Our Bug Bounty Program allows us to recognize and reward members of the community for helping us find and address significant bugs, in accordance with the terms of the Bug Bounty Program set out below.
Although our team of experts has made every effort to squash all the bugs in our systems, there's always the chance that we might have missed one posing a significant vulnerability. If you discover a bug, we appreciate your cooperation in responsibly investigating and reporting it to us so that we can address it as soon as possible. For significant bugs, we offer rewards and recognition.
If you comply with the policies below when reporting a security issue, we will not initiate a lawsuit or law enforcement investigation against you in response to your report. We ask that:
You must be at least 18 years old or have reached the age of majority in your jurisdiction of primary residence and citizenship to be eligible to receive any monetary compensation as a Researcher.
A citizen or resident of a country in which use or participation is prohibited by law, decree, regulation, treaty or administrative act;
A citizen or resident of, or located in, a country or region that is subject to U.S. or other sovereign country sanctions or embargoes;
An individual or an individual employed by or associated with an entity identified on the U.S. Department of Commerce’s Denied Persons or Entity List, the U.S. Department of Treasury’s Specially Designated Nationals or Blocked Persons Lists, or the Department of State’s Debarred Parties List or otherwise ineligible to receive items subject to U.S. export control laws and regulations, or other economic sanction rules of any sovereign nation.
Risk levels were divided incrementally as: Critical, Severe, Moderate, Low.
Bounty rewards were linked to these risk levels as follows:
Any property of OPEN not listed in the targets section is out of scope.
100,000 - 250,000 OPEN
25,000 - 100,000 OPEN
1,000 - 25,000 OPEN
Potential systematic flaws, including access to servers, access to data, access to website administration, transaction manipulation, etc.
Potential risks of leaks or manipulation of user accounts: private keys, users' sensitive information and data, etc.
Potential leaks of sensitive system information, source code, etc.
Risks of a negative impact on the transaction speed of the main net or of loss of crypto assets.
Risks of being unable to implement transactions.
Leaks of non-sensitive user information that may not cause direct loss of assets.
User experience problems on the OPEN main net.
Before making a report, please read the program rules above.
Include the information from the template in your Bug Bounty Report.
OPEN Chain logic subversion.
Wallet vulnerabilities which undermine security of user or validator funds.
Vulnerabilities surrounding wallet downloads, key generation, wallet recovery, and transaction signing.
Sybil Attacks on OPEN Chain.
DDoS Attacks on OPEN website.
Security threats surrounding OPEN Chain Explorer.
Scaffold deployment manipulation.
Template of Bug Bounty Report:
Vulnerabilities without proper evidence
Property not belonging to OPEN
Title of Vulnerability
Vulnerability impact (in relation to OWASP)