OpenSea is building the most trusted and inclusive NFT marketplace with the best selection. Trust, safety and security are core areas of focus, which means that finding and eliminating vulnerabilities is a top priority. We value our partnership with the vulnerability hunting community, and as such we ensure all reports are reviewed by security experts and acted upon appropriately.
Response Targets
OpenSea and its affiliates will make a best effort to meet the following SLAs for hackers participating in our program:
| Type of Response | SLA in business days |
|---|---|
| First Response | 4 days |
| Time to Triage | 4 days |
| Time to Resolution | depends on severity and complexity |
| Time to Bounty (After Resolution) | 25 days |
We try to be transparent and will take steps to actively keep reporters in the loop regarding the progress of their report throughout the process.
A vulnerability report will be considered resolved when any actual vulnerability has been fully addressed and no further action is required by OpenSea to resolve the vulnerability.
Program Rules
Please carefully review these rules, as they will govern any report you submit.
Reports
Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the report will not be eligible for a reward. Please consider (1) attack scenario / exploitability, and (2) security impact of the vulnerability.
- Researchers may only submit one vulnerability per report, unless there is a need to chain vulnerabilities to provide impact.
- When multiple researchers identify and report the same underlying issue, OpenSea will award any applicable bounty to the first eligible report that was received.
- Vulnerabilities that OpenSea is aware of already will not be rewarded.
- Reports that identify multiple vulnerabilities caused by one underlying issue will be awarded at most one bounty.
- Issues identified by a reporter will be paid only once, even if the same issue can be exploited on multiple in-scope assets or on contracts deployed across multiple chains.
Searching for Potential Vulnerabilities:
- Researchers may not impact production systems in a negative way for any testing.
- All opensea.io testing and research should be conducted on testnets.opensea.io.
- All smart contract testing should be done with a forked local copy of mainnet.
- Social engineering (e.g. phishing, vishing, smishing) is prohibited.
- Avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
- Failure to adhere to any of the terms in this section will make you ineligible for a bug bounty reward.
Out of scope vulnerabilities
The following issues are considered out of scope:
- Clickjacking on pages with no sensitive actions.
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.
- Attacks requiring MITM or physical access or control over a user's device. This specifically means that client-side manipulation of JavaScript is excluded without a demonstration of how to manipulate the JavaScript remotely.
- Previously known vulnerable libraries without a working Proof of Concept.
- Rate limiting or brute-force issues on non-authentication endpoints.
- Denial of service attacks (DDoS/DoS).
- Missing HttpOnly or Secure flags on cookies.
- Vulnerabilities only affecting users of outdated or unpatched browsers (less than 2 stable versions behind the latest released stable version).
- Software version disclosure / banner identification issues / descriptive error messages or headers (e.g. stack traces, application or server errors).
- Public zero-day vulnerabilities that have had an official patch for less than 1 month. While outside the scope of the official bug bounty program, OpenSea may still review these vulnerabilities, and may provide monetary awards at OpenSea’s sole discretion.
- Vulnerabilities that were publicly disclosed in any manner, prior to OpenSea receiving the report, and vulnerabilities of which OpenSea was otherwise already aware.
- Open redirect - may be eligible if it is part of a chain of issues, but not as a standalone issue.
- Clickjacking within an NFT displayed on OpenSea.
- JavaScript execution on openseauserdata.com is expected. To be considered in scope, you will need to demonstrate how it harms users on in-scope assets.
- Wallet vulnerabilities - these should be reported to the respective wallets themselves.
- Copycat/copymint detection bypass - we are happy to have these reported but we are not providing rewards for them.
- All user wallet content such as NFTs owned, historical transactions, wallet balances, etc., is not considered confidential. Features of the website that allow accessing this content for another user are expected.
- Vulnerabilities reported by the same researcher to other entities either before or after their report to OpenSea.
- Vulnerabilities in code that is not fully deployed and in use in a mainnet or mainnet equivalent production code path.
- Vulnerabilities that require the victim to be using a wallet that is not one of:
- MetaMask
- Coinbase Wallet
- Ledger
- Phantom
- Bitkeep
- Kaikas
- Glow
- Solflare
- Venly
- OperaTouch
- Trust
- WalletConnect
Disclosure Policy
To ensure that any disclosure of vulnerabilities happens in a responsible manner, do not discuss any vulnerabilities (even resolved ones) outside of the program without express consent from OpenSea. Failure to adhere to the Disclosure Policy will result in the forfeiture of any eligible reward.
Safe Harbor
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you for such authorized conduct.
Thank you for helping keep OpenSea and the NFT community safe!
Bounty Amount Discretion
Vulnerability reports that are (i) in-scope, (ii) comply with OpenSea’s bug bounty policy, (iii) comply with the HackerOne terms and conditions, and (iv) meet a baseline level of utility to OpenSea because the vulnerability is exploitable and impacts security will be rewarded a minimum of the “Low” reward amount in the corresponding asset category. Rewards for “Medium”, “High”, or “Critical” severity scores are at OpenSea’s sole discretion and OpenSea is not obligated to pay any of these amounts.
Dispute Resolution
- If you have any dispute about application of OpenSea’s bug bounty program, you must first attempt to resolve the dispute in good faith through HackerOne’s mediation process.
- If after completion of HackerOne’s mediation process, a dispute still exists, you agree to engage in good-faith efforts to resolve such dispute prior to initiating formal legal action. You must initiate this dispute resolution process by sending a letter describing the nature of your claim and desired resolution to: OpenSea, Attn: Legal Department, 228 Park Avenue South, #22014, New York, NY 10003. You agree to meet and confer personally, by telephone, or by videoconference (hereinafter “Conference”) to discuss the dispute and attempt in good faith to reach a mutually beneficial outcome that avoids the expenses of further legal process. If you are represented by counsel, your counsel may participate in the Conference as well, but you agree to fully participate in the Conference. Likewise, if OpenSea is represented by counsel, its counsel may participate in the Conference as well, but OpenSea agrees to have a company representative fully participate in the Conference. The statute of limitations and any filing fee deadlines shall be tolled while the parties engage in the informal dispute resolution process and Conference required by this paragraph. If the parties do not reach agreement to resolve the dispute within thirty (30) days after initiation of this dispute resolution process, either party may commence formal legal action.