Orderly Network: Bug Bounty Program

  • $200 – $9,000 per vulnerability
  • Up to $10,000 maximum reward
  • Safe harbor

Program stats

  • Vulnerabilities rewarded: 9
  • Validation within 2 days: 75% of submissions are accepted or rejected within 2 days
  • Average payout: $214.28 within the last 3 months

No technology is perfect and Orderly Network believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. We are excited for you to participate as a security researcher to help us identify vulnerabilities in our web applications and API. Good luck, and happy hunting!

Ratings/Rewards:

For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal and make a case for a higher priority.

The final bounty will be the Base Bounty + Special Bonus (if any).

| Type | Category | Maximum Rewards | Notes |
|---|---|---|---|
| P1 | Remote Code Execution (RCE) | $10,000 | The ability to execute arbitrary system commands on a remote server, with no circumstances beyond the attacker's control, qualifies for the maximum reward. |
| P1 | Server Side Request Forgery (SSRF) | $6,000 – $9,000 | The ability to make arbitrary network requests within Orderly Network's internal network and read sensitive data qualifies for the maximum reward. Factors that may limit severity include blind SSRF (unable to read data, or only certain file types such as images) and limits on the type of request that can be made (e.g. POST only). |
| P1 | SQL Injection | $6,000 – $9,000 | |
| P1 | Sensitive File Access | $6,000 – $9,000 | |
| P2 | Account takeover | $2,000 – $4,000 | The maximum reward is reserved for account takeover vulnerabilities that require no user interaction. |
| P2 | Logic flaw | $2,000 – $4,000 | Includes (non-exhaustively) ways to exploit the application not behaving as expected, such as changing or altering parameters to produce unintended behaviour (e.g. IDOR), bypassing a paywall, approval process or business workflow within the application, or bypassing an authentication mechanism. |
| P3 | Cross-Site Scripting (XSS) | $1,000 – $2,000 | XSS vulnerabilities are limited to a base reward of $1,000. If you can access sensitive data, you may also be eligible for the PII bonus. If the XSS can be escalated to a more severe vulnerability, it will be evaluated under that category. |
| P3 | CSRF | $1,000 – $2,000 | |
| P4 | Other valid vulnerabilities | $200 – $1,500 | |

Bonus rewards in addition to base bounties:

| Type | Bonus amount |
|---|---|
| Special Bonus | Up to $5,000 |

Report Assessment and Bounty Calculations

1) Base Bounty: the maximum reward is taken from the bounty table. The report is then evaluated against that maximum, its CVSS score, and an assessment of the business impact.

2) Special Bonus: this category rewards special contributions. It is entirely at the discretion of the Orderly Network Bug Bounty team, but the goal is to reward reports we consider exceptional. Reports that qualify on the criteria below will have their bounty increased by up to $5,000.

A few examples of things we will be looking for are:

  • Novel and innovative approach and exploit
  • Creative chaining of exploits
  • An easy-to-understand report with a good description of the issue's root cause
  • Vulnerabilities that could undermine the safety of any user or validator's fund/fee
  • Vulnerabilities related to key generation, encryption, decryption, signing and verification
  • Remote leaks of unencrypted private keys / mnemonic / key seed
  • Vulnerabilities that could severely undermine trading or token economy.

Examples of issues that we are looking for:

  • Vulnerabilities that can cause a loss of user funds/assets remotely
  • Vulnerabilities that can cause exposure of private keys or mnemonic seed phrase remotely
  • Vulnerabilities in chain-related implementations
  • Denial of service of the wallet app
  • Remote code execution
  • Insecure cryptographic implementation for sensitive functions such as wallet generation, transaction signing etc.

Out-of-scope Vulnerabilities

Non-Qualifying Vulnerabilities in the Orderly Network

  • Theoretical vulnerabilities without actual proof of concept
  • Email verification deficiencies, expiration of password reset links, and password complexity policies
  • Clickjacking/UI redressing with minimal security impact
  • Email enumeration (E.g. the ability to identify emails via password reset)
  • Information disclosure with minimal security impact (E.g. stack traces, path disclosure, directory listings, logs)
  • Self-XSS
  • Spamming
  • Usability issues
  • Vulnerabilities only exploitable on out-of-date browsers or platforms
  • Reports from automated tools or scans, without exploitability demonstration
  • Vulnerabilities related to autofill web forms
  • Use of known vulnerable libraries without actual proof of concept
  • Lack of security flags in cookies
  • Issues related to unsafe SSL/TLS cipher suites or protocol version
  • Content spoofing
  • Cache-control related issues
  • Exposure of internal IP address or domains
  • Missing security headers that do not lead to direct exploitation
  • Vulnerabilities that require physical access to a user's device
  • Non-technical attacks, such as physical attacks, social engineering, phishing, etc. (e.g. HTTP Basic Authentication phishing)
  • DNS takeover (subdomain takeover)

Testing is only authorized on the targets listed as in scope. Any domain/property of Orderly Network not listed in the targets section is out of scope. This includes any/all subdomains not listed above. If you happen to identify a security vulnerability on a target that is not in scope, but it demonstrably belongs to Orderly Network, you can report it to this program. However, be aware that it is ineligible for rewards or points-based compensation.

Scope and rewards

Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please submit through the Bugcrowd Support Portal. We will address your issue as soon as possible.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.