Bug Bounty Program

Our Bug Bounty Program allows us to recognize and reward members of the community for helping us find and address significant bugs, in accordance with the terms of the Bug Bounty Program set out below.

Although our team of experts has made every effort to squash all the bugs in our systems, there's always the chance that we might have missed one posing a significant vulnerability. If you discover a bug, we appreciate your cooperation in responsibly investigating and reporting it to us so that we can address it as soon as possible. For significant bugs we offer reward and recognition.

Policy

If you comply with the policies below when reporting a security issue, we will not initiate a lawsuit or law enforcement investigation against you in response to your report. We ask that:

You give us reasonable time to investigate and mitigate an issue that you report before making any information about the report public or sharing such information with others.
You do not exploit a security issue that you discover for any reason.
You do not interact with an individual account (which includes modifying or accessing data from the account) if the account owner has not consented to such actions.
You do not intentionally violate any other applicable laws or regulations, including (but not limited to) laws and regulations prohibiting the unauthorised access to data.
You make a good faith effort to avoid privacy violations and disruptions to others, including (but not limited to) unauthorised access to or destruction of data, and interruption or degradation of our services.
For the purposes of this policy, you are not authorised to access user data or company data, including (but not limited to) personally identifiable information and data relating to an identified or identifiable natural person.

Terms and Conditions

OPEN Chain project is blockchain-related source code located in GitHub repository https://github.com/OpenFuturePlatform/open-chain.
Check the list of bugs that have been reported. The bug must be original and previously unreported.
The bug must be a part of OPEN Chain code, not the third party code.
Submissions without clear reproduction steps may be ineligible for a reward.
You must not exploit the security vulnerability for your own gain.
You must not be an employee of OPEN Chain team.
All reward amounts are determined by our severity guidelines.
Medium, high, and critical severity issues will be written on the Bug Bounty site. We don’t post write-ups for low severity vulnerabilities.

You must be at least 18 years old or have reached the age of majority in your jurisdiction of primary residence and citizenship to be eligible to receive any monetary compensation as a Researcher.

By utilizing our Website you agree that you are not:

A citizen or resident of a country in which use or participation is prohibited by law, decree, regulation, treaty or administrative act;

A citizen or resident of, or located in, a country or region that is subject to U.S. or other sovereign country sanctions or embargoes;

An individual or an individual employed by or associated with an entity identified on the U.S. Department of Commerce’s Denied Persons or Entity List, the U.S. Department of Treasury’s Specially Designated Nationals or Blocked Persons Lists, or the Department of State’s Debarred Parties List or otherwise ineligible to receive items subject to U.S. export control laws and regulations, or other economic sanction rules of any sovereign nation.

Risk Levels

Risk levels were divided incrementally as: Critical, Severe, Moderate, Low.
Bounty rewards were linked to these risk levels as follows:

Targets:

OPEN Chain

OPEN API

GitHub Repository

Non-targets:

Any property of OPEN not listed in the targets section is out of scope.

Critical

Severe

Moderate

Low

Level 1

250,000-500,000 OPEN

Level 2

100,000 - 250,000 OPEN

Level 3

25,000 - 100,000 OPEN

Level 4

1000 - 25,000 OPEN

Potential systematic flaws, including access to server, access to data, access to website administration, transaction manipulations etc.

Potential risks of leaks or manipulation of user accounts: private keys, user’s sensitive information and data etc.

Potential leaks of system’s sensitive information, source code etc.

Risks of having negative impact on transaction speed of main net or loss of crypto assets.

Risks of being unable to implement transactions.

Leaks of insensitive information of users that may not cause direct loss of assets.

Problems of user experience of OPEN main net.

Report

Before making a report, please read the program rules above.
Include the information from the template into Bug Bounty Report.

Vulnerability Classifications

OPEN Chain logic subversion.

Wallet vulnerabilities which undermine security of user or validator funds.

Vulnerabilities surrounding wallet downloads, key generation, wallet recovery, and transaction signing.

Sybil Attacks on OPEN Chain.

DDoS Attacks on OPEN website.

Security threats surrounding OPEN Chain Explorer.

Scaffold deployment manipulation.

Template of Bug Bounty Report:

Ineligible Issues

Vulnerabilities without proper evidence

Property not belonging to OPEN

Vulnerability Submission

Format

Title of Vulnerability

Affected Asset

Description

Vulnerability impact (In relation to OWASP)

PoC

Solution

Once the issue has been created OPEN team will review the information and assign a severity level.

You will be asked to send proof of identity and get rewarded from the bug bounty wallet created for this program.

Email to bugbounty@openfuture.io (Encrypt via PGP)