Announcing OMG Network’s Bug Bounty Program

In Blog, Engineering, OMG Network by OMG Network

Today, OMG Network is launching a bug bounty program to reward researchers up to $25,000 for finding security vulnerabilities on the OMG Network!

The OMG Network allows developers to build scalable, decentralized payments apps on a high-throughput value transfer layer. As a financial network, we treat security as a core tenet of all our engineering efforts; however, we realize no technology is perfect!

That’s why we’ve launched a bug bounty program allowing participants to identify and submit vulnerabilities that could negatively impact OMG Network users. Successful submissions have a chance of being eligible for bounty rewards of up to $25,000.

What’s In Scope?

We have set up a dedicated environment for the bug bounty program that should give participants access to all services without the need to spend any time on installation, setup and configuration. There is also no need to worry about accidentally breaking something as this environment is completely isolated from our production services. The bug bounty environment also has a shorter finalization time than the production environment to help participants better test the exit flows.

With the launch of the bug bounty program we put the following components in scope:

Stay tuned for updates on the scope as we are planning to include other components soon.

Issues We’re Interested In


We appreciate hackers and security researchers taking time to identify vulnerabilities in our systems. We’re determined to review and fairly reward submissions based on the risk that the vulnerability poses to the OMG Network.

Here are some ideas for issues that we regard as high-value submissions: 

  • Compromise funds from users who have deposited or received funds on the OMG network
  • Prevent users from depositing, withdrawing or transacting funds on the OMG network
  • Double spend a UTXO on the Plasma network and exit it to the root chain (Ethereum) without raising a byzantine event
  • Include invalid transactions in a block without the watcher raising byzantine events
  • Brick the exit priority queue of a token so that no funds can be exited anymore. The token must be ERC20-conformant.
  • Gain access to a system and run OS commands (i.e., get a shell)

The list is not meant to limit or discourage other types of submissions but should give you clarity on the problems we deem important.

Bounty Rewards


Rewards are based on the severity of the issue and are determined in USD. Participants may choose to receive their bounty reward in the equivalent amount of ETH or OMG tokens. We generally use the CVSSv3 scoring system to understand the risk of an issue. This may not always be the right basis for determining the bounty reward, though, especially for the smart contracts.

The following table gives an overview of the reward structure:

Component     Low   Medium   High   Critical
Primary*      $0    $0       $0     $0
Secondary**   $0    $0       $0     $0

* The plasma-contracts, the child chain and the watcher
** Any other components in scope that are not primary components

Ready, Set, Go!


Head over to the program page to get started! Thank you for helping keep the OMG network safe and let us know if you have questions at bounty@omg.network.

Happy hacking!
OMG Network
