Bug Bounty
The Onyx Bug Bounty Program takes a community-centric approach to finding and fixing security issues in the Onyx smart contracts.
At Onyx, security is fundamental to our mission. We highly value the contributions of ethical hackers who help us uphold the highest standards of security across the Onyx ecosystem. While Onyx has undergone rigorous professional audits and formal verification, it operates on evolving technology that may still contain undiscovered vulnerabilities.
We encourage the community to actively audit our smart contracts and infrastructure and responsibly disclose any security concerns. This program is designed to incentivize responsible security research, outlining the expectations for ethical vulnerability disclosure and the rewards available for eligible findings.
Rewards
Onyx offers substantial rewards for vulnerabilities that could lead to the loss or freezing of assets or otherwise cause harm to users. The reward amount is determined based on the severity and exploitability of the vulnerability. Eligible discoveries may receive rewards ranging from $500 to $150,000, in accordance with the terms outlined below.
Scope
Primary Scope:
The primary focus of the bug bounty program is vulnerabilities impacting the on-chain Onyx Protocol, deployed on Ethereum Mainnet, specifically the contract addresses listed in this developer documentation. This scope is subject to change as new contracts are deployed or existing contracts are deprecated.
Out-of-scope items include:
Vulnerabilities in third-party contracts built on top of Onyx (e.g., smart contract wallets).
Issues that require control of an admin key.
Secondary Scope:
The program also includes vulnerabilities affecting the Onyx Interface hosted at app.onyx.org, particularly those that could lead to unauthorized account access or asset manipulation.
Out of Scope:
Vulnerabilities affecting test environments (Rinkeby, other testnets, and staging servers), unless they also impact the Onyx Protocol or Interface in a way that could put user funds at risk.
Disclosure Process
All vulnerability disclosures should be submitted to info@onyx.org with detailed steps for reproducing the issue. Reports may be submitted in written or video format to ensure clarity. Onyx will acknowledge all valid submissions promptly.
Eligibility Requirements
To qualify for a bounty reward, you must:
Identify a previously unreported, original, and non-public vulnerability within the defined scope.
Provide a detailed disclosure that enables Onyx engineers to reproduce and resolve the issue efficiently.
Be at least 18 years old.
Submit your report individually or with documented company approval (if submitting on behalf of an organization).
Not be subject to U.S. sanctions or reside in a U.S.-embargoed country.
Not be a current or former Onyx employee, vendor, contractor, or affiliate of a vendor or contractor.
Rules of Engagement
To encourage ethical security research and distinguish good-faith efforts from malicious activity, researchers must:
Follow program terms and any other applicable agreements. If conflicts arise, the bug bounty program terms take precedence.
Report vulnerabilities promptly.
Avoid causing harm, including privacy violations, service disruptions, or data loss.
Use only info@onyx.org for all communications regarding vulnerabilities.
Maintain confidentiality regarding discovered vulnerabilities until they are patched.
Limit testing to in-scope systems and avoid interacting with accounts not explicitly authorized for testing.
Refrain from extortion, blackmail, or any unlawful activities.
What You Can Expect from Onyx
When engaging with Onyx under this program, we commit to:
Offering competitive rewards for eligible findings, with payouts determined based on severity and exploitability at Onyx's discretion.
Providing Safe Harbor for researchers who comply with program guidelines, ensuring Onyx will not pursue legal action against those acting in good faith.
Validating and acknowledging reports promptly, including an initial response and further investigation.
Addressing vulnerabilities in a timely manner.
Recognizing your contributions if you are the first to report a valid vulnerability that results in a code or configuration change.
All decisions regarding eligibility, reward amounts, and payout determinations are made at Onyx’s sole discretion. Onyx reserves the right to reject submissions and modify the terms of this program at any time.