NiceHash Mining platform: Program Info

API Documentation:

• All NiceHash clients (web, mobile, bots...) use same API calls documented on link: https://test.nicehash.com/docs/ where you can also test public and private API calls.
• You can generate your own API keys inside of platform if you would like to use some tools for testing automatisation, you can find examples here https://github.com/nicehash/rest-clients-demo.

How to get testnet crypto coins:

NiceHash test platform supports testnet blockchain coins - you can get testnet crypto coins for free and fully test all functionalities of the platform.
To get testnet crypto coin:

• Do internet search on BTC faucet testnet (replace BTC with coin you would like to obtain).
• In faucet web page, enter your deposit address from NiceHash test platform for that coin and follow the instructions of faucet page.
• You should receive testnet coins as deposit to your account on the test NiceHash platform after some time (this time may from few hours to a few days, as testnet blockchains are not always fully operational).
• To be sure that you will get enough testnet coins quickly, use several different faucet to obtain different coins.

Testing is only authorized on the targets listed as in scope. Any domain/property of NiceHash not listed in the targets section is out of scope. This includes any/all subdomains not listed above. If you happen to identify a security vulnerability on a target that is not in scope, but it demonstrably belongs to NiceHash, you can report it to [email protected]. However, be aware that it is ineligible for rewards or points-based compensation.

Access:

• Targets are accessible from the public internet.
• You should execute your tests on the staging environment (where we run the current or the next release of production versions) to minimize impact of your actions when possible.

Credentials:

• An account is required for accessing private web pages and private API calls. You can register on the platform using a valid email here https://test.nicehash.com/my/register.
• Mobile clients available from official applications stores are connecting to the production platform.
• NiceHash platform was designed to require users to select strong passwords without length limitation (no DDos), email OTP token is used until user activates device 2FA.
• Users are encouraged to activate 2FA on their device (like Google authenticator on user phone and/or Yubikey), depending on an evaluated risk some actions might require use of an email one time used time limited token, 2FA OTP token or both.
• In the staging environment only, researchers can also use 123456 instead of 2FA/email authentication token - please do not report this as bug. Feel free to verify that this is not possible in NiceHash production environment.

• Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization
• No vulnerability disclosure, including partial is allowed for the moment.
• Please do NOT publish/discuss bugs

What is responsible investigation and disclosure?

• Target only items and URLs specified in the scope bellow.
• Don’t violate the privacy of other users or target other users, destroy data, or disrupt services.
• Target only your own accounts in the process of discovering the bug.
• Don’t use DDOS attacks, spam, or social engineering attacks. Report the bug only to NiceHash and not to anyone else.

To minimize the risk of executing security tests, to test financial transactions without the risk of losing your assets or paying fees, you can use the NiceHash public test environment at https://test.nicehash.com, where you can transfer or trade test cryptocurrencies.