NEO officially launched its vulnerability bounty program today, offering a top reward of up to $10,000 to developers who find critical problems in the network. Citing security as one of its top concerns, NEO said that it had rewarded several developers who found problems in the system in the 2 years since its mainnet launch. The new bounty program reiterates the network’s dedication to proactive security measures and to helping developers contribute to NEO.
What Does the Bounty Entail?
NEO said that anyone who has found a potential vulnerability in the system can send their report to firstname.lastname@example.org. The report will be investigated by the team and fixed as soon as possible. It also mentioned the China Cybersecurity Week (September 17 to 24), which is now in its 5th year. The new Vulnerability Bounty Program has been launched at the same time as the Cybersecurity Week to highlight NEO’s support for government policy and the state’s policy of network security, as it is a China-incubated open-source project.
Individuals and teams can participate in the bounty by visiting this page https://neo.org/dev/bounty.
Program Rules and Rewards
The NEO R&D team will evaluate all vulnerabilities depending on their influence, severity and other dimensions. The team will issue its first response in 5 business days, followed by another 5 days for triage. The feedback will be updated regularly on NEO’s social media and their website. After the official announcement, rewards will take 3 days for distribution.
During the bounty program, vulnerabilities related to the security and stability of design and implementation will be accepted. Bounty hunters must also send detailed reproduction reports to the team. If two or more people report the same vulnerability, the reward will be given to the first submitter. Moreover, the program will count serial vulnerabilities as one vulnerability. The scope of the program extends to neo, neo-vm, neo-compiler, neo-cli, neo-gui, neo-devpack-dotnet, and neo-plugins.
Rewards for the program will depend on the impact of the vulnerability. Critical issues will be paid up to $10,000, and high severity issues will be paid up to $5,000. Medium and low severity issues will be paid up to $2,000 and $500 respectively. All rewards will be paid in NEO equivalents. NEO can also increase the rewards if deemed suitable.