# Bug Bounties

Origin Protocol's bug bounty program has been active since November 2021 and is administered through Immunefi. The program offers a maximum reward of $1,000,000 for critical vulnerabilities, with payouts scaling based on severity, report quality, and the assistance provided. To date, Origin Protocol has paid out over $80,000 to qualified reporters. Origin Protocol maintains one of the shortest average response times on Immunefi, with an average first response of 8 hours. Full scope, eligibility criteria, and reward tiers are available at the Immunefi program page.

View the full bounty scope: 

{% embed url="<https://immunefi.com/bug-bounty/originprotocol/>" %}

{% hint style="warning" %}
To be eligible for a bug bounty, you must follow the rules of Responsible Disclosure outlined below.
{% endhint %}

### **Responsible Disclosure**

Security is our top priority and we've made every effort to ensure our code is secure and works as intended. However, vulnerabilities large and small can have gone undetected.

If you discover a vulnerability, please inform us immediately so we can take steps to address it as quickly as possible.

* Report your findings to <security@originprotocol.com> or contact us on [Immunefi](https://immunefi.com/bug-bounty/originprotocol/). We have provided an example of a [well-written disclosure](https://gist.github.com/DanielVF/66f459da88804d1fd917c47576c68523).
* Do not take advantage of the vulnerability or problem you have discovered.
* Do not reveal the problem to others until it has been resolved.
* Do not use attacks on physical security, social engineering, distributed denial of service, spam, or applications of third parties.
* Do provide sufficient information to reproduce the problem so we can resolve it quickly. We may ask you for additional details in the case of complex vulnerabilities.

In return, we promise:

* We will respond to your report within three business days with our evaluation of the report and the expected resolution date.
* If you have followed the instructions above, we will not take any legal action against you regarding the report.
* We will handle your report with strict confidentiality and will not pass your personal details on to third parties without your permission.
* If you so wish, we will keep you informed of the progress toward resolving the problem.
* In the public information concerning the problem reported, we will give your name as the discoverer of the problem (unless you desire otherwise).
* As a token of our gratitude for your assistance, we offer a reward for every report of a security problem that was not yet known to us. The amount of the reward will be determined based on the severity of the leak, the quality of the report, and any additional assistance you provide.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.originprotocol.com/security-and-risk/bug-bounties.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.