OpenSea strives to be the most trustworthy and secure marketplace for NFTs. Finding and eliminating current vulnerabilities is a top priority. OpenSea highly values our partnership with the vulnerability hunting community and as such we ensure all reports are reviewed by security experts and acted upon appropriately.

Response Targets

OpenSea will make a best effort to meet the following SLAs for hackers participating in our program:

| Type of Response | SLA in business days |

| ------------- | ------------- |

| First Response | 4 days |

| Time to Triage | 4 days |

| Time to Bounty (Pending Resolution) | 25 days |

| Time to Resolution | depends on severity and complexity |

We are transparently and will actively keep reporters in the loop of progress throughout the process.

Disclosure Policy

• Do not discuss any vulnerabilities (even resolved ones) outside of the program without express consent from OpenSea.

• Follow HackerOne's disclosure guidelines.

Program Rules

Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.

• Do not impact production systems in a negative way for any testing

• All opensea.io testing and research should be conducted on testnets.opensea.io.

• All smart contract testing should be done with a forked local copy of mainnet

• Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.

• When duplicates occur, we award the first report that was received (provided that it can be fully reproduced).

• Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.

• Social engineering (e.g. phishing, vishing, smishing) is prohibited.

• Avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.

Out of scope vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:

• Clickjacking on pages with no sensitive actions

• Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions

• Attacks requiring MITM or physical access or control over a user's device.

• Previously known vulnerable libraries without a working Proof of Concept.

• Rate limiting or bruteforce issues on non-authentication endpoints

• Denial of service attacks (DDOS/DOS)

• Missing HttpOnly or Secure flags on cookies

• Vulnerabilities only affecting users of outdated or unpatched browsers (Less than 2 stable versions behind the latest released stable version)

• Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).

• Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.

• Open redirect - unless an additional security impact can be demonstrated

• Broken external links

• Clickjacking within an NFT displayed on OpenSea

• Javascript execution on openseauserdata.com is expected. To be considered in scope you need to demonstrate how that harms users or our systems on opensea.io

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you.

Thank you for helping keep OpenSea and the NFT community safe!