Bounty Program

Nearly all projects are posted on the Nebulas Community Collabration Platform: along with their corresponding bounties, and users are expected to apply in order to claim a project or parts of it. This process applies to the wiki and to the NAT Bug Bounty Program. For now, the Nebulas Bug Bounty Program only requires you to submit a form with the relevant information.

Below you will find in-depth information about all the Bounty Programs so you can get started on contributing to the flourishing Nebulas ecossystem and get rewarded for it!

Bug Bounty

The Nebulas Bug Bounty aims to improve the security of Nebulas Ecosystem, ensuring the establishment of a benign Nebulas ecosystem. The Nebulas Bug Bounty Program provides bounties for the discovered vulnerabilities. This bounty program was initiated and implemented by the Nebulas Technical Committee (NTC), in conjunction with the Nebulas technical team, and community members. NTC encourages the community to disclose security vulnerabilities via the process described below, and play a role in building the Nebulas ecosystem, thereby receiving bounties, and partaking in the evolution of the Nebulas ecosystem.

Bug Category

The Bug Bounty Program divides the bug bounties into 2 categories, common bug bounty and special bug bounty. The common bugs include vulnerabilities discovered in:

  • Nebulas mainnet
  • NAS nano pro
  • nebPay
  • Web wallet
  • neb.js
  • Bug Bounty on Testnet
  • others

While the special bugs include vulnerabilities found in the inter-contract call function, etcetera.


The Nebulas Technical Committee will evaluate reward sizes according to the severity calculated by OWASP Risk Rating Method based on Impact and Likelihood. However, final rewards are determined at the sole discretion of the committee.

Overall Risk SeverityOverall Risk Severity


  • High: Bugs affecting asset security.
  • Medium: Bugs affecting system stability.
  • Low: Other bugs that do not affect asset security and do not affect system stability.


  • High: The bug can be discovered by anyone who performs an operation, regardless of whether or not the bug has been found.
  • Medium: Only certain people can discover it (such as a bug that only developers encounter, ordinary users are not affected.)
  • Low: Covers less than 1% specific population, such as certain rare Android models; or any other exceptional cases.


To ensure the bug reporter obtains a stable expected reward, the amount in US dollars will be issued in equivalent NAS. The reward amount is divided into 5 categories:

  • Critical: US$1,000 or more (No upper limit)
  • High: US$500 or more
  • Medium: US$250 or more
  • Low: US$100 or more
  • Improvement: US$30 or more

Note: The Nebulas testnet special vulnerability reward (such as one for testnet inter-contract call function) has been increased accordingly, and the equivalent US dollars are issued in NAS.

Report A Bug

Please send your bug report via this link.

Things to keep in mind:

  1. Please ensure the accuracy and clarity of the content, because the reward evaluation will be based on the content submitted in this form.
  2. If many people discover the same bug, then their report submissions in chronological order will determine their reward. Community users are welcome to discuss the issues of bugs, but the discussion itself is not considered a report, therefore a report form must still be submitted.

Additional notes:

  1. The Nebulas Bug Bounty Program is long-standing. The Nebulas Technical Committee reserves the right to final interpretation of this program, and the rights to adjust or cancel the reward scope, eligibility, and amount.
  2. The Nebulas Technical Committee will confirm and evaluate the bug report after its submission. The evaluation time will depend on the severity of the problem and the difficulty of its resolution. The result of the evaluation will be sent to its reporter by email as soon as possible.
  3. To avoid the exploitation of bugs, reporters are required to submit the bug bounty application using the proper forms.
  4. Reporters shall keep the bugs non-public and confidential until 30 days after the bug submission to Nebulas, and shall not disclose the bugs to any third party. Such confidentiality time limit can be extended by Nebulas unilaterally. If reporters disclose the bugs to any third party and cause any harm to Nebulas or Nebulas’ users, reporters shall be responsible for the compensation for all the losses and damage.
  5. The Nebulas Technical Committee encourages community members to converse with the Nebulas technical team and other community members in the Nebulas public discussion group. We also encourage our community members to join us in fixing these bugs.