Bug Bounties

Bug Bounties

Bug bounties are granted at the full discretion of Origin Protocol. The rewards range in size from $100 OUSD for minor issues to $1,000,000 OUSD for major critical vulnerabilities. Currently, the bounty program only applies to OUSD and OETH and not other products from Origin. Our bug bounty program is currently administered by Immunefi.

To be eligible for a bug bounty, you must follow the rules of Responsible Disclosure outlined below.

Responsible Disclosure

Security is our top priority and we've made every effort to ensure our code is secure and works as intended. However, vulnerabilities large and small can have gone undetected.

If you discover a vulnerability, please inform us immediately so we can take steps to address it as quickly as possible.

  • Report your findings to security@originprotocol.com or contact us on Immunefi. We have provided an example of a well-written disclosure.

  • Do not take advantage of the vulnerability or problem you have discovered.

  • Do not reveal the problem to others until it has been resolved.

  • Do not use attacks on physical security, social engineering, distributed denial of service, spam, or applications of third parties.

  • Do provide sufficient information to reproduce the problem so we can resolve it quickly. We may ask you for additional details in the case of complex vulnerabilities.

In return, we promise:

  • We will respond to your report within three business days with our evaluation of the report and the expected resolution date.

  • If you have followed the instructions above, we will not take any legal action against you regarding the report.

  • We will handle your report with strict confidentiality and will not pass your personal details on to third parties without your permission.

  • If you so wish, we will keep you informed of the progress toward resolving the problem.

  • In the public information concerning the problem reported, we will give your name as the discoverer of the problem (unless you desire otherwise).

  • As a token of our gratitude for your assistance, we offer a reward for every report of a security problem that was not yet known to us. The amount of the reward will be determined based on the severity of the leak, the quality of the report, and any additional assistance you provide.

Last updated