsibilities, program rules and reporting guidelines.
The level of a vulnerability will be evaluated by the NEO R&D team based on severity, impact and other dimensions. Because we prioritize report assessment by risk and other factors, our response may take some time. Time to first response (from report submission) will be 5 business days; time to triage (from report submission) will be 10 business days. NEO will regularly post feedback on its website and social media channels. Rewards will be distributed within 3 days following the official announcement. NEO reserves the right of final interpretation of the program.
To qualify for a reward, submitters must abide by the following program rules:
- Only issues related to the stability and security of the design and implementation are within scope; vulnerabilities in the NEO website and in related infrastructure built on the NEO blockchain are out of scope. Find more details under Scope of Vulnerability Bounty Program.
- Submitted reports must contain detailed reproduction steps; reports without them will be excluded from the reward list. The more detailed the proof of the vulnerability and the description are, the higher the reward will be.
- When several people report the same vulnerability, the reward goes to whoever reported it first.
- A series of vulnerabilities caused by a single root vulnerability will be counted as one vulnerability, e.g., a series of computation errors caused by a data overflow.
Vulnerabilities matching any of the following descriptions will not be eligible for rewards:
- Vulnerabilities that have already been published or are already known.
- If you disclose a vulnerability before NEO fixes or publishes it, the reward becomes null and void.
- Participants who use submitted vulnerabilities to damage the NEO ecosystem, infringe on users' interests or steal users' assets will be disqualified from rewards; in addition, NEO reserves the right to take legal action.
Scope of Vulnerability Bounty Program
To be eligible for a reward, the report must address a security vulnerability in one of the following projects:
Investigating and reporting vulnerabilities
Please never attempt to access anyone else's data, and do not engage in any activity that would disrupt or damage the NEO production network or test network; you can investigate on a private chain that you build yourself.
If you have found a vulnerability, please submit a report by email to NEO.
Please include the following in your report:
- Asset – The software asset the vulnerability relates to (e.g. NEO core software/products)
- Severity – Your opinion on the severity of the issue (e.g. high, moderate, low)
- Summary – A summary of the vulnerability
- Description – Any additional details about the vulnerability
- Steps – Steps to reproduce, detailed enough that NEO staff or the technical team can follow every step
- Supporting Material/References – Source code to reproduce the issue and any additional material (e.g. screenshots, logs)
- Impact – What security impact could an attacker achieve?
- Your name and country
Bounties are paid out after our R&D team has performed a risk assessment using the OWASP risk rating methodology. There are four levels of severity: Critical, High, Medium and Low. All rewards will be paid in the equivalent amount of NEO. Roughly speaking, we calculate the severity of an issue with the following formula:
Severity = Impact * Likelihood
Base bounty amounts, which depend on severity, are as follows:
- Critical: Up to $10,000 (NEO). For example: issues that lead to severe asset loss
- High: Up to $5,000 (NEO). For example: issues that lead to failure of the whole network
- Medium: Up to $2,000 (NEO). For example: failure of a single node
- Low: Up to $500 (NEO). For example: other valid issues
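The OWASP risk rating the page cites, worked through to the page's four bounty tiers, as an added example that is not NEO's own code: OWASP averages eight likelihood and eight impact factors (each scored 0-9), bands each average as LOW/MEDIUM/HIGH, and combines the two bands in a matrix rather than by literal multiplication. The mapping of OWASP's "Note" level to a $0 cap and the sample scores below are assumptions.

```python
# OWASP Risk Rating factors; each is scored 0-9 by the assessor and each group is averaged.
LIKELIHOOD_FACTORS = ("skill_level", "motive", "opportunity", "size",          # threat agent
                      "ease_of_discovery", "ease_of_exploit", "awareness",
                      "intrusion_detection")                                   # vulnerability
IMPACT_FACTORS = ("loss_of_confidentiality", "loss_of_integrity",             # technical
                  "loss_of_availability", "loss_of_accountability",
                  "financial_damage", "reputation_damage",                     # business
                  "non_compliance", "privacy_violation")

# OWASP overall-risk matrix keyed by (impact band, likelihood band).
RISK_MATRIX = {
    ("HIGH", "HIGH"): "Critical", ("HIGH", "MEDIUM"): "High",     ("HIGH", "LOW"): "Medium",
    ("MEDIUM", "HIGH"): "High",   ("MEDIUM", "MEDIUM"): "Medium", ("MEDIUM", "LOW"): "Low",
    ("LOW", "HIGH"): "Medium",    ("LOW", "MEDIUM"): "Low",       ("LOW", "LOW"): "Note",
}
# Base caps from the NEO VBP page (USD, paid in NEO). OWASP's "Note" level has no tier
# on the page; mapping it to 0 is an assumption.
BOUNTY_CAP_USD = {"Critical": 10_000, "High": 5_000, "Medium": 2_000, "Low": 500, "Note": 0}


def band(score: float) -> str:
    """OWASP banding of an averaged factor score: <3 LOW, 3 to <6 MEDIUM, 6-9 HIGH."""
    return "LOW" if score < 3 else "MEDIUM" if score < 6 else "HIGH"


def average(factors: tuple, scores: dict) -> float:
    """Average one factor group, rejecting incomplete or out-of-range assessments."""
    missing = [f for f in factors if f not in scores]
    if missing:
        raise ValueError(f"missing factors: {missing}")
    bad = [f for f in factors if not 0 <= scores[f] <= 9]
    if bad:
        raise ValueError(f"scores must be 0-9: {bad}")
    return sum(scores[f] for f in factors) / len(factors)


def rate(likelihood: dict, impact: dict) -> dict:
    """Return averaged scores, OWASP severity and the page's bounty cap for that severity."""
    l_avg, i_avg = average(LIKELIHOOD_FACTORS, likelihood), average(IMPACT_FACTORS, impact)
    severity = RISK_MATRIX[(band(i_avg), band(l_avg))]
    return {"likelihood": l_avg, "impact": i_avg,
            "severity": severity, "bounty_cap_usd": BOUNTY_CAP_USD[severity]}


# Constructed sample assessment for a hypothetical single-node crash report (the page's
# own Medium example); the individual scores are illustrative, not NEO's.
SAMPLE_LIKELIHOOD = {"skill_level": 6, "motive": 4, "opportunity": 7, "size": 6,
                     "ease_of_discovery": 3, "ease_of_exploit": 5, "awareness": 4,
                     "intrusion_detection": 8}
SAMPLE_IMPACT = {"loss_of_confidentiality": 2, "loss_of_integrity": 5,
                 "loss_of_availability": 7, "loss_of_accountability": 1,
                 "financial_damage": 3, "reputation_damage": 5,
                 "non_compliance": 2, "privacy_violation": 0}
```

Calling `rate(SAMPLE_LIKELIHOOD, SAMPLE_IMPACT)` yields a MEDIUM likelihood (5.375) and a MEDIUM impact (3.125), which the matrix resolves to Medium and the page's $2,000 cap.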
20th September 2018:
Since its genesis, NEO has always placed security in an important position. In the nearly two years since the MainNet launch, it has rewarded multiple developers and teams who discovered NEO vulnerabilities. To encourage the community to take part in building the NEO ecosystem with greater enthusiasm, NEO has established the NEO Vulnerability Bounty Program (NEO VBP). This program aims to safeguard the security of the NEO blockchain system and to give the community's security experts a channel: anyone who discovers a potential security problem or threat in our blockchain's underlying layer can report it by sending an email to NEO. We will investigate all eligible vulnerability reports and do our best to resolve the issues quickly. Rewards will be paid in NEO equivalent in value to US dollars.
At the same time, September 17-24, 2018 is "China National Cybersecurity Awareness Week". The "Security Week" originated in 2014, and this year is its fifth. As an open-source blockchain project that originated in China, NEO announced the establishment of the Vulnerability Bounty Program (NEO VBP) during this period, actively responding to government policy and the state's emphasis on network security.
Security experts and teams from all sectors are welcome to join the Vulnerability Bounty Program and jointly build a thriving NEO ecosystem.
Vulnerability Bounty Program website: NEO Dev Bounty
Vulnerability Bounty Program Rules
Rewards depend on the assessed severity level of the vulnerability: the higher the severity and impact, the higher the reward. Before reporting any security vulnerability, please read this page to understand our responsible disclosure policy, the reward method, and the notes on writing the report.
The vulnerability's level will be evaluated and scored by NEO's internal engineers on multiple dimensions, including severity and impact. We will assess reports in priority order according to risk and other factors, so it may take some time to reply to you. The time to first response (from submission) is 5 business days; the time to assessment (from submission) is 10 business days. NEO will regularly publish program feedback on its official website and social media; rewarded participants will receive their bounty within 3 days of the official announcement of the results. NEO reserves the right of final interpretation.
- Only design or implementation issues that affect the stability or security of the blockchain are within the scope of this program; related facilities on the NEO blockchain (website, documentation, third-party clients, block explorers, development tools, etc.) are not eligible for rewards. See [Scope of Vulnerability Bounty Program](#漏洞奖励计划范畴) below.
- Submitted vulnerabilities must include detailed reproduction steps; reports lacking details will not be rewarded. The more detailed the evidence collected for the vulnerability and the localization of the problem, the higher the reward.
- A series of vulnerabilities caused by one vulnerability will be treated as the same vulnerability, for example a series of computation errors caused by a data overflow.
- Vulnerabilities that have already been published or are already known are not eligible for rewards.
- If the submitter publishes the vulnerability before NEO fixes it, the reward is void.
- Submitters who use submitted vulnerabilities to damage the NEO ecosystem, infringe users' interests or steal users' assets will be disqualified from rewards; at the same time, NEO has the right to take legal action.
To be eligible for a reward, you must report a **security** vulnerability in one of the following projects:
Please do not attempt to modify any user's data or attack the NEO MainNet or TestNet; you can look for vulnerabilities on a private chain you build yourself.
- Asset – The project the vulnerability relates to; see [Scope of Vulnerability Bounty Program](#漏洞奖励计划范畴).
- Severity – Your estimate of the severity of the issue (high / medium / low)
- Summary – A summary of the issue
- Description – Any additional description of the issue
- Steps – Reproduction steps, detailed enough that NEO's internal staff or the relevant technical personnel can follow every step
- Supporting Material / References – Related references and supporting material, such as source code for reproduction, screenshots, log information, etc.
- Impact – The degree of security impact an attacker could cause
- Your name and country – Please state your name and country
We rate the severity of issues using the OWASP risk rating methodology. A risk assessment is performed on each reported issue, with four levels: Critical, High, Medium and Low. Bounties are paid in the equivalent amount of NEO. The severity of an issue is calculated by the following equation:
Severity = Impact * Likelihood
- Critical: Up to $10,000 (NEO). For example: issues that cause users' assets to be lost
- High: Up to $5,000 (NEO). For example: issues that paralyze the whole network
- Medium: Up to $2,000 (NEO). For example: failure of a single node
- Low: Up to $500 (NEO). Other valid issues that are not medium, high or critical