Bug Bounties
Help us improve Numerai and earn NMR!
We need and want your help to improve Numerai so we will aim to be generous and fair with our bounties where possible. If you feel like you deserve more/less bounty for your contribution just let us know!
The examples listed below are not exhaustive and the bounty amounts listed above are only rough guidelines. The exact amounts depends on the actual bug, feedback or suggestion. Actual bounty payout amounts, if any, will be determined by Numerai at its sole discretion.
If you see anything that is broken, report it! If it turns out to be a real issue and your report helped us fix it then we will give you a bounty!
Bug report | Bounty |
|---|---|
Small website display issues, broken email, broken links | 0.1-1 NMR |
Minor exploits or vulnerabilities that do not risk user funds | 0.1-1 NMR |
Medium data errors, incorrect payouts, cannot submit/stake | 1-5 NMR |
Major exploits, security issues, smart contract vulnerabilities | 1-100 NMR |
Note: You must have a Numerai Tournament account to receive bounty payment. US persons receiving a bounty valued > $600 USD will be required to submit W9 taxpayer information.
Regardless of your tax jurisdiction, you are solely responsible for any tax implications related to any bounty payouts you may receive.
We consider the follow to be of negligible security impact unless the researcher provides concrete explanation and valid proof-of-concept to support claims:
- Missing security headers
- Reports that state that software is out of date/vulnerable without a proof-of-concept
- Highly speculative reports about theoretical damage
- Vulnerabilities as reported by automated tools without additional analysis as to how they're an issue
- Reports from automated web vulnerability scanners (Acunetix, Vega, etc.) that have not been validated
- SSL/TLS scan reports (this means output from sites such as SSL Labs)
- Open ports without an accompanying proof-of-concept demonstrating vulnerability
- Subdomain takeovers - please demonstrate that you are able to take over the page by leaving a non-offensive message, such as your username
- CSV injection
- Unchained open redirects
- Best practices concerns
- Protocol mismatch
- Rate limiting
- Exposed login panels
- Dangling IPs
- Vulnerabilities that cannot be used to exploit other users or Numerai-- e.g. self-xss or having a user paste JavaScript into the browser console
- Content injection issues
- Missing cookie flags on non-authentication cookies
- Cross-site Request Forgery (CSRF) with minimal security implications (Logout CSRF, etc.)
- Reports that affect only outdated user agents or app versions -- we only consider exploits in the latest browser versions for Safari, FireFox, Chrome, Edge, IE and the versions of our application that are currently in the app stores
- Issues that require physical access to a victim’s computer/device
- Stack traces
- Path disclosure
- Directory listings
While researching, we'd like to ask you to refrain from:
- Denial of service
- Spamming
- Rate limiting attacks (unless it constitutes a significant risk)
Send email to [email protected] explaining the vulnerability, it's impact, and proof-of-concept to support claims.
If you have any good ideas about how to improve the Numerai propose it to us! If it is a good idea and we end up using it then we will give you a bounty!
Feedback & Suggestions | Bounty |
|---|---|
Small website features | 1 NMR |
Medium data, submissions and staking improvements | 1-5 NMR |
Large tournament rules/payouts, reputation | 10-100 NMR |
If you are going for a large bounty, it would be helpful if you wrote up your idea in a document (pdf or google docs) or a notebook (google colab, github).
Last modified 21d ago