The Opium bug bounty program supports a community-led effort to improve the on-chain security of the OPIUM Protocol. Contributors who make valuable security discoveries – such as detecting a previously unknown smart contract bug – will be awarded a bounty according to the rules outlined below.
The rules below are adopted from the Ethereum Foundation’s bug bounty program rules and apply to the Opium Protocol bug bounty program:
Issues that have already been submitted by another user or are already known to the Opium team are not eligible for bounty rewards.
Public disclosure of a vulnerability makes the reported bug ineligible for a bounty.
The Opium core development team, core units, contributors, and all other people paid by Opium Ecosystem, directly or indirectly (including the external auditors), are not eligible for rewards.
Submissions should be within the Bounty scope, outlined below.
Attack vectors that affect the off-chain components of the architecture are outside the scope of the bounty program, but their submission is still welcome. Examples of such threats are:
Vulnerabilities in the supported third-party wallets
Furthermore, smart contract bugs that do not lead to a loss of funds might be classified as not posing any threat and thus not be eligible for the bounty.
The scope of the present bounty is focused solely on smart contracts developed by the Opium core contributors for the Opium Protocol. The list of codebases eligible for the bounty program includes but is not limited to: