Obyte

Rewards are distributed according to the impact the vulnerability could otherwise cause based on the Impacts in Scope table further below.

Repeatable Attack Limitations

Given that the reward for High is flat, there is no distinction between a one-time attack and an attack that is repeated and the reward stays the same.

Restrictions on Security Researcher Eligibility

Security researchers who fall under any of the following are ineligible for a reward:

• Compensated team members of the Obyte Foundation
• Employees and team members of third-party suppliers to an Obyte Foundation affiliate that operate in a technical capacity and have assets covered in this bug bounty program

Reward Calculation for Critical Level Reports

For Blockchain/DLT bug reports, in order to qualify for the reward of USD 50 000, the bug reported must be able to cause unrecoverable total network shutdown of the entire Obyte network or allow the unpermitted execution of transactions from accounts of other users without their private keys. All other critical bug reports are capped at a flat rate of USD 2 500.

Other Restrictions

For all impacts directly involving funds being lost, the minimum impact is USD 1 000. Anything below is considered out-of-scope.

The web/app impacts of “Stealing User Cookies” and “Bypassing Authentication” are only accepted if they result in a loss of at least USD 1 000. The web/app impact of “Ability to execute system commands” is only accepted if the actions are done as root.

Poc Requirements All web and app bug reports must come with a PoC. All bug reports submitted without PoC will be rejected with instructions to provide PoC.

Payouts are handled by the Obyte Foundation directly and are denominated in USD. The payout can be completed in GBYTE, BTC, or USDT.