In response to requests for more community initiatives, NEO has launched an official bounty program for security vulnerabilities. The bounty program invites any security experts in the NEO community to join in with development and submit any potential security issues or loopholes, with rewards available based on the severity of the flaw.

The announcement timing coincides with the beginning of China’s CyberSecurity Week, a government program that has run since 2014 and aims to raise public awareness of online threats and to promote internet safety.

NEO Global Development has continually awarded developers who have identified NEO vulnerabilities since the MainNet launch, but it is hoped that launching an official bounty program will help encourage more participants and further bolster NEO’s security.

Any security flaws detected for submission to the NEO Vulnerability Bounty Program (NEO VBP) are to be submitted as a report to erik@neo.org. A full list of rules, included projects and rewards can be found here.

Program Rules

All reported vulnerabilities will be evaluated by the NEO core R&D team, focused on factors such as severity and influence. The following rules must be followed in order to receive a bounty reward:

  1. Flaws must be related to the stability or security of an eligible project’s design or implementation
  2. Submitted reports must contain detailed reproduction procedures. More detailed proofs and descriptions will result in higher rewards
  3. Vulnerability reports are rewarded on a first-come first-served basis
  4. Serial vulnerabilities stemming from one root vulnerability are considered a single vulnerability (e.g. a series of computing errors caused by a single data overflow)

Submissions matching the following descriptions are not eligible for rewards:

  1. Published or already known vulnerabilities
  2. Any vulnerability that is unveiled before NGD has fixed or published it
  3. Participants that use a submitted vulnerability to damage the ecosystem are disqualified and may face legal action

NGD has also announced timeframes for responses. Initial response to a report will take no more than 5 business days from time of submission. Triage will be settled within 10 business days, and NGD will distribute rewards within 3 days of the official announcement of the vulnerability.

Eligible Projects

Security vulnerability reports must involve at least one of the following projects to be eligible for rewards:

Vulnerability Report Guidelines

Vulnerabilities should be submitted to erik@neo.org, and any testing should be done on a NEO private network in order to avoid disrupting or damaging the NEO MainNet. The following details should be included in the report:

  1. Asset – What software asset the vulnerability is related to (e.g. NEO core software/products)
  2. Severity – The submitter’s opinion on the severity of the issue (Low, Medium, High, Critical)
  3. Summary – A summary of the vulnerability
  4. Description – Any additional details about the vulnerability
  5. Steps – Detailed steps to reproduce the vulnerability
  6. Supporting material/references – Any source code or additional material such as screenshots or logs
  7. Impact – A description of the impact on NEO assuming the vulnerability is exploited
  8. Name and country of submitter

Rewards

Rewards will be paid in NEO, and are based on a risk assessment performed by NEO R&D using the OWASP risk rating methodology. The bounty rewards are as follows, based on severity:

  • Critical: Up to $10,000 – e.g. issues leading to severe asset loss
  • High: Up to $5,000 – e.g. issues leading to total network failure
  • Medium: Up to $2,000 – e.g. issues causing a single node failure
  • Low: Up to $500 – e.g. any other valid issues

Severity is calculated from the impact of the flaw and the probability of the vulnerability being exploited.