Skip to main content

Bug Bounty

A public bug bounty program rewards security researchers for responsibly disclosing vulnerabilities that could affect OXN or its users.

Status

The bug bounty program has not yet launched. Scope, reward tiers, and submission process will be published prior to mainnet. In the interim, security issues can still be reported responsibly — see Reporting Security Issues.

Anticipated scope

When launched, the program is expected to cover:

  • Protocol vulnerabilities — bugs in the OXN runtime that allow confidentiality bypass, unauthorized state changes, consensus failures, or economic exploits.
  • Client SDK vulnerabilities — bugs in the SDKs that could lead to incorrect encryption, key exposure, or client-side attacks.
  • Public infrastructure vulnerabilities — bugs in the OXN-operated RPC endpoint, block explorer, faucet, and web wallet.

Application-layer bugs (issues in dApps built on OXN) are typically covered by those dApps' own bounty programs, not OXN's.

Anticipated reward tiers

Rewards will scale with severity. Exact numbers TBD; industry norms are:

  • Critical (fund loss, consensus break, mass confidentiality breach) — substantial rewards.
  • High (targeted confidentiality breach, DoS of the network) — moderate rewards.
  • Medium (unexpected reverts, RPC method bugs) — smaller rewards.
  • Low (documentation errors, UX issues) — small rewards or acknowledgment.

Out of scope (typical)

  • Denial of service via straightforward volume attacks.
  • Issues that require compromised SGX firmware to exploit.
  • Issues in third-party dApps.
  • Social engineering.

While the program is not yet live

Please still report responsibly through the Reporting Security Issues channel. Researchers whose reports are validated will be credited, and eligible reports will be considered for retroactive rewards once the program launches.

Next steps