NiceX Crypto Exchange: Program Info

Triaged by HackenProof
NiceHash

NiceHash was founded in 2014 with a clear vision: to make mining simple, friendly, and accessible to everyone.

We provide an open marketplace where you can sell hashpower and earn Bitcoin. NiceHash is also one of the safest crypto companies in the world and is an industry leader in security innovation for mining software.

This program covers the NiceHash crypto exchange (NiceX).

In Scope

Target                                                   Type   Severity   Reward
https://test.nicex.com/  (NiceX Crypto Exchange - Public)      Web    Critical   Bounty
https://test.nicex.com/my/  (NiceX Crypto Exchange - Private)  Web    Critical   Bounty
https://api-test.nicex.com/  (NiceX Crypto Exchange)           API    Critical   Bounty

Ratings/Rewards:

  • For this program, NiceHash will reward researchers in Bitcoin. To receive a reward, you will need to provide NiceHash with your Bitcoin wallet address so they can arrange the transaction.

In-Scope

  • Authentication, authorization, application logic.
  • Risk-oriented: anything that can be proven to have an impact.
  • All infrastructure is cloud based. The infrastructure itself is out of scope, but misconfigured cloud services are in scope.

Out-of-Scope

  • Any software/service not operated by Nicex.
  • Any type of DDOS attack.
  • TLS ciphers.
  • Attacks requiring MITM or physical access to a user's device.
  • Previously known vulnerable libraries without a working Proof of Concept.
  • Missing best practices in Content Security Policy.
  • Missing HttpOnly or Secure flags on cookies.
  • Clickjacking on pages with no sensitive actions.
  • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.
  • Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version].
  • Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).
  • Standard/recommendation compliance: only repeatable scenarios with an actual, proven security risk will be rewarded. Non-compliance with a standard or recommendation, or any other theoretical risk, will not be accepted.

API Documentation:

How to get testnet crypto coins:

The NiceHash test platform supports testnet blockchain coins: you can get testnet crypto coins for free and fully test all functionalities of the platform.
To get testnet crypto coins:

  • Do an internet search for "BTC faucet testnet" (replace BTC with the coin you would like to obtain).
  • On the faucet web page, enter your deposit address from the NiceHash test platform for that coin and follow the instructions on the faucet page.
  • After some time you should receive the testnet coins as a deposit to your account on the NiceHash test platform (this may take from a few hours to a few days, as testnet blockchains are not always fully operational).
  • To be sure that you get enough testnet coins quickly, use several different faucets to obtain different coins.

Testing is only authorized on the targets listed as in scope. Any domain/property of NiceHash not listed in the targets section is out of scope, including any and all subdomains not listed above. If you identify a security vulnerability on a target that is not in scope but demonstrably belongs to NiceHash, you can report it to [email protected]. However, be aware that it is ineligible for rewards or points-based compensation.

Access:

  • Targets are accessible from the public internet.
  • Whenever possible, execute your tests on the staging environment (where the current or the next release of the production version runs) to minimize the impact of your actions.

Credentials:

  • An account is required for accessing private web pages and private API calls. You can register on the platform using a valid email address at https://test.nicehash.com/my/register.
  • Mobile clients available from the official application stores connect to the production platform.
  • The NiceHash platform was designed to require users to select strong passwords, with no maximum length limit (this is not a DoS vector). An email OTP token is used until the user activates device 2FA.
  • Users are encouraged to activate 2FA on their device (such as Google Authenticator on the user's phone and/or a YubiKey). Depending on the evaluated risk, some actions may require an email one-time, time-limited token, a 2FA OTP token, or both.
  • In the staging environment only, researchers can also use 123456 instead of the 2FA/email authentication token; please do not report this as a bug. Feel free to verify that this is not possible in the NiceHash production environment.
  • Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
  • No vulnerability disclosure, including partial disclosure, is allowed for the moment.
  • Please do NOT publish or discuss bugs.

What is responsible investigation and disclosure?

  • Target only the items and URLs specified in the scope below.
  • Don’t violate the privacy of other users or target other users, destroy data, or disrupt services.
  • Target only your own accounts in the process of discovering the bug.
  • Don’t use DDOS attacks, spam, or social engineering attacks. Report the bug only to NiceHash and not to anyone else.

To minimize the risk of executing security tests, and to test financial transactions without the risk of losing your assets or paying fees, use the NiceHash public test environment at https://test.nicehash.com, where you can transfer or trade test cryptocurrencies.