What are the guidelines for participating in Nym's vulnerability disclosure program?

Participants must avoid downloading, modifying, or destroying user data; refrain from causing denial of service; test only with their own accounts or instances; and adhere to other specified guidelines.

How can I report a vulnerability to Nym?

Vulnerabilities should be reported via email to bugs@nym.com, preferably encrypted with Nym's PGP key. Reports should be kept confidential and include detailed technical descriptions with proof-of-concept code or screenshots.

What types of vulnerabilities are eligible for reporting?

Eligible issues include CSRF, XSS, code executions, SQL injection, SSRF, privilege escalations, authentication bypasses, and data leaks. Ineligible issues encompass rate limiting, stack traces, self-XSS, MiTM attacks, DoS attacks, cache poisoning, clickjacking, missing DNS records, brute force attacks, vulnerabilities in third-party services or outdated software, and issues in support services.

How does Nym evaluate reported vulnerabilities?

Nym acknowledges reports within approximately 72 hours, attempts to reproduce and validate the issue, assesses severity based on CVSS scores, and determines rewards accordingly. Severity levels range from Critical (CVSS 9.0-10.0) to Informational (CVSS 0).

What rewards does Nym offer for reported vulnerabilities?

Rewards are provided in NYM tokens based on the severity of the vulnerability: Critical issues may receive up to $10,000 worth of NYM tokens, High up to $1,000, Medium up to $200, Low up to $50, and Informational may receive acknowledgment or a nominal reward.

What is Nym's Safe Harbor policy for security researchers?

Nym commits not to pursue legal action against researchers who act in good faith, follow the vulnerability disclosure policy, and avoid unnecessary harm or data access. This policy cannot bind third parties, and researchers are encouraged to contact Nym if in doubt.

How do I submit a vulnerability report?

Email your findings to support@nym.com, ideally encrypting with our [PGP key](https://github.com/nymtech/nym/security/policy), and include clear, reproducible steps, plus any proof-of-concept code or screenshots.

Vulnerability disclosure policy and bug bounty program

Nym takes a multifaceted approach to external security, using continuous testing, vulnerability disclosure, a bug bounty program, and regular audits and penetration tests from external firms and our internal Security team.

1. Guidelines

To participate, you must follow these guidelines:

Do not download, modify, or destroy other users’ data.
Do not cause denial of service (DoS) through exploits, traffic, or provider issues.
Test only with your own account in production, or run your own instance of our open source code.
Social engineering, DDoS, physical access, and similar attacks are out of scope.
Only the first report of a unique issue is eligible for a payout.
Nym decides payouts, severity, classification, and eligibility.
Threats, ransom demands, or unprofessional language disqualify you.

2. How to report a vulnerability ?

Email: security@nym.com (encrypt with our PGP key if possible).
Keep reports confidential and include proof-of-concept code or screenshots if you can.
Provide a detailed technical description, including tools and steps to reproduce. Avoid using LLMs as they tend to be vague.
Attach images or documents with clear names; scripts or exploit code must be in non-executable formats.
We accept common file types and archives (zip, 7zip, gzip).
You may remain anonymous or provide contact info. We may request clarification.
By submitting, you affirm no IP rights violations and grant Nym the right to use your report internally for security purposes.

3. Vulnerability scope

Any significant vulnerability with enough detail and a proof-of-concept may be eligible. Once confirmed, we’ll work to fix it, and you agree to assist in testing fixes if needed.

Eligible issues (examples)

Cross-Site Request Forgery (CSRF)
Cross-Site Scripting (XSS)
Code executions
SQL injection
Server-Side Request Forgery (SSRF)
Privilege escalations
Authentication bypasses
Data leaks

Ineligible issues (examples)

Rate limiting
Stack traces
Self-XSS
Man in the Middle (MiTM) attacks
Denial of Service (DoS) attacks
Cache poisoning
Clickjacking
Missing DNS records
Brute force attacks
Vulnerabilities in third-party services or third-party platforms
Vulnerabilities in past versions of the software
Vulnerabilities affecting outdated browsers or operating systems
Vulnerabilities found in support services (e.g., Zendesk)

4. How do we evaluate vulnerabilities?

1. Initial review

We acknowledge reports within ~72 hours. We then attempt to reproduce and validate the issue. Reports that are non-reproducible, out of scope, duplicates, or already covered in past Nym audits may be closed without reward.

2. Severity assessment

Critical (CVSS 9.0-10.0): Direct user privacy compromise, VPN encryption bypass, or account takeover.
High (CVSS 7.0-8.9): Broad security flaws affecting many users, including data leaks.
Medium (CVSS 4.0-6.9): Conditional exploits that may still expose user information.
Low (CVSS 0.1-3.9): Minor, hard-to-exploit issues.
Informational (CVSS 0): Helpful findings, not true vulnerabilities.

3. Rewards and payouts

Rewards in NYM tokens are based on severity. Include your NYM address when submitting a report. You are responsible for taxes. Submissions from countries on prohibited lists (e.g. US sanctions) are ineligible.

Indicative rewards structure:

Critical: 10,000 USD worth of NYM tokens
High: 1,000 USD worth of NYM tokens
Medium: 200 USD worth of NYM tokens
Low: 50 USD worth of NYM tokens
Informational: May receive acknowledgment or a nominal reward.

4. Handling disputes

If you disagree with severity or a rejection, request clarification. We can reevaluate with new info. After reevaluation, the security team’s decision is final.

5. Public disclosure

We encourage coordinated disclosure after a fix is in place.

Do not publicly share details for 60 days after our acknowledgment, unless you coordinate with us.

We may inform affected vendors but will not share your identity without permission.

5. Safe Harbor Policy

We won’t pursue legal action against researchers who act in good faith, follow this policy, and avoid unnecessary harm or data access.

Scope of Policy

We cannot bind third parties. If in doubt, contact us first.

We may share non-identifying details of your report with affected third parties who commit not to take legal action against you. Identifying info is only shared with your permission.

Possible exemptions

Good faith research that may violate certain terms can be exempt under safe harbor conditions.

Nym’s legal commitments

Nym will not file civil or criminal actions against compliant researchers. Non-compliance may lead to exclusion or, in severe cases, legal action.

Questions?

Email security@nym.com with questions. If unsure about specific methods, ask before testing. Suggestions for improving this policy are welcome.

Frequently asked questions

Email your findings to support@nym.com, ideally encrypting with our PGP key, and include clear, reproducible steps, plus any proof-of-concept code or screenshots.

You will receive a confirmation email once your report is submitted.

Common vulnerabilities like XSS, CSRF, code execution, SQL injection, SSRF, authentication bypasses, and data leaks may qualify, as long as they meet our criteria.

We aim to acknowledge receipt within about 72 hours. After that, we’ll attempt to reproduce and validate the issue before determining if it qualifies for a reward.

Rewards are based on severity and impact, often using a CVSS-based classification. Payouts are made in NYM tokens, and you’ll need to include a valid NYM address in your report.

We encourage coordinated disclosure after we’ve implemented a fix. Please refrain from publicly sharing details for at least 60 days after acknowledgment, unless we agree on an earlier disclosure date.