🎯 What We’re Looking For

Core Trading Vulnerabilities:
  • Order matching engine exploits that could manipulate trade execution
  • Liquidation mechanism failures that could lead to unfair liquidations
  • Oracle price feed manipulation affecting asset valuations
  • Smart contract reentrancy or logic flaws in trading pairs
Infrastructure Vulnerabilities:
  • API endpoint vulnerabilities that could expose user data
  • Authentication bypasses in user account management

📝 How to Submit

Required Report Format:
  • Executive summary with impact assessment
  • Detailed technical analysis with code references
  • Step-by-step reproduction guide
  • Proof of concept demonstrating the exploit
  • Suggested mitigation strategies
Submission Process:
  1. Create a ticket in our Discord server
  2. Include “Bug Bounty Submission” in the ticket title
  3. Allow 48 hours for initial response
  4. We’ll work with you on a responsible disclosure timeline

💰 Reward Categories

Critical Severity:
  • Direct loss of user funds through smart contract exploits
  • Complete trading engine compromise
  • Oracle manipulation leading to massive liquidations
  • Bridge vulnerabilities allowing fund theft
  • Violation of core protocol invariants
High Severity:
  • Partial fund loss or temporary trading suspension
  • Authentication bypasses with high impact
  • Data exposure affecting multiple users
  • Network consensus issues
  • Oracle manipulation leading to unfair liquidations
Medium Severity:
  • UI/UX vulnerabilities with security implications
  • API rate limiting bypasses
  • Minor smart contract edge cases
  • Performance issues affecting trading
  • Database injection attacks
Low Severity:
  • Informational disclosures
  • Minor configuration issues
  • Documentation improvements with security value
  • Non-critical UI/UX bugs with security implications
Rewards are determined based on severity, impact, and likelihood of occurrence.

🚫 What’s Not Allowed

  • Social engineering or phishing attempts
  • DDoS attacks (load testing is fine)
  • Testing third-party integrations we don’t control
  • Demanding ransoms or making threats
  • Public disclosure before we’ve fixed the issue
  • Exploiting bugs for personal gain beyond rewards

✅ Who Can Participate

  • Must provide clear, reproducible findings
  • Must maintain confidentiality until authorized disclosure
  • Must comply with any required KYC procedures
  • Must submit through Discord ticket system

❌ What We Won’t Reward

  • Reports without clear reproduction steps
  • Issues requiring unrealistic user behavior
  • Problems with outdated software we don’t support
  • Third-party bugs not directly affecting Ostrich
  • Non-security issues (performance, UI bugs)
  • Theoretical vulnerabilities without practical impact

📋 Our Commitment

  • We’ll respond to all submissions within 48 hours
  • We’ll work with you on responsible disclosure
  • We’ll provide clear feedback on why submissions are accepted/rejected
  • We’ll maintain transparency about program updates
  • We deeply value the security research community

🔗 Get Started

Ready to help secure the future of DeFi? Create a ticket in our Discord and start contributing to Ostrich’s security today. For questions about the bug bounty program, reach out to our security team through the Discord channel.