
Security: nosana-ci/nosana-programs

SECURITY.md

Security Policy

  1. Reporting security problems
  2. Security Bug Bounties

Reporting security problems to Nosana

DO NOT CREATE AN ISSUE

Instead, please send an email to [email protected] and provide your GitHub username so we can add you to a new draft security advisory for further discussion.

For security reasons, DO NOT include attachments or provide detail sufficient for exploitation regarding the security issue in this email. Instead, wait for the advisory to be created, and provide any sensitive details in the private GitHub advisory.

If you haven't done so already, please enable two-factor authentication on your GitHub account.

DO send the email from an email domain that is less likely to be flagged as spam by Gmail.

Expect a response as fast as possible, typically within 72 hours.

If you do not receive a response within that time frame, please do follow up with the team directly. You can do this through Discord by pinging the admins and referencing the fact that you submitted a security bounty.

As above, please DO NOT include attachments or provide detail regarding the security issue in this email.

Security Bug Bounties

We offer bounties for critical security issues.

The Nosana Foundation pays NOS tokens to people reporting a valid bug.

We pay a bug bounty at our discretion after verifying the bug, up to 10% of value at risk, limited by a maximum of $100.000 in NOS tokens (locked 12 months).

This bounty is only paid out if details about the security issue have not been provided to third parties before a fix has been introduced and verified.

Furthermore, the reporter is in no way allowed to exploit the issue without our explicit consent.

Either a demonstration or a valid bug report is all that's necessary to submit a bug bounty.

A patch to fix the issue isn't required.
