Report vulnerabilities by email to security@nolus.io. Do not open a public issue or PR for security matters.
The program covers the Nolus blockchain, smart contracts, and webapp. The bounty program focuses on:
- Theft or freezing of principal funds
- Theft or freezing of unclaimed yields
- Disruptions to webapp uptime
- Unauthorized access to restricted pages
- Deletion or tampering with user data
Program details: https://hub.nolus.io/en/articles/9680739-security
Reports should include:
- Clear description of the vulnerability and its impact
- Reproducible proof-of-concept — code, transaction hashes, or a recorded video. Theoretical findings without a working reproducer will be closed.
- Affected versions, commits, or deployed addresses
- Your suggested fix if you have one
Legitimate submissions will be acknowledged and triaged within a reasonable timeframe. We reserve the right to close — without response — any report that appears to be spam, fabricated, speculative, LLM-generated without human verification, or otherwise not a good-faith disclosure.
Out of scope:
- Social engineering of staff or users
- Physical attacks
- Volumetric denial-of-service against public infrastructure
- Vulnerabilities requiring privileged access you were never granted
- Findings in third-party dependencies without a working exploit against Nolus components
We welcome use of AI tools as part of your research. However:
- Reports generated by LLMs or automated scanners without human verification will be closed without triage. If you used AI, you must confirm in writing that a human has reproduced and understood the finding.
- Reports that are paraphrased CVEs, raw scanner output, or speculative code analysis without a concrete Nolus impact will be closed.
- Submitting AI-generated spam reports may result in your account being blocked from the organization.
Good-faith research that follows this policy will not result in legal action.