Blockchain : OST Mainnet Bounty: Earn 400k+ OST Tokens For Reporting Security Vulnerabilities
We want to ensure our partners can rely on OST blockchain technology to launch their own Branded Token and manage token economies. Therefore, the security of OST technology and all OST-powered crypto assets is a top priority. We are launching our first Mainnet bounty program with more than 400,000 OST available for eligible vulnerability reports.
**This bounty challenges any participant to find a security vulnerability that allows him/her to transfer OST that is staked on Ethereum Mainnet to any unintended address.** Additional bounties are available for eligible vulnerability submissions with a detailed step-by-step report on how to reproduce the challenge. We will evaluate each reported security issue and will award tokens based on the severity of each verified vulnerability.
**Last week, we launched the first version of** [**OST KIT**](https://kit.ost.com/) **on Mainnet** — our developer toolkit for staking OST and minting Branded Tokens. 12 OST partners staked real OST and minted Branded Tokens on Mainnet: [Unsplash](https://mainnetview.ost.com/chain-id/1412/tokendetails/0xa2d39aafab12d2f71df6d2f90f69f3319016184a), [Gushcloud](https://mainnetview.ost.com/chain-id/1412/tokendetails/0x6d1ebbca8c99ea19c204dde86bdc1fb6e555d56c), [Connectscale](https://mainnetview.ost.com/chain-id/1412/tokendetails/0x71e446f536d0f3e4df70970d6aea1a681b43ad12), [Tribecoin](https://mainnetview.ost.com/chain-id/1412/tokendetails/0x749121c777b86dc8176b8b54744c72d8a95a162b), [Traipse](https://mainnetview.ost.com/chain-id/1412/tokendetails/0x856a539f5752d9f8d20a8a982a2d2a78efd0a2d6), [LGBT Foundation (Hornet)](https://mainnetview.ost.com/chain-id/1412/tokendetails/0xde8d90469dd13ffc088d6e0f333e554ba85cad65), [Fainin](https://mainnetview.ost.com/chain-id/1412/tokendetails/0xcf70142bf71baf0fb83eecc29b412b452b011314), [License.rocks](https://mainnetview.ost.com/chain-id/1412/tokendetails/0x0a3d0dbfda154187a0cd27fa4d398ccc6a97dbf9), [Radmule](https://mainnetview.ost.com/chain-id/1412/tokendetails/0x6a54f0a754e8540e658bef007a32d807ef664a70), [Twilala](https://mainnetview.ost.com/chain-id/1412/tokendetails/0xc9d145bad104667782c42a878ae682c5396180e1), [Touriocity](https://mainnetview.ost.com/chain-id/1412/tokendetails/0x91a712eeb314410066ffa122f8d2e510ad6a847f), and [Rlay](https://mainnetview.ost.com/chain-id/1412/tokendetails/0x6824068d83e1072f425b810b1befec55504189b6).
#### We also created an economy “[Bounty Coin](https://mainnetview.ost.com/chain-id/1412/tokendetails/0xbe5b185bb0fc7493a168da19f576e482b6444c19)” on OST KIT Mainnet Alpha 1 and staked 300,000 OST to mint approximately one million Bounty Coin on a utility chain.
We are looking for vulnerabilities in the areas listed under the bounty scope below.
* 300,000 OST — Awarded to the contestant who can manage to transfer tokens from the Simple Stake Contract address to an unintended wallet.
* 100,000 OST — Awarded for reporting the vulnerability (described above) with a detailed description and step-by-step process for reproducing the challenge.
* 10,000+ OST — Awarded for eligible bug and vulnerability submissions. There is no limit to the number of rewards, and individuals can earn multiple rewards by submitting qualifying bugs and vulnerabilities.
#### Eligible Reports
* A vulnerability that allows for the transfer of the staked OST on Ethereum Mainnet to an unintended address.
* A vulnerability that allows users to transfer Bounty Coins placed in the OST KIT Mainnet Alpha 1 account to an unintended address.
* A vulnerability which can be exploited to bring down or take control of the OST KIT user’s account without direct access to the machine. Extensive DDOS attacks excluded.
* A vulnerability that would result in any of the services (KIT, API, VIEW) being unusable for users. Extensive DDOS attacks excluded.
* A vulnerability that compromises the contract behavior and allows unintended transfer of tokens.
* A vulnerability that compromises private keys of addresses managed by OST KIT.
* A vulnerability relating to technology built by OST over OpenST Protocol 0.9.2.
* Any vulnerability that compromises the data APIs of OST VIEW.
* A vulnerability that allows users to obtain access to other users' API keys.
#### Bounty Scope
We would like to learn about security bugs and vulnerabilities in the following areas:
1. OpenST Protocol 0.9.2 Smart Contracts and node.js packages including [Mosaic Contracts and Tree Release AM1](https://github.com/OpenSTFoundation/mosaic-contracts/tree/release-am1), [OpenST AM1](https://github.com/OpenSTFoundation/openst-am1), [OpenST Payments](https://github.com/OpenSTFoundation/openst-payments), and [OST Price Oracle](https://github.com/OpenSTFoundation/ost-price-oracle).
2. OST KIT including [Mainnet KIT](https://mainnetkit.ost.com/)
3. OST API including [Mainnet API v1.1](https://mainnetapi.ost.com/v1.1) and [Mainnet Dev](https://mainnetdev.ost.com/)
4. OST VIEW including [Mainnet View](https://mainnetview.ost.com/) and [OpenST Explorer](https://github.com/OpenSTFoundation/openst-explorer)
#### Out of Bounty Scope
Any domain or property of OST not listed under Bounty Scope above is out of scope, including but not limited to OST websites ([ost.com](https://ost.com/), [view.ost.com](https://view.ost.com/), [kit.ost.com](https://kit.ost.com/)) and OST KIT UI issues.
You can find the Utility Chain Syncing script [here](https://s3.amazonaws.com/assets.simpletoken.com/scripts/setup_uc_1412_node.sh).
#### Here is a list of the value chain contract addresses:
* Simple Stake for OST Prime: 0x5caaaee865f994bef3421507a278b42c5e26643a
* Simple Stake for Bounty Coin: 0x5fBfEDE90ff3799F466A1997bA68B4fa18e82956
* OpenSTValue: 0x62EDb11263cD775D549a9d9E38980014DBbFdeDD
* Value Core Contract: 0xf8530666572C3CA966247Cc39C4f60bE37A5c168
* Value Registrar: 0xD184c79481774A4c2Ea2DAD4d14F9C6396e17C65
* Simple Token Contract Address: 0x2C4e8f2D746113d0696cE89B35F0d8bF88E0AEcA
#### Utility Chain Contract Addresses:
* OpenSTUtility Contract: 0x37D014adb3D52e132877F6Feca00b81e95544C8C
* Utility Registrar Contract Address: 0xA46a92067322d8a060eeB13B2c184639D3C87816
* Bounty Coin Branded Token Address: 0xbe5b185bb0fc7493a168da19f576e482b6444c19
* Price Oracle Contract Address: 0x1e6e9EF185aD2f1dcAFA263f26DecA1FAC64603c
* OST Prime Contract Address: 0x7Ae71fE9e16A0AEEA63933cf4EB88f6c24A9723B
### Bounty Rules
* No spam or distributed denial of service (DDOS) attacks.
* No violations of the privacy of other users or destruction of data.
* No disclosing of vulnerabilities to the public. Participants **must** report vulnerabilities to OST only, as described in this post. Participants must allow for a reasonable response time from OST.
* Vulnerabilities which have already been submitted or are already known to OST are not eligible. **Once the OST team has confirmed the presence of the vulnerability and is prepared to publish information to help mitigate the risk, we will list the vulnerability submissions** [**here**](https://help.ost.com/support/discussions/forums/35000250252)**.**
* Employees of OST are not eligible to participate.
* Any party (including but not limited to an individual, employee, consultant or company) working directly or indirectly on behalf of/for OST is not eligible to participate in the OST Mainnet Bounty Challenge.
* Anyone engaged to review or audit OST code in exchange for remuneration is not eligible to participate.
* OST may cancel this program at any point in time at its sole discretion.
* Awards are at the discretion of the OST team.
* Each bug or vulnerability will be considered for an award only once.
* Rewards are not available to users from [countries subject to OFAC sanctions](https://www.treasury.gov/resource-center/sanctions/Programs/Pages/Programs.aspx).
Submit any eligible bug or vulnerability via [email@example.com](mailto:firstname.lastname@example.org). Contact [email@example.com](mailto:firstname.lastname@example.org) with any questions. Please include the following in your submission:
1. Summary: A one- or two-line summary of the bug or vulnerability.
2. Description: Describe the scenario. What were you trying to do? What is the possible impact? OST will be awarded to clear, well-written submissions that can help us quickly reproduce the vulnerability.
3. Product: OST KIT / OST API / OST VIEW / OpenST Protocol 0.9.2
4. Affected Files: If you found the bug or vulnerability in the open source code, please share the affected files.
5. Detailed steps to reproduce: Please include snippets of logs, test code, scripts and detailed instructions on how to reproduce the vulnerability. How would we reproduce the bug or vulnerability faster?
6. Fix: Please suggest a solution for the vulnerability.
#### The OST Mainnet Bounty Challenge will end on Sunday, September 30, 2018, at 1pm UTC. Bounties will be issued in October 2018.
#### About OST
[OST](https://ost.com/?utm_source=medium) blockchain infrastructure empowers new economies. OST is a public blockchain platform designed for the needs of businesses with millions of users. Launch your own Branded Tokens with OST technology and turn your business into a dynamic ecosystem. OST is built on the OpenST Protocol, a framework for building highly scalable blockchain token economies. OST has offices in Berlin, New York, Hong Kong, and Pune. For more information, please visit: [https://ost.com](https://ost.com/).