Bug Bounty Program
Oak Network runs a bug bounty program to encourage security researchers to find and report vulnerabilities in our protocol.
Program Scope
In Scope
- Smart contracts on Celo mainnet
- Protocol logic and implementation
- Integration vulnerabilities
- Frontend security issues
Out of Scope
- Social engineering attacks
- Physical attacks
- Issues in third-party dependencies
- Issues already known to the team
Vulnerability Severity
Critical (Up to $10,000)
- Direct theft of funds
- Protocol manipulation
- Complete system compromise
High (Up to $5,000)
- Significant fund loss
- Protocol functionality bypass
- Privilege escalation
Medium (Up to $2,000)
- Limited fund loss
- Information disclosure
- Denial of service
Low (N/A, but appreciated)
- Minor issues
- UI/UX problems
- Documentation issues
Reporting Process
1. Discovery
- Find a potential vulnerability
- Verify the issue
- Document the impact
2. Report
- Email: security@oaknetwork.org
- Include a detailed description of the issue
- Provide a proof of concept
- Suggest a remediation
3. Response
- Acknowledgment within 24 hours
- Initial assessment within 72 hours
- Resolution timeline provided to the reporter
4. Resolution
- Issue fixed and verified
- Reward processed
- Recognition provided
Responsible Disclosure
Guidelines
- Do not publicly disclose until fixed
- Do not exploit vulnerabilities
- Do not access others' data
- Follow responsible disclosure timeline
Timeline
- 30 days for initial response
- 90 days for resolution
- Public disclosure after fix
Rewards
Payment
- Rewards paid in USDC
- Minimum reward: $100
- Maximum reward: $10,000
- Payment within 30 days of resolution
Recognition
- Hall of fame listing
- Social media recognition
- Conference speaking opportunities
- Community appreciation
Next Steps
- Security Overview - Complete security documentation
- Security Best Practices - Security guidelines
- Security Checklist - Pre-deployment checklist