The NORX Bug Bounty Program

February 18, 2016

Are you a cryptanalysis-ninja with differentials, boomerangs, and bicliques being your weapons of choice? Do you know what IND-CPA, IND-CCA{1,2}, and INT-{P,C}TXT actually mean and that querying random oracles has nothing to do with randomly visiting astrologers? Or do your hacker-friends celebrate you as the personified american fuzzy lop?

Well, if you answered yes to any of these questions and are up for a challenge, then head over to and find some bugs in one (or all) of the following categories:

  • Bugs in the NORX algorithm (a.k.a. cryptanalysis)
  • Bugs in the NORX security proofs (evidence of a wrong proof and/or a wrong result)
  • Bugs in the NORX source code (software bugs or inconsistencies with the specs)

If you answered no but are nevertheless up for a challenge, then head over to the NORX website too and give it a try, as in each category you can win a bounty of $250! In order to get a reward, your submission has to be the winning entry in one of the above categories.

The deadline for submissions is May 31 July 31, 2016 at 23:59 (UTC+01:00). Send your findings to and we will tell you if your result is eligible. The winners of the bug bounty program will be announced in the first week of June August, 2016.

Happy hunting!

The NORX team

Acknowledgements: The NORX bug bounty program would not have been possible without our generous sponsors. We thank Bryan Ford, head of EPFL’s Decentralized and Distributed Systems Lab, and Kudelski Security, for providing financial support.

Update (June 1, 2016): Extended the submission period.