Security & Responsible Disclosure
Omne is a public devnet under active development. If you are a security researcher and you have found a vulnerability, this page is for you.
Report a vulnerability
Email security@omne.foundation with the details of the finding. Encrypt the report using our PGP key if the vulnerability is critical.
PGP fingerprint
48A6 2064 02D8 F641 A9E2 AFBD CFBC F690 AA76 0BE7
Public key
omne.foundation/.well-known/pgp-key.asc · keys.openpgp.org
RSA 4096-bit · expires 2028-04-22 · Omne Security <security@omne.foundation>
Response window
72 hours for initial acknowledgment
Scope
The following surfaces are in scope for responsible disclosure:
- Ignis devnet RPC — rpc.ignis.omnechain.network
- Omne node software — the omne-node and omne-validator binaries and their dependencies
- SDK — @omne/sdk on npm
- Phaylos wallet — consumer wallet published at phaylos.xyz
- This site — omne.foundation, docs.omne.foundation
Out of scope
- Reports relying on volumetric denial-of-service (rate-limiting is intentional on devnet)
- Findings on third-party dependencies without exploit paths specific to Omne
- Self-XSS and issues requiring social-engineering of the reporter
- Missing HTTP security headers without a demonstrable exploit path
- Issues already disclosed publicly or already known to the team
What we commit to
- Acknowledge receipt within 72 hours
- Keep you informed of remediation progress
- Credit you in release notes (if desired) once the issue is resolved
- Not pursue legal action against researchers acting in good faith within the scope above
Bug bounty program
Omne runs a phased bug bounty program. Ignis devnet findings are eligible for recognition and, at the Foundation's discretion, for inaugural-program rewards once the Testum testnet brings on-chain treasury disbursement. The formal monetary program activates with the Testum testnet launch and expands at Primum mainnet.
Severity tiers
| Severity | Example class | Reward (Primum) | Reward (Testum) |
|---|---|---|---|
| Critical | Consensus break, validator-set compromise, state-root forgery, double-spend, stake theft, mass-slashing trigger, unauthorized OMC mint | TBD (target: 6-figure OMC/OGT) | TBD (lower tier) |
| High | Validator liveness attack, fee-model exploit causing supply divergence, RCE on node binary, privilege escalation in Axiom Runtime | TBD | TBD |
| Medium | DoS via malformed consensus message, P2P partitioning, mempool-based griefing, contract-level logic errors with bounded impact | TBD | TBD |
| Low | Information leakage, non-exploitable DoS with trivial mitigation, edge-case RPC errors, documentation-reachable surprises | TBD | TBD |
Reward amounts will be published in OMC and/or OGT at the Foundation's discretion once the Testum testnet treasury-disbursement surface is live. The Foundation reserves the right to adjust severity classification based on demonstrated exploit impact.
Disclosure timeline
- T + 0: you report to security@omne.foundation
- T + 72h: we acknowledge receipt and assign a tracking ID
- T + 7 days: triage complete with preliminary severity rating
- T + 30–90 days: remediation shipped to devnet, then Testum, then Primum as each network comes online
- T + 30 days post-fix: coordinated disclosure (advisory published, researcher credited if desired). Critical findings may be held for 90 days at the Foundation's discretion to allow validators to upgrade.
Hall of fame
Researchers credited for accepted findings are listed at omne.foundation/security#hall-of-fame (page populated once inaugural findings close). Credit is opt-in; researchers preferring anonymity are never named.
Rules of engagement
- Test against the public Ignis devnet only. Do not attack mainnet-designated RPC endpoints (even if reachable pre-launch).
- Do not degrade service for other testnet users. Bounded proofs-of-concept against your own accounts only.
- Do not access, modify, or exfiltrate data that is not yours. On-chain data is public; off-chain Foundation systems are not in scope.
- Do not publicly disclose a finding before the timeline above completes or 90 days elapse, whichever is first.
- One researcher per finding — duplicate reports are credited by timestamp. Collaborating researchers share credit and reward.
- Automated scanning: rate-limited only; do not trigger volumetric DoS.
Safe harbor commitment. Research performed in good faith within the rules above will not be met with legal action. Omne commits to working with researchers publicly and collaboratively — the network's resilience depends on the people who find problems before adversaries do.
Safe harbor
Testing must not intentionally harm users, the network, or its validators. Do not access accounts or data that are not yours. Do not publish a vulnerability before it is resolved or 90 days pass since report, whichever comes first. Good-faith research within these bounds is welcome.
This page will be updated as the Testum testnet and the Foundation's formal disclosure program come online. Revisions tracked in the repository.