Security Policy
Scope
This policy covers the following repositories and their deployed contracts:
- oc-contracts: Smart contracts on EVM and SVM
- oc-sdk: TypeScript SDK and developer tooling
- oc-standard: Protocol specification
Out of scope: Operator-specific implementations, third-party integrations, social engineering, denial-of-service attacks against infrastructure (volumetric or resource-exhaustion; a logic-level denial of service against a protocol component such as the verification pipeline is rated Medium under Severity Classification below), and issues in dependencies not maintained by OpenCrown.
Reporting a Vulnerability
Email security@opencrown.org with:
- Description of the vulnerability
- Steps to reproduce
- Potential impact assessment
- Suggested fix (if any)
Do not open a public issue for security vulnerabilities. Use the email channel for all reports.
Response Timeline
| Action | Target |
|---|---|
| Acknowledgment | 24 hours |
| Initial triage and severity classification | 72 hours |
| Fix for critical severity | 7 days |
| Fix for high severity | 14 days |
| Fix for medium severity | 30 days |
| Fix for low severity | 60 days |
| Public disclosure | 90 days after report, or when fix ships (whichever is first) |
Bounty Program
OpenCrown's bounty program scales with the protocol's treasury. We pay what we can now, we commit to paying more as the protocol grows, and the allocation is transparent and verifiable.
Standing commitment: 5% of all DAO treasury inflows are earmarked for security bounties. This allocation is tracked publicly and enforced by multisig policy. When the treasury reaches sufficient size, the allocation will be enforced on-chain via a payment splitter contract routing crown fee revenue directly to a bounty multisig.
Phase 0: Responsible Disclosure (Current)
The protocol is pre-revenue. Bounties are currently limited to:
- Public recognition (with your permission) in the security advisory
- Bounty credit: once the treasury reaches the Phase 1 threshold, credited researchers are paid first, retroactively
- Invitation to the security advisory group
We do not promise bounties we cannot pay. We do promise that every valid report is tracked and credited.
Phase 1: Seed Bounty Fund
Trigger: DAO treasury reaches $5,000.
| Severity | Bounty Range | Examples |
|---|---|---|
| Critical | $500-$1,000 | Loss of funds, contract takeover, unauthorized crown creation |
| High | $250-$500 | Verification bypass, unauthorized admin actions, heartbeat manipulation |
| Medium | $100-$250 | Information disclosure, privilege escalation in SDK |
| Low | $50 | Minor information leaks, non-critical logic errors |
At this phase, 10% of the treasury is earmarked as the seed bounty fund.
Phase 2: Formal Program
Trigger: DAO treasury reaches $25,000.
| Severity | Bounty Range |
|---|---|
| Critical | $2,500-$5,000 |
| High | $1,000-$2,500 |
| Medium | $500-$1,000 |
| Low | $250 |
At this phase, the program will be listed on an established bug bounty platform with on-chain escrow for deposits.
Phase 3: Full Program
Trigger: DAO treasury reaches $100,000.
| Severity | Bounty Range |
|---|---|
| Critical | $10,000-$50,000 |
| High | $2,500-$10,000 |
| Medium | $1,000-$2,500 |
| Low | $500 |
The standing 5% allocation of treasury inflows is enforced on-chain via a payment splitter contract. Pre-upgrade security audit contests will be conducted for major protocol changes.
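The standing commitment above and the Phase 3 on-chain enforcement both describe a payment splitter that routes a fixed share of crown fee revenue to a bounty multisig. The sketch below is an added illustration of that mechanism and is not OpenCrown's contract; it assumes fee revenue arrives as plain ETH transfers and that the share is expressed in basis points (500 = 5%). The contract, event and function names are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// @notice Illustrative sketch, not OpenCrown's deployed contract. Receives
///         fee revenue and accrues a fixed basis-point share to a bounty
///         multisig, the remainder to the DAO treasury. Payouts are pull-based
///         so that a reverting recipient can never block fee intake.
contract BountySplitter {
    uint256 public constant BPS_DENOMINATOR = 10_000;

    /// @dev Share of every inflow routed to bounties, in basis points (500 = 5%).
    uint256 public immutable bountyShareBps;
    address public immutable bountyMultisig;
    address public immutable treasury;

    /// @dev Amounts accrued but not yet released, per recipient.
    mapping(address => uint256) public owed;

    event Accrued(uint256 toBounty, uint256 toTreasury);
    event Released(address indexed recipient, uint256 amount);

    constructor(address bountyMultisig_, address treasury_, uint256 bountyShareBps_) {
        require(bountyMultisig_ != address(0) && treasury_ != address(0), "zero address");
        require(bountyMultisig_ != treasury_, "recipients must differ");
        require(bountyShareBps_ <= BPS_DENOMINATOR, "share exceeds 100%");
        bountyMultisig = bountyMultisig_;
        treasury = treasury_;
        bountyShareBps = bountyShareBps_;
    }

    /// @notice Fee revenue is sent here as plain ETH transfers (assumed).
    receive() external payable {
        // Floor division: any rounding dust stays with the treasury.
        uint256 toBounty = (msg.value * bountyShareBps) / BPS_DENOMINATOR;
        uint256 toTreasury = msg.value - toBounty;
        owed[bountyMultisig] += toBounty;
        owed[treasury] += toTreasury;
        emit Accrued(toBounty, toTreasury);
    }

    /// @notice Anyone may trigger a payout; funds only ever go to one of the two
    ///         immutable recipients, so an arbitrary caller gains nothing.
    function release(address recipient) external {
        require(recipient == bountyMultisig || recipient == treasury, "unknown recipient");
        uint256 amount = owed[recipient];
        require(amount > 0, "nothing owed");
        owed[recipient] = 0; // effects before interaction (checks-effects-interactions)
        (bool ok, ) = recipient.call{value: amount}("");
        require(ok, "transfer failed");
        emit Released(recipient, amount);
    }
}
```

Two design choices matter for the "enforced on-chain" claim. The recipients and the share are immutable, so the allocation cannot be quietly changed by whoever controls the contract; changing it requires deploying a new splitter and repointing fee revenue, which is visible on-chain. And payouts are pull-based rather than forwarded inside receive(): with a push design, a multisig that reverts on receipt (or a contract recipient out of gas) would make every fee payment fail, turning the bounty commitment into a way to halt protocol revenue.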
Severity Classification
Critical
Direct loss of funds, unauthorized crown creation or destruction, contract ownership takeover, bypass of soulbound transfer restrictions, manipulation of deal escrow.
Fix target: 7 days.
High
Verification bypass (claiming a crown without proving contract ownership), unauthorized administrative actions, heartbeat score manipulation at scale, operator registry corruption.
Fix target: 14 days.
Medium
Information disclosure of private metadata, privilege escalation in SDK or API, denial of service against the verification pipeline, cross-chain state inconsistencies.
Fix target: 30 days.
Low
Minor information leaks with no direct exploit path, non-critical logic errors, UI rendering issues that could mislead users.
Fix target: 60 days.
Automated Security Tooling
The protocol CI pipeline runs the following security tools on every commit:
- Static analysis: Slither, Mythril, Aderyn (Solidity); Clippy (Rust); gosec (Go); Semgrep (cross-language SAST)
- Fuzzing: Medusa and Foundry fuzz tests (EVM); Trident (Solana)
- Dependency auditing: npm audit (TypeScript); cargo audit (Rust)
These tools catch a class of issues that manual review misses. They do not replace human security research, which is why this bounty program exists.
Safe Harbor
OpenCrown provides safe harbor for good-faith security research conducted under this policy.
Good faith means:
- You report the vulnerability through the channels described above
- You do not exploit the vulnerability beyond what is necessary to demonstrate it
- You do not access, modify, or delete data belonging to other users
- You do not disclose the vulnerability publicly before the agreed timeline
- You comply with all applicable laws
We will not:
- Pursue legal action against researchers acting in good faith
- Report good-faith research to law enforcement
- Revoke access or penalize accounts used for authorized security testing
Security-Critical OCPs
Open Crown Proposals that address active security vulnerabilities may bypass the standard 14-day review period at multisig discretion. Security-critical changes are coordinated through the security advisory group before public disclosure.