Nova Rewards welcomes responsible disclosure of security vulnerabilities that could affect the platform, its smart contracts, backend services, APIs, or supporting infrastructure.
Please report suspected vulnerabilities privately and do not open a public GitHub issue for active security findings.
- Primary contact: security@novarewards.example
- Secondary contact: repository maintainers via private security advisory or direct maintainer outreach
- Preferred language: English
When reporting, include as much detail as possible:
- Affected component or repository path
- Vulnerability type and impact
- Reproduction steps or proof of concept
- Preconditions or required privileges
- Suggested mitigation, if known
We will acknowledge receipt within 72 hours and will keep the reporter informed during triage and remediation.
The following assets are eligible for responsible disclosure review:
- Smart contracts under `contracts/`
- Backend APIs and services under `backend/` and `novaRewards/backend/`
- Frontend application code under `src/`, `frontend/`, and `novaRewards/frontend/`
- Infrastructure as code under `infra/`, `terraform/`, `infrastructure/`, `k8s/`, and `helm/`
- Authentication, authorization, payout, and wallet-related flows
- Misconfiguration that exposes sensitive data or privileged actions
The following are generally out of scope unless chained with a meaningful security impact:
- Best-practice suggestions without a demonstrated exploit path
- Missing HTTP headers on non-sensitive pages without exploitability
- Social engineering, phishing, or physical attacks
- Denial of service requiring unrealistic traffic volume or cost
- Spam or rate-limit bypass attempts without privilege impact
- Vulnerabilities only affecting outdated local development environments
- Issues in third-party services outside Nova Rewards control
- Publicly known vulnerabilities without a project-specific exploit path
| Severity | Example impact | Reward range |
|---|---|---|
| Critical | Theft of funds, contract takeover, admin compromise, remote code execution, auth bypass on privileged actions | $2,500 to $10,000 |
| High | Unauthorized payout manipulation, sensitive data exposure, permanent denial of critical service, major privilege escalation | $750 to $2,500 |
| Medium | User account impact, limited privilege escalation, significant business logic flaw, exploitable misconfiguration | $250 to $750 |
| Low | Minor information disclosure, low-impact misconfiguration, defense-in-depth issue with clear security relevance | $50 to $250 |
Final reward decisions depend on exploitability, impact, report quality, and whether the issue is novel and within scope.
Nova Rewards follows a coordinated disclosure process with a target timeline of up to 90 days:
- Acknowledgement: within 72 hours of receiving a report
- Triage: initial severity and scope assessment within 7 days
- Remediation: fix development and validation based on severity
- Coordinated disclosure: public disclosure after the fix is available, or after 90 days, whichever is agreed with the reporter
If a vulnerability is being actively exploited, we may accelerate remediation and disclosure steps.
If you act in good faith, avoid privacy violations and service disruption, and give us reasonable time to respond before public disclosure, Nova Rewards will treat your research as authorized.
Please do not:
- Access, modify, or delete data that does not belong to you
- Exfiltrate secrets, tokens, or private keys
- Disrupt production availability or degrade service for real users
- Use automated testing that creates excessive load
This repository now publishes the disclosure policy and reward framework. External listing on Immunefi or HackerOne should be completed as a follow-up operational step by the maintainers once a public intake channel is finalized.