21 September 2018

Understanding The Recently Launched NEO Vulnerability Bounty Program

If there is one thing that NEO takes very seriously, it is the overall integrity and security of all its projects. For example, since the launch of the NEO MainNet there have been a number of security concerns which have been nipped in the bud by NEO's R&D team, with the help of valuable feedback from community developers who identified possible vulnerabilities in the NEO MainNet.

The need to stay on top of any vulnerability in its projects, by quickly identifying such vulnerabilities and rectifying them in the fastest possible time, has led NEO to officially launch the NEO Vulnerability Bounty Program. With this program in place, NEO has taken a giant step in ensuring that the integrity and security of all its projects are enhanced in a focused and proactive way.

The NEO Vulnerability Bounty Program will provide a platform where members of the NEO community with requisite skills and expertise in software security are incentivised to help in the development of the NEO ecosystem.

NEO will give out enticing rewards, paid in NEO, to security experts within the community who are able to uncover vulnerabilities in the NEO infrastructure. Such experts are therefore encouraged to prepare a detailed vulnerability report and send it to the following email address: erik@neo.org

According to NEO, every report sent to the aforementioned email address will be analysed and investigated. Vulnerabilities identified will then be fixed by NEO’s R&D team in the quickest possible time, and the deserved rewards in NEO will be delivered to the security experts who provided the vulnerability report.

Rules Of The NEO Vulnerability Bounty Program

  • Security experts are expected to provide a vulnerability report regarding the integrity and security of specific NEO projects (read on to see the scope of the program).
  • All vulnerability reports sent to erik@neo.org are expected to include a detailed proof of vulnerability with clearly stated steps for reproducing it. Where this is not provided, the security expert who submitted the report will not be entitled to any NEO reward, and NEO will remove the vulnerability report from its reward list.
  • The amount of NEO rewarded and distributed to security experts for their contributions will depend directly on the clarity and level of detail of their vulnerability report.
  • NEO will reward security experts on a first come, first served basis. Any expert who is the first to submit a vulnerability report on a particular issue will be rewarded ahead of other experts submitting a similar report at a later date. Furthermore, NEO will consider “serial vulnerabilities”, such as computing errors arising from an overflow of data, as a single form of vulnerability.
  • Security experts will not be entitled to receive rewards if:
  1. They submit vulnerability reports of already known and published issues.
  2. They make their discovered vulnerability public before NEO is able to rectify the problem.

The Scope Of The NEO Vulnerability Bounty Program

In order to qualify for a reward under the NEO Vulnerability Bounty Program, security experts have to focus their attention on finding integrity and security vulnerabilities in the following NEO projects:

  1. neo
  2. neo-vm
  3. neo-compiler
  4. neo-cli
  5. neo-gui
  6. neo-devpack-dotnet
  7. neo-plugins

(Scope of NEO Vulnerability Bounty Program courtesy of Medium)

Requirements For The Submission Of A Typical Vulnerability Report

Every security expert is expected to submit their vulnerability report along with the following information:

  1. Information on the ASSET that is subject to the vulnerability. For example, neo-plugins.
  2. A rating of the SEVERITY of the vulnerability problem. The rating can be low, moderate or high.
  3. A SUMMARISED vulnerability report.
  4. A detailed DESCRIPTION of the vulnerability issue relating to the asset in question.
  5. Detailed GUIDELINES on how to reproduce the vulnerability issue, in order to properly guide NEO’s R&D team.
  6. Any other supporting references or materials, which may include logs as well as screenshots.
  7. Details of the IMPACT that the vulnerability could have on the security and integrity of the NEO project in which it was discovered, if exploited by an attacker.
  8. The security expert's FULL NAME and COUNTRY of residence.

Reward Details For The NEO Vulnerability Bounty Program

NEO's R&D team will analyse and evaluate all vulnerability reports submitted in accordance with the rules provided. The R&D team will perform a risk assessment using the OWASP risk assessment rating method. The severity of each submitted vulnerability will be ranked according to four basic severity levels, namely:

  1. Low – Minor vulnerability issues that can affect the proper functioning of the NEO project within which the vulnerability is uncovered.
  2. Medium – Issues such as a node failure.
  3. High – A vulnerability issue that can cause the failure of the entire network or NEO project.
  4. Critical – A vulnerability issue that is capable of leading to a loss of assets on a massive scale.

As mentioned earlier, the rewards distributed to security experts for their contributions will be paid in NEO and will be based on the degree of severity of the vulnerability they uncover. According to NEO, they have devised a formula for measuring the severity of a vulnerability issue, stated as:

“Severity = Impact x Likelihood” (Courtesy: Medium)

The NEO rewards to be distributed according to the severity level of a vulnerability discovered and submitted to erik@neo.org in a detailed report by a security expert are as follows:

  • For a Low severity level: As much as $500 USD in NEO will be distributed to contributors.
  • In a situation of a Medium level of severity: Security experts will be rewarded with as much as $2,000 USD in NEO.
  • For a High severity level: An amount as much as $5,000 USD in NEO will be awarded.
  • In a Critical severity level: Security experts can be rewarded with as much as $10,000 USD in NEO for uncovering and submitting a detailed report of the vulnerability issue.
