Bug Bounty

OrangeBit maintains a continuous Bug Bounty Program to proactively identify and remediate vulnerabilities across the protocol stack. The program prioritizes protocol and smart‑contract security, while also covering front‑end, API, infrastructure, and matching‑engine issues. Rewarding responsible disclosure protects users, strengthens the protocol, and fosters a trustworthy ecosystem.

1. Scope

The program covers, but is not limited to:

• Smart contracts (on‑chain logic, access control, reentrancy, economic exploits) — top priority.

• Protocol vulnerabilities (order matching, settlement, margin/funding logic).

• Backend & APIs (authentication, authorization, sensitive data exposure).

• Frontend (phishing vectors, XSS, client‑side logic abuse).

• Infrastructure (nodes, key‑management misconfigurations, CI/CD leaks).

Excluded items (non‑eligible): low‑impact UI typos, publicly known issues already documented, intentionally malicious exploit attempts without prior disclosure, reports lacking reproducible steps.

2. Severity Levels & Reward Ranges (Example)

Reward bands are illustrative. Final reward is determined after triage, based on exploitability, impact, reproducibility, and responsible disclosure timing.

3. Disclosure Process & Workflow

1. Safe & Private Reporting

   • Submit vulnerability reports to the official private channel: [email protected] (PGP key published on docs) or through our HackerOne/Bugcrowd program (if enabled). Do not publish exploit details publicly before remediation.

2. Acknowledgement & Triage

   • We acknowledge receipt within 24 hours.

   • Triage completed within 72 hours for critical issues; medium/low within 7 business days.

3. Fix & Coordination

   • For critical findings, OrangeBit coordinates an emergency response (hotfix, pause, admin interventions) with the reporter and optionally reputable third‑party auditors.

4. Validation & Reward

   • Once patched and validated, the bounty is issued. Reward may be split for collaborative disclosures. Public recognition is optional and only after consent.

5. Disclosure Window

   • Public disclosure is coordinated and typically allowed only after a remediation window (e.g., 30 days for non‑critical; immediate for critical if user safety requires earlier notice).

4. Safe‑Harbour & Legal Protection

OrangeBit offers a good‑faith safe‑harbour for security researchers who:

• Follow the program scope and disclosure guidelines;

• Avoid data exfiltration, loss of funds, or other malicious actions;

• Provide clear, reproducible steps and cooperate in remediation.

This policy does not constitute legal advice. Researchers must comply with their local laws. OrangeBit reserves the right to refuse bounty payment for actions outside the program scope or involving illegal activities.

5. Payouts & Rewards

• Payment Options: USD wire, stablecoin, or $ORANGE tokens (with an agreed USD equivalent). Alternative forms (NFTs, swag, recognition) possible by agreement.

• Tax & Compliance: Bounty recipients are responsible for tax reporting. OrangeBit will provide settlement receipts and transaction records upon request.

• Public Recognition: Winners may be listed on a public Hall of Fame unless anonymity is requested.

6. Operational Practices

• Priority: Protocol & smart contract vulnerabilities receive highest priority; hotfix and emergency coordination protocols are in place.

• Third‑Party Audit Escalation: For critical issues, external auditors may be engaged to validate fixes.

• Coordination with Partners: If a vulnerability affects integrated partners, OrangeBit will coordinate cross‑platform disclosure and mitigation.

• Continuous Program: The bounty program is ongoing and evolves with the protocol; reward bands, scope, and channels will be updated in the security policy.

7. How to Report (Checklist)

When submitting a report, include:

• A clear title and severity estimate;

• Precise reproduction steps and minimal PoC (proof-of-concept) code or transaction hashes;

• Affected contracts/services and environment (mainnet/testnet);

• Suggested remediation or mitigation;

• Contact details and PGP key (optional).

8. Final Notes

OrangeBit values the security research community and will treat reports with confidentiality, fairness, and promptness. Our bounty program is a cornerstone of a responsible, secure launch and ongoing platform stewardship.