SECURITY
Bug bounty program.
$50–$10,000 per validated vulnerability. Auto-paid via /v1/bounty/auto-triage.
Scope
- openheab.com and *.openheab.com
- operator.js source code
- SDKs: TypeScript, Python, and any official mobile SDK once shipped
Out of scope
- Social engineering of OpenHeab employees
- Physical attacks against datacenters
- Self-XSS, missing security headers without a working PoC
- Automated scanner output without manual validation
Payouts (in OpenHeab wallet credit; convertible)
| Severity | Payout |
|---|---|
| Low | $50 |
| Medium | $500 |
| High | $2,500 |
| Critical (auth bypass, audit-chain forge, key extraction) | $10,000 |
How to report
Email security@openheab.com, or POST to /v1/bounty/auto-triage. Auto-triage handles the first cut; critical findings escalate to the DAO multisig.
Hall of Fame
View the public hall of fame →
security.txt
A standard RFC 9116 security.txt file is published at /.well-known/security.txt.