We value our community and appreciate how everyone’s efforts amplify the power of the network. A project that develops a decentralized architecture should also nurture a distributed and diverse group that meaningfully contributes to the project in myriad ways. We believe that skilled security researchers across the globe are crucial in identifying weaknesses in any technology.

The Neufund Bug Bounty recognizes the contributions of security researchers who invest their time and effort in helping us make the Neufund ecosystem more secure. We are grateful for our community’s efforts and fully support them.

How does it work?

You don’t need to sign up for the program; we invite everyone to contribute and get rewarded. All you have to do is open a ticket here and name it “Security Researchers”, then specify your bug report by providing us with supporting documents for the bug you’ve found.

Our developers will verify and confirm your bug report and, based on the severity level, your reward will be calculated. Once this is done you will be asked to provide us with an invoice for your Bug Bounty service. The invoice must be made out to Fifth Force GmbH, CuvryStr. 4, 10997 Berlin, and include all the requisite information as detailed below, including your name, address, ETH address, and VAT number (if applicable), as well as a short description of service:

You will be rewarded with NEU tokens (Neumark), which is Neufund’s protocol token and represents economic co-ownership of the platform.

  • Token name: Neumark
  • Ticker: NEU
  • Blockchain: Ethereum (ERC20 token)
  • Current Supply: 71,512,538 NEU
  • Max Supply: 1 500 000 000 NEU
  • NEU is currently traded on BitBay, HitBTC, Yobit, IDEX and ForkDelta

Applications within the scope of the program

  1. Our system of smart contracts, which is deployed at the following address: 0xF432cEc23b2A0d6062B969467f65669De81F4653 (https://etherscan.io/address/0xF432cEc23b2A0d6062B969467f65669De81F4653) with the source code available in Etherscan (“ICBM Smart Contracts”)
  2. Our system of smart contracts, which can be found here: (https://github.com/Neufund/platform-contracts )
  3. Our distributed react application, which can be found at https://platform.neufund.org with the source code at https://github.com/Neufund/platform-frontend (“Platform Frontend”)
  4. APIs, which can be found at https://platform.neufund.org/api (“Platform Backend”)
  5. Deployed infrastructure vulnerabilities like SMTP setup.

Vulnerability criteria & rewards

  1. All vulnerabilities are reported against deployed code and smart contracts on the Ethereum mainnet. For bugs found in repos that are not exploitable, please create an issue in the respective repo. For audit bounties, please contact us separately.
  2. Please provide us with a working exploit or detailed procedure that leads to a reproducible exploit, for all bounties which aren’t classified as “Low” by our developers. Theoretical descriptions (e.g. if scenario X happens code A is exploitable) are not enough to receive a higher level bounty.
  3. You can receive bounties within the range below or even above in cases of high severity. The evaluation is done by the Neufund tech team and will reflect the team’s approach to security and exploit classification.