[{"id":3684462,"new_policy":"OpenSea is building the most trusted and inclusive NFT marketplace with the best selection.  Trust, safety and security are core areas of focus, which means that finding and eliminating vulnerabilities is a top priority. We value our partnership with the vulnerability hunting community, and as such we ensure all reports are reviewed by security experts and acted upon appropriately.\n\n# Response Targets\nOpenSea and its affiliates will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 4 days |\n| Time to Triage | 4 days |\n| Time to Resolution | depends on severity and complexity |\n| Time to Bounty (After Resolution) | 25 days |\n\nWe try to be transparent and will take steps to actively keep reporters in the loop regarding the progress of their report throughout the process.\n\nA vulnerability report will be considered resolved when any actual vulnerability has been fully addressed and no further action is required by OpenSea to resolve the vulnerability.\n\n# Program Rules\nPlease carefully review these rules, as they will govern any report you submit.\n\n## Reports\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the report will not be eligible for a reward. 
Please consider (1) attack scenario / exploitability, and (2) security impact of the vulnerability.\n\n* Researchers may only submit one vulnerability per report, unless there is a need to chain vulnerabilities to provide impact.\n* When multiple researchers identify and report the same underlying issue, OpenSea will award any applicable bounty to the first eligible report that was received.\n* Vulnerabilities that OpenSea is aware of already will not be rewarded.\n* Reports that identify multiple vulnerabilities caused by one underlying issue will be awarded at most one bounty.\n* Issues identified by a reporter will be paid at most only once, even if the same issue can be exploited on multiple in-scope assets or on contracts deployed across multiple chains.\n\n## Searching for Potential Vulnerabilities:\n* Researchers may not impact production systems in a negative way for any testing.\n* All opensea.io testing and research should be conducted on testnets.opensea.io.\n* All smart contract testing should be done with a forked local copy of mainnet.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder. \n* Failure to adhere to any of the terms in this section will make you ineligible for a bug bounty reward. \n\n# Out of scope vulnerabilities\n\n### The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions.\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.\n* Attacks requiring MITM or physical access or control over a user's device. 
This specifically means that client-side manipulation of Javascript is excluded without a demonstration of how to manipulate the Javascript remotely.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Rate limiting or bruteforce issues on non-authentication endpoints.\n* Denial of service attacks (DDOS/DOS).\n* Missing HttpOnly or Secure flags on cookies.\n* Vulnerabilities only affecting users of outdated or unpatched browsers (less than 2 stable versions behind the latest released stable version).\n* Software version disclosure / banner identification issues / descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Public zero-day vulnerabilities that have had an official patch for less than 1 month.  While outside the scope of the official bug bounty program, OpenSea may still review these vulnerabilities, and may provide monetary awards at OpenSea’s sole discretion.\n* Vulnerabilities that were publicly disclosed in any manner, prior to OpenSea receiving the report, and vulnerabilities of which OpenSea was otherwise already aware.\n* Open redirect - may be eligible if it is part of a chain of issues, but not as a standalone issue.\n* Clickjacking within an NFT displayed on OpenSea.\n* Javascript execution on openseauserdata.com is expected. To be considered in scope, you will need to demonstrate how it harms users on inscope assets.\n* Wallet vulnerabilities - these should be reported to the respective wallets themselves.\n* Copycat/copymint detection bypass - we are happy to have these reported but we are not providing rewards for them.\n* All user wallet content such as NFTs owned, historical transactions, wallet balances, etc., are not considered confidential. 
Features of the website that allow accessing this content for another user is expected.\n* Vulnerabilities reported by the same researcher to other entities either before or after their report to OpenSea.\n* Vulnerabilities in code that is not fully deployed and in use in a mainnet or mainnet equivalent production code path.\n* Vulnerabilities that require the victim to be using a wallet that is not one of: \n  * MetaMask\n  * Coinbase Wallet\n  * Ledger\n  * Phantom\n  * Bitkeep\n  * Kaikas\n  * Ledger\n  * Glow\n  * Solflare\n  * Venly\n  * OperaTouch\n  * Trust\n  * WalletConnect\n\n\n# Disclosure Policy\nTo ensure that any disclosure of vulnerabilities happens in a responsible manner, do not discuss any vulnerabilities (even resolved ones) outside of the program without express consent from OpenSea.  Failure to adhere to the Disclosure Policy will result in the forfeiture of any eligible reward. \n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you for such authorized conduct.\n\nThank you for helping keep OpenSea and the NFT community safe!\n\n# Bounty Amount Discretion\n\nVulnerability reports that are (i) in-scope, (ii) comply with OpenSea’s bug bounty policy, (iii) comply with the HackerOne terms and conditions, and (iv) meet a baseline level of utility to OpenSea because the vulnerability is exploitable and impacts security will be rewarded a minimum of the “Low” reward amount in the corresponding asset category. Rewards for “Medium”, “High”, or “Critical” severity scores are at OpenSea’s sole discretion and OpenSea is not obligated to pay any of these amounts. 
\n\n# Dispute Resolution\n* If you have any dispute about application of OpenSea’s bug bounty program, you must first attempt to resolve the dispute in good faith through HackerOne’s mediation process.\n* If after completion of HackerOne’s mediation process, a dispute still exists, you agree to engage in good-faith efforts to resolve such dispute prior to initiating formal legal action. You must initiate this dispute resolution process by sending a letter describing the nature of your claim and desired resolution to: OpenSea, Attn: Legal Department, 228 Park Avenue South, #22014, New York, NY 10003. You agree to meet and confer personally, by telephone, or by videoconference (hereinafter “Conference”) to discuss the dispute and attempt in good faith to reach a mutually beneficial outcome that avoids the expenses of further legal process. If you are represented by counsel, your counsel may participate in the Conference as well, but you agree to fully participate in the Conference. Likewise, if OpenSea is represented by counsel, its counsel may participate in the Conference as well, but OpenSea agrees to have a company representative fully participate in the Conference. The statute of limitations and any filing fee deadlines shall be tolled while the parties engage in the informal dispute resolution process and Conference required by this paragraph. If the parties do not reach agreement to resolve the dispute within thirty (30) days after initiation of this dispute resolution process, either party may commence formal legal action.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-03-08T19:59:04.426Z"},{"id":3681870,"new_policy":"OpenSea is building the most trusted and inclusive NFT marketplace with the best selection.  
Trust, safety and security are core areas of focus, which means that finding and eliminating vulnerabilities is a top priority. We value our partnership with the vulnerability hunting community, and as such we ensure all reports are reviewed by security experts and acted upon appropriately.\n\n# Response Targets\nOpenSea will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 4 days |\n| Time to Triage | 4 days |\n| Time to Bounty (Pending Resolution) | 25 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe try to be transparent and will take steps to actively keep reporters in the loop regarding the progress of their report throughout the process.\n\n# Program Rules\n\n## Reports\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the report will not be eligible for a reward. Please consider (1) attack scenario / exploitability, and (2) security impact of the bug.\n\n* Researchers may only submit one vulnerability per report, unless there is a need to chain vulnerabilities to provide impact.\n* When multiple researchers identify and report the same underlying issue, OpenSea will award any applicable bounty to the first report that was received.\n* Reports that identify multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Issues identified by a reporter will be paid only once, even if the contracts may be deployed across many chains.\n\n## Searching for Potential Vulnerabilities:\n* Researchers may not impact production systems in a negative way for any testing\n* All opensea.io testing and research should be conducted on *testnets.opensea.io*. \n* All smart contract testing should be done with a forked local copy of mainnet\n* Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n* Avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n\n# Out of scope vulnerabilities\n\n### The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access or control over a user's device. This specifically means that client-side manipulation of Javascript is excluded without a demonstration of how to manipulate the Javascript remotely.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Denial of service attacks (DDOS/DOS)\n* Missing HttpOnly or Secure flags on cookies\n* Vulnerabilities only affecting users of outdated or unpatched browsers (Less than 2 stable versions behind the latest released stable version)\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Open redirect - this can be used as part of a chain of issues, but not as a standalone issue. \n* Clickjacking within an NFT displayed on OpenSea\n* Javascript execution on `openseauserdata.com` is expected. To be considered in scope you need to demonstrate how that harms users or our systems on opensea.io\n* Wallet vulnerabilities - these should be reported to the respective wallets themselves. 
\n* Copycat/copymint detection bypass - happy to have these reported but we are not rewarding for them\n* All user wallet content such as NFTs owned, historical transactions, wallet balances, etc are not considered confidential. Features of the website that allow accessing this content on another user is expected.\n\n\n# Disclosure Policy\nDo not discuss any vulnerabilities (even resolved ones) outside of the program without express consent from OpenSea.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. \n\nThank you for helping keep OpenSea and the NFT community safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-01-10T20:18:58.374Z"},{"id":3680819,"new_policy":"OpenSea is building the most trusted and inclusive NFT marketplace with the best selection.  Trust, safety and security are core areas of focus, which means that finding and eliminating vulnerabilities is a top priority. 
We value our partnership with the vulnerability hunting community, and as such we ensure all reports are reviewed by security experts and acted upon appropriately.\n\n# Response Targets\nOpenSea will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 4 days |\n| Time to Triage | 4 days |\n| Time to Bounty (Pending Resolution) | 25 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe try to be transparent and will take steps to actively keep reporters in the loop regarding the progress of their report throughout the process.\n\n# Program Rules\n\n## Reports\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the report will not be eligible for a reward. Please consider (1) attack scenario / exploitability, and (2) security impact of the bug.\n\n* Researchers may only submit one vulnerability per report, unless there is a need to chain vulnerabilities to provide impact.\n* When multiple researchers identify and report the same underlying issue, OpenSea will award any applicable bounty to the first report that was received.\n* Reports that identify multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Issues identified by a reporter will be paid only once, even if the contracts may be deployed across many chains.\n\n## Searching for Potential Vulnerabilities:\n* Researchers may not impact production systems in a negative way for any testing\n* All opensea.io testing and research should be conducted on *testnets.opensea.io*. \n* All smart contract testing should be done with a forked local copy of mainnet\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n\n# Out of scope vulnerabilities\n\n### The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access or control over a user's device. This specifically means that client-side manipulation of Javascript is excluded without a demonstration of how to manipulate the Javascript remotely.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Denial of service attacks (DDOS/DOS)\n* Missing HttpOnly or Secure flags on cookies\n* Vulnerabilities only affecting users of outdated or unpatched browsers (Less than 2 stable versions behind the latest released stable version)\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Open redirect - this can be used as part of a chain of issues, but not as a standalone issue. \n* Clickjacking within an NFT displayed on OpenSea\n* Javascript execution on `openseauserdata.com` is expected. To be considered in scope you need to demonstrate how that harms users or our systems on opensea.io\n* Wallet vulnerabilities - these should be reported to the respective wallets themselves. 
\n* Copycat/copymint detection bypass - happy to have these reported but we are not rewarding for them\n\n# Disclosure Policy\nDo not discuss any vulnerabilities (even resolved ones) outside of the program without express consent from OpenSea.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. \n\nThank you for helping keep OpenSea and the NFT community safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-12-08T15:16:21.224Z"},{"id":3679599,"new_policy":"OpenSea is building the most trusted and inclusive NFT marketplace with the best selection.  Trust, safety and security are core areas of focus, which means that finding and eliminating vulnerabilities is a top priority. We value our partnership with the vulnerability hunting community, and as such we ensure all reports are reviewed by security experts and acted upon appropriately.\n\n# Response Targets\nOpenSea will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 4 days |\n| Time to Triage | 4 days |\n| Time to Bounty (Pending Resolution) | 25 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe try to be transparent and will take steps to actively keep reporters in the loop regarding the progress of their report throughout the process.\n\n# Program Rules\n\n## Reports\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the report will not be eligible for a reward. 
Please consider (1) attack scenario / exploitability, and (2) security impact of the bug.\n\n* Researchers may only submit one vulnerability per report, unless there is a need to chain vulnerabilities to provide impact.\n* When multiple researchers identify and report the same underlying issue, OpenSea will award any applicable bounty to the first report that was received.\n* Reports that identify multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Issues identified by a reporter will be paid only once, even if the contracts may be deployed across many chains.\n\n## Searching for Potential Vulnerabilities:\n* Researchers may not impact production systems in a negative way for any testing\n* All opensea.io testing and research should be conducted on *testnets.opensea.io*. \n* All smart contract testing should be done with a forked local copy of mainnet\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n\n# Out of scope vulnerabilities\n\n### The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access or control over a user's device. 
This specifically means that client-side manipulation of Javascript is excluded without a demonstration of how to manipulate the Javascript remotely.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Denial of service attacks (DDOS/DOS)\n* Missing HttpOnly or Secure flags on cookies\n* Vulnerabilities only affecting users of outdated or unpatched browsers (Less than 2 stable versions behind the latest released stable version)\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Open redirect - this can be used as part of a chain of issues, but not as a standalone issue. \n* Clickjacking within an NFT displayed on OpenSea\n* Javascript execution on `openseauserdata.com` is expected. To be considered in scope you need to demonstrate how that harms users or our systems on opensea.io\n* Wallet vulnerabilities - these should be reported to the respective wallets themselves. \n\n# Disclosure Policy\nDo not discuss any vulnerabilities (even resolved ones) outside of the program without express consent from OpenSea.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
\n\nThank you for helping keep OpenSea and the NFT community safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-11-07T16:49:17.449Z"},{"id":3674019,"new_policy":"OpenSea strives to be the most trustworthy and secure marketplace for NFTs. Finding and eliminating current vulnerabilities is a top priority. OpenSea highly values our partnership with the vulnerability hunting community and as such we ensure all reports are reviewed by security experts and acted upon appropriately.\n\n# Response Targets\nOpenSea will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 4 days |\n| Time to Triage | 4 days |\n| Time to Bounty (Pending Resolution) | 25 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe are transparently and will actively keep reporters in the loop of progress throughout the process.\n\n# Disclosure Policy\n* Do not discuss any vulnerabilities (even resolved ones) outside of the program without express consent from OpenSea.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n\n* Do not impact production systems in a negative way for any testing\n* All opensea.io testing and research should be conducted on *testnets.opensea.io*. 
\n* All smart contract testing should be done with a forked local copy of mainnet\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n\n# Out of scope vulnerabilities\n\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access or control over a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Denial of service attacks (DDOS/DOS)\n* Missing HttpOnly or Secure flags on cookies\n* Vulnerabilities only affecting users of outdated or unpatched browsers (Less than 2 stable versions behind the latest released stable version)\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Open redirect - unless an additional security impact can be demonstrated\n* Broken external links\n* Clickjacking within an NFT displayed on OpenSea\n* Javascript execution on `openseauserdata.com` is expected. To be considered in scope you need to demonstrate how that harms users or our systems on opensea.io\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. \n\nThank you for helping keep OpenSea and the NFT community safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-07-08T19:46:43.466Z"},{"id":3674018,"new_policy":"OpenSea strives to be the most trustworthy and secure marketplace for NFTs. Finding and eliminating current vulnerabilities is a top priority. 
OpenSea highly values our partnership with the vulnerability hunting community and as such we ensure all reports are reviewed by security experts and acted upon appropriately.\n\n# Response Targets\nOpenSea will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 4 days |\n| Time to Triage | 4 days |\n| Time to Bounty (Pending Resolution) | 25 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe are transparently and will actively keep reporters in the loop of progress throughout the process.\n\n# Disclosure Policy\n* Do not discuss any vulnerabilities (even resolved ones) outside of the program without express consent from OpenSea.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n\n* Do not impact production systems in a negative way for any testing\n* All testing and research should be conducted on *testnets.opensea.io*\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\nPlease provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n\n# Out of scope vulnerabilities\n\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access or control over a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Denial of service attacks (DDOS/DOS)\n* Missing HttpOnly or Secure flags on cookies\n* Vulnerabilities only affecting users of outdated or unpatched browsers (Less than 2 stable versions behind the latest released stable version)\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Open redirect - unless an additional security impact can be demonstrated\n* Broken external links\n* Clickjacking within an NFT displayed on OpenSea\n* Javascript execution on `openseauserdata.com` is expected. To be considered in scope you need to demonstrate how that harms users or our systems on opensea.io\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
\n\nThank you for helping keep OpenSea and the NFT community safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-07-08T19:44:05.524Z"},{"id":3671001,"new_policy":"OpenSea strives to be the most trustworthy and secure marketplace for NFTs. Finding and eliminating current vulnerabilities is a top priority. OpenSea highly values our partnership with the vulnerability hunting community and as such we ensure all reports are reviewed by security experts and acted upon appropriately.\n\n# Response Targets\nOpenSea will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 4 days |\n| Time to Triage | 4 days |\n| Time to Bounty (Pending Resolution) | 25 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe are transparently and will actively keep reporters in the loop of progress throughout the process.\n\n# Disclosure Policy\n* Do not discuss any vulnerabilities (even resolved ones) outside of the program without express consent from OpenSea.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n\n* Do not impact production systems in a negative way for any testing\n* All testing and research should be conducted on *testnets.opensea.io*\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Out of scope vulnerabilities\n\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access or control over a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Denial of service attacks (DDOS/DOS)\n* Missing HttpOnly or Secure flags on cookies\n* Vulnerabilities only affecting users of outdated or unpatched browsers (Less than 2 stable versions behind the latest released stable version)\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Open redirect - unless an additional security impact can be demonstrated\n* Broken external links (collection or profile social links)\n* Clickjacking within an NFT displayed on OpenSea\n* Javascript execution on `openseauserdata.com` is expected. To be considered in scope you need to demonstrate how that harms users or our systems on opensea.io\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. \n\nThank you for helping keep OpenSea and the NFT community safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-05-09T19:17:14.402Z"},{"id":3670659,"new_policy":"OpenSea strives to be the most trustworthy and secure marketplace for NFTs. Finding and eliminating current vulnerabilities is a top priority. 
OpenSea highly values our partnership with the vulnerability hunting community and as such we ensure all reports are reviewed by security experts and acted upon appropriately.\n\n# Response Targets\nOpenSea will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 4 days |\n| Time to Triage | 4 days |\n| Time to Bounty (Pending Resolution) | 25 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe are transparent and will actively keep reporters in the loop on progress throughout the process.\n\n# Disclosure Policy\n* Do not discuss any vulnerabilities (even resolved ones) outside of the program without express consent from OpenSea.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n\n* Do not impact production systems in a negative way for any testing\n* All testing and research should be conducted on *testnets.opensea.io*\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Out of scope vulnerabilities\n\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access or control over a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Missing best practices in SSL/TLS configuration.\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Denial of service attacks (DDOS/DOS)\n* Missing HttpOnly or Secure flags on cookies\n* Vulnerabilities only affecting users of outdated or unpatched browsers (Less than 2 stable versions behind the latest released stable version)\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Open redirect - unless an additional security impact can be demonstrated\n* Broken external links (collection or profile social links)\n* Clickjacking within an NFT displayed on OpenSea\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
\n\nThank you for helping keep OpenSea and the NFT community safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-05-02T20:08:02.196Z"},{"id":3667016,"new_policy":"OpenSea strives to be the most trustworthy and secure marketplace for NFTs. Finding and eliminating current vulnerabilities is a top priority. OpenSea highly values our partnership with the vulnerability hunting community and as such we ensure all reports are reviewed by security experts and acted upon appropriately.\n\n# Response Targets\nOpenSea will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 4 days |\n| Time to Triage | 4 days |\n| Time to Bounty (Pending Resolution) | 25 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe are transparent and will actively keep reporters in the loop on progress throughout the process.\n\n# Disclosure Policy\n* Do not discuss any vulnerabilities (even resolved ones) outside of the program without express consent from OpenSea.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n\n* Do not impact production systems in a negative way for any testing\n* All testing and research should be conducted on *testnets.opensea.io*\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Out of scope vulnerabilities\n\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access or control over a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Missing best practices in SSL/TLS configuration.\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Denial of service attacks (DDOS/DOS)\n* Missing HttpOnly or Secure flags on cookies\n* Vulnerabilities only affecting users of outdated or unpatched browsers (Less than 2 stable versions behind the latest released stable version)\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Open redirect - unless an additional security impact can be demonstrated\n* Broken external links (collection or profile social links)\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. \n\nThank you for helping keep OpenSea and the NFT community safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-02-24T21:39:34.815Z"},{"id":3666364,"new_policy":"OpenSea strives to be the most trustworthy and secure marketplace for NFTs. Finding and eliminating current vulnerabilities is a top priority. OpenSea highly values our partnership with the vulnerability hunting community and as such we ensure all reports are reviewed by security experts and acted upon appropriately.\n\n# Response Targets\nOpenSea will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 4 days |\n| Time to Triage | 4 days |\n| Time to Bounty | 25 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe are transparent and will actively keep reporters in the loop on progress throughout the process.\n\n# Disclosure Policy\n* Do not discuss any vulnerabilities (even resolved ones) outside of the program without express consent from OpenSea.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n\n* Do not impact production systems in a negative way for any testing\n* All testing and research should be conducted on *testnets.opensea.io*\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Out of scope vulnerabilities\n\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access or control over a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Missing best practices in SSL/TLS configuration.\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Denial of service attacks (DDOS/DOS)\n* Missing HttpOnly or Secure flags on cookies\n* Vulnerabilities only affecting users of outdated or unpatched browsers (Less than 2 stable versions behind the latest released stable version)\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Open redirect - unless an additional security impact can be demonstrated\n* Broken external links (collection or profile social links)\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. \n\nThank you for helping keep OpenSea and the NFT community safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-02-10T20:20:42.415Z"},{"id":3664424,"new_policy":"OpenSea strives to be the most trustworthy and secure marketplace for NFTs. Finding and eliminating current vulnerabilities is a top priority. OpenSea highly values our partnership with the vulnerability hunting community and as such we ensure all reports are reviewed by security experts and acted upon appropriately.\n\n# Response Targets\nOpenSea will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 4 days |\n| Time to Triage | 4 days |\n| Time to Bounty | 25 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe are transparent and will actively keep reporters in the loop on progress throughout the process.\n\n# Disclosure Policy\n* Do not discuss any vulnerabilities (even resolved ones) outside of the program without express consent from OpenSea.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n\n* Do not impact production systems in a negative way for any testing\n* All testing and research should be conducted on *testnets.opensea.io*\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Out of scope vulnerabilities\n\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access or control over a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Missing best practices in SSL/TLS configuration.\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Denial of service attacks (DDOS/DOS)\n* Missing HttpOnly or Secure flags on cookies\n* Vulnerabilities only affecting users of outdated or unpatched browsers (Less than 2 stable versions behind the latest released stable version)\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Open redirect - unless an additional security impact can be demonstrated\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. \n\nThank you for helping keep OpenSea and the NFT community safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-01-18T16:19:38.237Z"},{"id":3664112,"new_policy":"OpenSea strives to be the most trustworthy and secure marketplace for NFTs. Finding and eliminating current vulnerabilities is a top priority. OpenSea highly values our partnership with the vulnerability hunting community and as such we ensure all reports are reviewed by security experts and acted upon appropriately.\n\n# Response Targets\nOpenSea will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 4 days |\n| Time to Triage | 4 days |\n| Time to Bounty | 25 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe are transparent and will actively keep reporters in the loop on progress throughout the process.\n\n# Disclosure Policy\n* Do not discuss any vulnerabilities (even resolved ones) outside of the program without express consent from OpenSea.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n\n* Do not impact production systems in a negative way for any testing\n* All testing and research should be conducted on *testnets.opensea.io*\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Out of scope vulnerabilities\n\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access or control over a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Missing best practices in SSL/TLS configuration.\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Denial of service attacks (DDOS/DOS)\n* Missing HttpOnly or Secure flags on cookies\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers (Less than 2 stable versions behind the latest released stable version)\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Open redirect - unless an additional security impact can be demonstrated\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. \n\nThank you for helping keep OpenSea and the NFT community safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-01-10T17:10:04.928Z"}]