Here I cover the scope of the public bug bounty of Octopus Network. Aside from audits of our most critical contracts, Octopus Network agrees that ongoing security programs are necessary. By incentivizing security analysts, we protect the critical assets of Octopus Network: the smart contracts on NEAR Protocol that make up our core business logic.
If you read through the bounty details, you'll find that a vulnerability alone isn't enough to earn a reward. Proof of the impact on devnet is not an easy thing to provide, but it is a standard part of public bounty programs: it shows that the issue can be reproduced under fair conditions.
Moreover, this bounty is issued by our partner Immunefi. The conditions of a valid bounty/reward are to be determined by Immunefi, and not by Octopus Network itself. Because of the nature of the open web and/or web3, Octopus Network decided not to set a requirement for KYC; this means an anonymous actor could receive a qualified bounty without providing personally identifying information.