Bug Bounty Program
BNHP operates a comprehensive bug bounty program to incentivize security researchers to responsibly disclose vulnerabilities. We believe that working with the security community is essential to building a safe and robust protocol.
Reward Tiers
| Severity | Description | Reward |
|---|---|---|
| Critical | Direct loss of user funds, unauthorized minting, or complete protocol compromise | Up to $1,000,000 |
| High | Significant risk to user funds or protocol integrity | Up to $100,000 |
| Medium | Limited impact on protocol functionality or user experience | Up to $10,000 |
| Low | Minor issues with minimal security impact | Up to $1,000 |
Scope
The following components are in scope for the bug bounty program:
In Scope:
- All BNHP smart contracts deployed on mainnet
- BNHP Chain consensus and bridge contracts
- Oracle network smart contracts
- DEX engine and liquidity contracts
- $NPH token and vesting contracts
Out of Scope:
- Front-end website vulnerabilities (XSS, CSRF, etc.)
- Third-party dependencies (unless the vulnerability is specific to BNHP's use)
- Issues already reported or known
- Theoretical attacks without a proof of concept
Submission Process
To submit a bug report:
- Email security@bnhp.ai with the subject line "Bug Bounty Submission"
- Include a detailed description of the vulnerability
- Provide a proof-of-concept (PoC) demonstrating the issue
- Include the potential impact and affected contracts
- Suggest a fix if possible
Our security team will acknowledge your submission within 24 hours and provide an initial assessment within 72 hours.
Rules
Researchers must not exploit vulnerabilities beyond what is necessary to demonstrate the issue, must not access or modify user data, and must not perform denial-of-service attacks. Rewards are paid in $NPH tokens at the 30-day average price at the time of disclosure.