nomina bug bounty program
We want to know about security vulnerabilities that could harm our users or our platform.
If you find something that could lead to loss of funds, system failures, or security breaches, we want to hear from you. The time and energy that goes into all bug reports is deeply appreciated.
systems covered
Any vulnerability that could result in loss of user funds, unauthorized access, or system compromise is in scope.
nomina core
Our cross-chain messaging infrastructure and EVM components
solvernet
Our intent execution network
Submitting a Report
Send your findings to bugbounty@nomina.io. At a minimum, your report should include the following four items:
1. Description: a clear description of the vulnerability
2. Reproduction: step-by-step instructions to reproduce the issue
3. Demonstration: a proof of concept demonstrating the bug
4. Assessment: an assessment of the potential impact
If multiple people report the same issue, we'll honor the first submission we receive.
We will reject reports that involve:
Social engineering, phishing, or physical attacks
Insufficient detail or inability to reproduce
Exploits requiring unrealistic user actions or privileged device access
Non-security bugs like minor UI glitches
Scenarios based on unrealistic market conditions
requirements
To participate, there are several requirements:
1. Proper submission: Submit reports only to bugbounty@nomina.io (no public disclosure platforms)
2. Verification: Complete KYC/KYB verification
3. Ability to receive funds: Be able to receive USDC/USDT on Ethereum
4. Confidentiality: Keep vulnerabilities confidential until we've resolved them
5. Reproduction: Provide enough detail for us to reproduce the issue
6. Proper environment: Test only on testnet environments, never on production/mainnet
bounty payments
We pay rewards based on severity.
1. Medium: Security issues with limited impact, performance problems. Up to $2,000.00
2. High: Major service disruption or execution failures. Up to $10,000.00
3. Critical: Direct risk of loss of user funds or system compromise. Up to $25,000.00
Payments will be made in USDC or USDT on Ethereum. Final severity classification and payout amounts are at our discretion.
submit your report
We genuinely appreciate the effort security researchers put into making Nomina safer. Thank you for helping protect our users.