We want to ensure our partners can rely on OST blockchain technology to launch their own Branded Token and manage token economies. Therefore, the security of OST technology and all OST-powered crypto assets is a top priority. We are launching our first Mainnet bounty program with more than 400,000 OST available for eligible vulnerability reports.

This bounty challenges any participant to find a security vulnerability that allows him/her to transfer OST that is staked on Ethereum Mainnet to any unintended address. Additional bounties are available for eligible vulnerability submissions with a detailed step-by-step report on how to reproduce the challenge. We will evaluate each reported security issue and will award tokens based on the severity of each verified vulnerability.

Last week, we launched the first version of OST KIT on Mainnet — our developer toolkit for staking OST and minting Branded Tokens. 12 OST partners staked real OST and minted Branded Tokens on Mainnet: Unsplash, Gushcloud, Connectscale, Tribecoin, Traipse, LGBT Foundation (Hornet), Fainin, License.rocks, Radmule, Twilala, Touriocity, and Rlay.

We also created an economy “Bounty Coin” on OST KIT Mainnet Alpha 1 and staked 300,000 OST to mint approximately one million Bounty Coin on a utility chain.

We are looking for vulnerabilities in the areas listed under the bounty scope below.

Awards

300,000 OST — Awarded to the contestant who can manage to transfer tokens from the Simple Stake Contract address to an unintended wallet.

100,000 OST — Awarded for reporting the vulnerability (described above) with a detailed description and step-by-step process for reproducing the challenge.

10,000+ OST — Awarded for eligible bug and vulnerability submissions. There is no limit on the number of rewards, and individuals can earn multiple rewards by submitting qualifying bugs and vulnerabilities.

Eligible Reports

A vulnerability that allows for the transfer of the staked OST on Ethereum Mainnet to an unintended address.

A vulnerability that allows users to transfer Bounty Coins placed in the OST KIT Mainnet Alpha 1 account to an unintended address.

A vulnerability which can be exploited to bring down or take control of the OST KIT user’s account without direct access to the machine. Extensive DDOS attacks excluded.

A vulnerability that would result in any of the services (KIT, API, VIEW) being unusable for users. Extensive DDOS attacks excluded.

A vulnerability that compromises the contract behavior and allows unintended transfer of tokens.

A vulnerability that compromises private keys of addresses managed by OST KIT.

A vulnerability relating to technology built by OST over OpenST Protocol 0.9.2.

Any vulnerability that compromises the data APIs of OST VIEW.

A vulnerability that allows users to obtain access to other users’ API keys.

Bounty Scope

We would like to learn about security bugs and vulnerabilities in the following areas:

Out of Bounty Scope

Any domain or property of OST not listed in the targets section is out of scope, including but not limited to OST websites (ost.com, view.ost.com, kit.ost.com) and OST KIT UI issues.

Prerequisites

You can find the Utility Chain Syncing script here.

Here is a list of the value chain contract addresses:

• Simple Stake for OST Prime: 0x5caaaee865f994bef3421507a278b42c5e26643a
• Simple Stake for Bounty Coin: 0x5fBfEDE90ff3799F466A1997bA68B4fa18e82956
• OpenSTValue: 0x62EDb11263cD775D549a9d9E38980014DBbFdeDD
• Value Core Contract: 0xf8530666572C3CA966247Cc39C4f60bE37A5c168
• Value Registrar: 0xD184c79481774A4c2Ea2DAD4d14F9C6396e17C65
• Simple Token Contract Address: 0x2C4e8f2D746113d0696cE89B35F0d8bF88E0AEcA

Utility Chain Contract Addresses: