openANX Bug Bounty Program
Major bugs will be rewarded with up to 5000 OAX tokens. Much higher rewards (up to 10000 OAX tokens) are possible for very severe vulnerabilities. The bounty program will be capped at 50000 OAX tokens.
Most of the rules on https://bounty.ethereum.org apply. For example: first come, first served. Issues that have already been submitted by another user or are already known to the team (such as these) are not eligible for bounty rewards.
Scope of Bug Bounty Program
Examples of what’s in scope
- Being able to obtain more tokens (OAX) than expected
- Being able to obtain OAX from someone without their permission
- Bugs that allow the owner to lose control of the smart contract during the token sale period
- Bugs causing a transaction to be sent that was different from what a user confirmed: for example, a user transfers 10 OAX but the amount transferred wasn’t exactly 10.
The bug bounty ends on 21st June, 2017.
Responsible Disclosure Policy
If you comply with the policies below when reporting a security issue to us, we will not initiate a lawsuit or law enforcement investigation against you in response to your report.
We ask that:
- You give us reasonable time to investigate and mitigate an issue you report before making public any information about the report or sharing such information with others.
- You make a good faith effort to avoid privacy violations and disruptions to others, including (but not limited to) destruction of data and interruption or degradation of our services.
- You do not exploit a security issue you discover for any reason. (This includes demonstrating additional risk, such as attempted compromise of sensitive company data or probing for additional issues.)
- You do not violate any other applicable laws or regulations.
Don’t forget to include your ETH address so you can be rewarded (if more than one address is specified, only one will be used, at the discretion of the bounty program administrators).
Anonymous submissions are welcome.
For questions, use the Slack here.
Credits: This bounty program borrowed heavily from the Gnosis bounty program design.