Skip to main content

Reporting Security Issues

If you've found a security issue in OXN, please report it privately through the channels below. Public disclosure before a fix is available puts users at risk.

What to report

Report anything that could be used to:

  • Break confidentiality guarantees (read state that should be encrypted).
  • Bypass access control at the protocol or SDK level.
  • Cause loss of funds or unauthorized state changes.
  • Take the network offline or halt consensus.
  • Compromise the enclave or bypass SGX protections.
  • Steal keys from the runtime, SDK, or public infrastructure.

Also welcome:

  • RPC / public infrastructure issues — misconfigurations, DoS vectors, information leaks.
  • SDK bugs that lead to insecure client behavior.
  • Documentation errors that could lead readers to insecure implementations.

Contact

Email: security@bout.network (placeholder — replace with confirmed address)

Include:

  • A clear description of the issue.
  • Steps to reproduce.
  • Suspected severity and impact.
  • Your contact information (if you'd like to be credited).
  • Whether you plan to publish research on this.

PGP encryption (optional but appreciated)

For sensitive reports, encrypt with the OXN security team PGP key. Key ID and fingerprint TBD — check back once the bug bounty program launches.

What happens after you report

  1. Acknowledgment within 3 business days.
  2. Initial triage within 7 business days — we confirm whether the issue reproduces, its severity, and rough remediation approach.
  3. Fix development — depends on complexity; kept in touch with you.
  4. Coordinated disclosure — we agree on a public disclosure date. Standard practice is 90 days from report, extendable if the fix takes longer.
  5. Public credit — we acknowledge you in the fix announcement (unless you prefer to stay anonymous).

What not to do

  • Do not publicly disclose the issue before it is fixed.
  • Do not test on mainnet in ways that could affect other users. Test on testnet or a local devnet.
  • Do not exfiltrate data beyond what's necessary to demonstrate the issue.
  • Do not extort — we work in good faith with researchers acting in good faith.

Rewards

While the Bug Bounty program is not yet live, reports that meet its anticipated criteria will be considered for retroactive rewards.

Next steps