Neptune Mutual Bug Bounty Program

Scope of the Bounty

All smart contracts deployed on the mainnet are included. Sometimes, source codes might be a commit or two behind the smart contract.

Low Severity
Not optimized consumption of resources, usage of deprecated practices etc.

$0-$100 in NEP tokens to be paid until the 15th day of the next month after the report is accepted

Medium Severity
Logic errors, low impact vulnerabilities (not causing losses)

$100-$500 in NEP tokens to be paid until the 15th day of the next month after the report is accepted

High Severity
Vulnerabilities that might cause losses, critical logic bugs

$500 to $2000 in NEP tokens in 5 business days after the report is accepted and confirmed

Critical Severity
Serious vulnerabilities that might cause serious losses and application shutdown

$2000 to $5000 in NEP tokens in 5 business days after the report is accepted and confirmed

The severity of reported vulnerabilities will be graded according to the CVSS (Common Vulnerability Scoring Standard).

The report should contain the following sections:

You should not test the mainnet smart contract to find vulnerabilitiesBug Introduction: A brief description of the vulnerabilityBug Description: A detailed description of the vulnerabilityPotential cause of the bug.Detailed scenario explaining an attack vector.Potential damage caused by this bug.Recommended fixYour Ethereum address for paymentPlease privately submit your report at security@neptunemutual.com

By participating in the bug bounty, you are agreeing to adhere to the following rules:

Let us know as soon as you discover a security riskPlease provide detailed reports with reproducible steps. Failing this, the issue will not be eligible for a reward.Please be available to cooperate with Neptune Mutual’s engineering team to provide further information on the bug if needed.In case of duplicates, we will only award the first report that was received, provided that it can be fully reproduced.Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.Social engineering (e.g. phishing, vishing, smishing) is prohibited.Bug reports that are known to us cannot be accepted.Your testing must not violate any law or compromise any data that is not yours.Judgments of submissions are at Neptune Mutual’s sole discretion as is the award of payments. It is possible that you may receive a lower reward than you expected or no reward at all.Please respect third party applications and understand that issues that are not specific to Neptune Mutual’s smart contracts are not part of the bounty program. Neptune Mutual reserves the right to forward details of the issue to that party without further discussion with the program participant.We can close the program at any time.