The Neptune Mutual Smart Contract Vulnerability Disclosure Program is hereby established with the purpose of promoting the identification and resolution of vulnerabilities within the smart contracts utilized by Neptune Mutual. As a firm committed to the security of our smart contracts, we recognize that such vulnerabilities may arise and it is our goal to work collaboratively with the community to promptly address any identified issues.
In furtherance of this objective, we have implemented a bug bounty program to incentivize the responsible disclosure of vulnerabilities within our protocol smart contracts. Should you have reason to believe that a vulnerability has been discovered, we urge you to promptly notify us so that appropriate action may be taken.
Incentives are provided for reported vulnerabilities impacting the Neptune Mutual Protocol smart contracts developed in the Solidity programming language:
- GitHub - neptune-mutual-blue/protocol
- protocol/oracle at develop · neptune-mutual-blue/protocol · GitHub
It is important to note that certain services and vulnerabilities are not within the scope of the Neptune Mutual Protocol Smart Contract Vulnerability Disclosure Program. These include, but are not limited to:
- bugs in third party smart contracts or platforms over which we do not have control of
- issues that have already been identified and reported in previous audit reports
- issues that have already been identified and reported to Neptune Mutual by others who participated in this Disclosure Program
- exploits that have resulted in damage and were carried out by the individual reporting the vulnerability
- attacks that require access to leaked keys, private keys, or credentials
- attacks that require access levels
- inaccuracies in data supplied by third party oracles
- basic economic governance attacks
- lack of liquidity
- critiques on best practices
- sybil attacks
- centralization risks
For the avoidance of doubt, Neptune Mutual shall have the discretion to decide on the scope and exclusion of this Disclosure Program. This list of scope and exclusions may be revised or amended from time to time in this webpage Neptune Mutual has no obligation to make any announcement to such amendments.
Any discovered vulnerabilities affecting the Neptune Mutual Protocol smart contracts written in the Solidity programming language must be reported to the designated form provided at the bottom of this page. Such reported vulnerabilities must be kept confidential until Neptune Mutual has been notified, has addressed the issue, and has granted permission for public disclosure. Furthermore, any reported vulnerability must be disclosed to Neptune Mutual within 24 hours of discovery.
To facilitate a thorough assessment of the reported vulnerability, please provide detailed information including:
- all conditions must be met to reproduce the vulnerability
- full steps required to reproduce the vulnerability
- and potential implications of the vulnerability being reported
Any individual who reports a previously unknown vulnerability leading to a change in code or configuration and adheres to the confidentiality requirements will be publicly thanked and acknowledged for their contribution, subject to mutual agreement.
To be eligible for a reward, you must:
- Be at least 18 years of age.
- Not be subject to United States sanctions or reside in a country that is subject to United States embargoes.
- Not publicly disclose vulnerabilities or issues related to the Neptune Mutual Protocol smart contracts.
- Discover a previously unreported, non-public vulnerability that would result in a loss of or a lock of any token on the Neptune Mutual Protocol (but not on any third party platform interacting with Neptune Mutual) and that is within the Scope mentioned in the Program.
- Be the first to disclose the unique vulnerability, in compliance with the requirements outlined in the Program.
- Provide sufficient information to enable the engineers at Neptune Mutual to reproduce and fix the vulnerability.
- Not exploit the vulnerability in any way, including through making it public.
- Make a good faith effort to avoid privacy violations, destruction of data, interruption or degradation of the Neptune Mutual marketplace service.
- Not exploit the protocol via an issue for which a reward has already been paid under the bounty program.
- Not be a current or former employee, vendor, or contractor of Neptune Mutual or any of its vendors or contractors.
- Not conduct testing on the mainnet or public testnet contracts; all testing should be done on a local blockchain fork.
- Not conduct testing with pricing oracles or third party smart contracts.
- Individuals participating in the vulnerability disclosure program are prohibited from publicly disclosing (sharing or revealing) any unpatched (not yet fixed) vulnerabilities discovered in the Neptune Mutual smart contracts before being granted permission to do so by the company, especially when the vulnerability is under an embargo (a temporary restriction on the public release of information).
- Not engage in threatening, blackmail, extortion, or any other unlawful conduct.
In case of any dispute in relation to the eligibility of reward or in relation to this Program, Neptune Mutual shall have the final determination and interpretation of the terms and rules of this Program.
In accordance with the Common Vulnerability Scoring System (CVSS) Risk Rating, the severity of discovered vulnerabilities will be evaluated and rewarded accordingly.
- Informational: $0
- Low Severity: Up to $500
- Medium Severity: Up to $1000
- High Severity: Up to $5000
- Critical Severity: Up to $50,000
The reward amount will be determined based on the impact of the vulnerability and the level of difficulty in reproducing the vulnerability. Please note that all submissions will be reviewed on a monthly basis, with the exception of high severity bugs which will be given priority. We kindly request that all submissions be made through the designated reporting form to ensure proper tracking and response. Additionally, directly messaging the Neptune Mutual team on Discord or Telegram with bug reports is discouraged as it hinders our ability to efficiently manage submissions.
As a participant in our Smart Contract Vulnerability Disclosure Program, you can expect that we will:
- Honestly and fairly compensate eligible discoveries based on the severity and exploitability of the vulnerability, as determined at our discretion.
- Provide Safe Harbor protections for your vulnerability research that is related to this program, meaning that we will not initiate legal action against individuals who make a good faith effort to comply with our program.
- Collaborate with you to understand and validate your report, including providing a timely initial response based on the severity of the reported issue.
- Take prompt action to remediate discovered vulnerabilities.
- Acknowledge your contribution to enhancing our security if you are the first to report a unique vulnerability and your report results in a code or configuration change.
By submitting your report, you hereby grant to Neptune Mutual all rights, interests, ownerships, property including all intellectual property rights, that is contained in the submitted report, which includes and not limited to any interests that is arising from the content of such report, and that may be necessary for the validation, mitigation, and disclosure of the vulnerability reported. Neptune Mutual has the full power and discretion to share any content in the report to any third parties for the purpose of taking remedial actions to the vulnerability and to prevent future vulnerability. The determination of the eligibility for and the amount of rewards, as well as the manner in which such rewards will be paid, shall be made at the sole discretion of Neptune Mutual.
Individuals who are subject to sanctions or who reside in any sanctioned countries as determined by OFAC of the United States, UK Sanctioned List, UN Security Council and/or sanctioned by any competent jurisdictions ( including but not limited to Cuba, Iran, North Korea, Sudan, and Syria) are ineligible for rewards under this program. It is your responsibility to comply with any applicable tax laws and regulations based on your place of residence and citizenship. Additionally, depending on local regulations, there may be further restrictions on your ability to participate in this program. Please note that this program is experimental and discretionary, and that Neptune Mutual reserves the right to discontinue the program at any time. Furthermore, you must ensure that your testing does not violate any laws or cause harm or disruption to third-party data.