novatSa4s7wJBHPoCWzyK45Z2N6ky3uYiBEQtw3FjJb, not to web or other non-iOS frontends.
Scope
In scope
The following areas are in scope only when they directly impact Nova multisig security:

| Category | Description / Examples |
|---|---|
| iOS multisig approval logic | Flaws in how the iOS app enforces or presents multisig approvals that could cause an approval to be recorded or interpreted incorrectly. |
| Multisig transaction creation, signing, execution | Issues in how transactions are built, signed, or executed for multisig that could lead to incorrect or unintended on-chain actions. |
| Threshold enforcement | Any issue that allows bypassing, weakening, or miscalculating the required multisig signature threshold. |
| Signer authorization and validation | Bugs that cause an unauthorized signer to be treated as authorized, or that incorrectly validate signer identity or permissions. |
| Replay or approval reuse attacks | Reuse of prior approvals, signatures, or intents to execute new or modified transactions without fresh, explicit multisig approval. |
| State desynchronization between signers | Inconsistencies between different signers’ views of multisig state that can be exploited to cause incorrect assumptions about approvals or transaction status. |
| Client → on-chain multisig message integrity | Any manipulation of data between the iOS client and the on-chain multisig program that can alter transaction contents, recipients, or amounts without detection. |
| On-chain multisig program behavior (Nova usage) | Vulnerabilities in the Nova-managed on-chain multisig program at novatSa4s7wJBHPoCWzyK45Z2N6ky3uYiBEQtw3FjJb that can lead to unauthorized transactions or incorrect execution semantics. |

Out of scope

| Category | Description / Examples |
|---|---|
| UI / UX issues | Visual glitches, layout issues, copy changes, non-security usability problems. |
| Feature requests | Suggestions for new features, design changes, or product improvements. |
| Performance issues | Latency, non-security-related performance problems, or efficiency concerns without security impact. |
| Crash-only bugs | Crashes, errors, or panics that do not result in a security impact on multisig approvals or transactions. |
| Social engineering | Attacks against Nova staff, users, or partners via phishing, fraud, or impersonation. |
| Phishing or fake apps | Malicious third-party apps, wallets, or websites impersonating Nova. |
| Other clients and frontends (non-iOS) | Web dashboards, browser extensions, desktop clients, or third-party apps, even if they interact with the same multisig program address. |
| Third-party RPCs, SDKs, or Solana issues | Vulnerabilities in underlying Solana network, validators, RPC providers, third-party SDKs, or other external services. |
| iOS system vulnerabilities | Vulnerabilities in iOS, Apple services, or hardware outside of Nova’s apps and infrastructure. |
| Testnet-only behavior | Issues that occur only on testnet, devnet, or non-production environments. |
| Physical device compromise | Attacks requiring theft, loss, or direct physical control of a user’s device. |
| Known or already-public vulnerabilities | Issues that have already been publicly disclosed or are already known and accepted by Nova. |
| Anything not affecting multisig security | Any issue that does not measurably affect Nova multisig approval, threshold enforcement, or transaction correctness. |
Before You Submit
- Only issues that directly impact the Nova iOS multisig flow or the Nova-managed on-chain multisig program at novatSa4s7wJBHPoCWzyK45Z2N6ky3uYiBEQtw3FjJb (as described in In scope) are accepted.
- UI bugs, non-security crashes, and feature requests will be ignored.
- Reports must include clear reproduction steps and a proof of concept (PoC).
- Do not publicly disclose any details of the vulnerability before Nova has confirmed and resolved it.
Submission Process
All vulnerability reports must be submitted through the official form. We do not accept reports via email, social media, GitHub issues, or any other channel.

Bug Submission Form: https://tally.so/r/dWEX0A

When submitting a report, include at minimum:
- Clear, step-by-step reproduction instructions.
- A proof of concept (PoC) demonstrating the impact.
- App version and build, if available.
- Device and OS version (for example: iPhone model and iOS version).
- Any relevant wallet addresses, transaction IDs, or multisig identifiers.
Rewards
Nova may offer monetary rewards for valid reports that:
- Demonstrate a clear, exploitable impact on Nova multisig security.
- Fall within the In Scope categories defined above.
- Are reported privately and responsibly through the official form.

Rewards are:
- Severity-based and determined at Nova’s sole discretion.
- Paid only after verification and remediation of the issue.
- Not paid for duplicate reports of an issue that has already been reported by another researcher.
- Discussed and arranged individually with the researcher after validation (no fixed, pre-published payout amounts).
Disclosure Rules
By participating in this program, you agree to:
- No public disclosure of the vulnerability or related details until Nova confirms that a fix has been deployed or explicitly authorizes disclosure.
- No exploitation beyond what is necessary for proof of concept:
  - Do not attempt to move, withdraw, or otherwise access funds that do not belong to you.
  - Do not intentionally disrupt service availability or degrade the experience for other users.
- No access to third-party data or accounts beyond what is necessary to demonstrate the vulnerability.
- No spam or automated submissions, including bulk scanning without a clear, well-documented finding.
Legal Safe Harbor
Nova is committed to supporting good-faith security research on our multisig systems. If you:
- Make a good-faith effort to comply with this policy,
- Limit testing to the scope defined above,
- Avoid privacy violations, destruction of data, or service degradation, and
- Report findings promptly and privately through the official form,
This program is intentionally scoped. Reports unrelated to multisig security will be closed without response.