This article has been updated to reflect OpenSea's transition to BugCrowd. The BugCrowd program can be accessed at https://bugcrowd.com/opensea.

At OpenSea, we’re on a mission to build the world’s most trusted and inclusive NFT marketplace – and a key aspect of “trust” implies knowing and understanding our technical vulnerabilities, so we can anticipate and prevent attacks from ever happening in the first place.  Luckily for us, OpenSea has a vibrant community of passionate and highly skilled users who we’ve partnered with to develop OpenSea’s Bug Bounty Program!

This program has existed informally for some time, and we brought on HackerOne in October 2021 to help us formalize it. Today, with our continued growth and visibility, we’re now ready to make the program public and expand the participation to anyone wanting to make a meaningful security impact on OpenSea. As we scale the program, we’re focused on empowering our community members to identify and flag any security vulnerabilities so the OpenSea team can act quickly to review and patch improvements to our site.

Since its launch, OpenSea’s Bug Bounty program has allowed us to quickly address vulnerabilities, improve our defenses, and help keep our platform secure alongside our own teams’ efforts. Engagement has been tremendous – and since May of 2020, we’ve resolved and paid bounty for more than 25 proven vulnerability reports.

How it Works

In exchange for vulnerability reports, we will be providing rewards in a tiered model based on the severity of the issue reported. The bounties range between $500 and $50,000, depending on the severity of the vulnerability and impact. All bounties are subject to be paid out at higher rates at the discretion of the OpenSea team depending on severity of the reported vulnerability.

When we receive a report, we commit to responding to and triaging new bug bounty submissions in less than 4 days, issuing bounties for confirmed vulnerabilities in less than 25 days, and resolving any proven vulnerabilities as quickly as possible.

OpenSea is committed to a true partnership with the community to find and resolve any vulnerabilities that might exist on our platform. Every report will be reviewed by a security expert and responded to in a timely fashion – we deeply appreciate the effort and vigilance of those who contribute! You can find more about the bug bounty policy and how to report issues at OpenSea’s HackerOne page: https://hackerone.com/opensea