Bug Bounty

The NFTX Bounty program rewards users that discover and properly disclose found bugs with predefined bounties. We encourage anyone to help strengthen the protocol by actively searching for bugs in NFTX contracts.

The NFTX bounty program is derived from the Ethereum Bounty Program, an industry standard when it comes to rightfully rewarding bug bounty hunters.

Please send vulnerability submissions to bounty@nftx.org

The NFTX V2 contracts have been through the Code Area bug bounty programme on two occassions. A number of vulnarabilities were flagged that were either fixed or acknowledge which you can review in these two reports

Please check these prior to submitting your bug bounties as anything already identified here is unlikely to qualify for this Bug Bounty programme outlined below.

Rules and Rewards

Please have a look at the bullets below before starting your hunt!

  • Issues that have already been submitted by another user or are already known to the NFTX team are not eligible for bounty rewards (this includes the Code Area report).

  • Public disclosure of a vulnerability makes it ineligible for a bounty.

  • You can start or fork a private chain for bug hunting. Please respect the NFTX main and test networks and refrain from attacking them.

  • All NFTX members paid by the DAO are not eligible for rewards.

  • NFTX websites or organizational infrastructure in general, are NOT part of the bounty program.

  • NFTX bounty program considers a number of variables in determining rewards. Determinations of eligibility, score and all terms related to an award are at the sole and final discretion of the NFTX DAO.

The value of rewards paid out will vary depending on Severity. The severity is calculated according to the OWASP risk rating model based on Impact and Likelihood :

Reward sizes are guided by the rules below, but are in the end, determined at the sole discretion of the NFTX DAO.

  • Critical: up to 50 000 USD

  • High: up to 30 000 USD

  • Medium: up to 20 000 USD

  • Low: up to 4 000 USD

  • Note: up to 1000 USD

Bounties may be paid out in USD, ETH or NFTX tokens.

In addition to Severity, other variables are also considered when the NFTX DAO decides the score, including (but not limited to):

  • Quality of description. Higher rewards are paid for clear, well-written submissions.

  • Quality of reproducibility. Please include test code, scripts and detailed instructions. The easier it is for us to reproduce and verify the vulnerability, the higher the reward.

  • Quality of fix, if included. Higher rewards are paid for submissions with clear descriptions of how to fix the issue.

Important Legal Information

The bug bounty program is an experimental and discretionary rewards program for our active NFTX community to encourage and reward those who are helping to improve the platform. It is not a competition. You should know that we can cancel the program at any time, and awards are at the sole discretion of the NFTX DAO. You are responsible for all taxes. All awards are subject to applicable law. Finally, your testing must not violate any law or compromise any data that is not yours.

Bounty Scope

The above mentioned bug bounty rules and rewards are applicable to all smart contracts that are actively being used and/or promoted by NFTX.

When in doubt about whether the bug applies to the bounty program, please contact the DAO by sending an email to bounty@nftx.org.

Last updated