Oceanland Testnet Bug Bounty Program

Oceanland
Apr 2, 2022

Early bird catches the worm 🐛

Early test catches the bug 🐞

We are delighted to announce the launch of the Oceanland testnet program. In order to provide a better user experience, we created an attractive bounty program for bounty hunters, white hats, ethical hackers, and community users.

This bug bounty program is focused on finding eligible vulnerabilities and security breaches. If you are not a developer or a computer geek, don’t be upset: you still have chances to grab rewards.

You are welcome to give us your opinion about how to expand the Oceanland Community all over the world. After reviewing the submissions, the Oceanland technical and market teams will evaluate and reward the best opinions. If you have any suggestions about Oceanland, please feel free to submit your feedback on our Discord’s #suggestions channel.

Let’s work together to make Oceanland a great P2E game!

How to Join Testnet

  • Install MetaMask and add BNB Smart Chain Testnet. You can use our guide. Remember to use the Testnet parameters given below when adding the BNB test network (the one in the guide is BNB mainnet).
      o Network Name: BNB Smart Chain — Testnet
      o New RPC URL: https://data-seed-prebsc-1-s1.binance.org:8545/
      o ChainID: 97
      o Symbol: BNB
      o Block Explorer URL: https://testnet.bscscan.com
  • Send BNB to your wallet from the BNB faucet page
  • Add our token contracts to your wallet by going to the Assets tab and clicking on Import Tokens. Paste the token contract address given below (the token symbol and decimals will appear automatically), and click on the “Add Custom Token” button.
      o $OLAND: 0x9f9A0a4E867C1B1E51f881074F76D1A2Ceb96ABA
      o $OFOOD: 0xDE74A69f8F8b74b8350C3c63236365fA50dF129A
      o $OMETAL: 0x0ac180ecE41950B781a01aD2260Ada7877185DC1
      o $OWATER: 0x5cbbEFe37AA9d70b929F332609E6c8ea56F48586
      o $OWOOD: 0x549e6b6d152457237358C5e62f1d2c15107498CB
  • Send OLAND and/or NFTs to your wallet from our faucet page
      o https://oland-faucet.vercel.app/
  • Join our testnet
      o https://testnet.oceanland.io

How To Submit a Bug

Report the bug in as much detail as possible in the #bug-report channel by creating a ticket. Please describe the bug in full, including the vulnerability, the components affected, the steps to reproduce the issue, and possible fixes. A screen recording is always a good way to show what you are facing, and tickets with recordings will have priority.

Also, add your BEP-20 wallet address for a possible reward payment.

Rewards

We will form a team to evaluate all bugs reported. The prizes for each bug category are listed below:

  • Critical Bugs — $1000 in BUSD
  • High Bugs — $300 in BUSD
  • Medium Bugs — $100 in BUSD
  • Low Bugs — $50 in BUSD
  • Trivial Bugs — $10 in BUSD

We will also reward 25 random community members as long as they complete basic transactions. If you want to join the airdrop, please complete all transactions listed below:

  • Craft at least one tool
  • Upgrade at least one tool
  • Equip at least one tool
  • Mine at least once
  • Use boosters at least once
  • Unequip Tier-1 tools or Unequip and break (burn) Tier-2, Tier-3, Tier-4 tools at least once
  • Deposit at least once
  • Withdraw at least once
  • Fill out the feedback form

All rewards (both bounty and airdrop) will be paid to your wallet address in BUSD.

Winner Announcement

  • Winners will be announced publicly on our Twitter account. Don’t forget to follow and turn the notifications on.
  • All rewards will be distributed to your wallet address after public listing.

Testnet Tweaks

We have tweaked some parameters in order to improve the gameplay experience and to provide a better testing environment. These parameters will return to their original values when mainnet launches.

  • Cooldown time is decreased to 1 minute
  • Ticket finding ratios are greatly increased
  • Boosters, which can normally be used once a day for each tool, can be used once an hour

Rules

  • If the bug cannot be repeated, it will be rejected
  • Reports with screen recordings will have higher priority
  • You will not be able to submit another ticket until your previous ticket is closed. You can report multiple bugs in the same ticket
  • Issues related to delays caused by the BSC testnet are rejected
  • If a bug causes multiple crashes, only the root cause will be rewarded
  • Public disclosure of a vulnerability would make it ineligible for a reward.
  • Duplicated issues are not eligible for reward. The first submission would be the eligible one.
  • If you want to add more information to a provided issue, add the information to the initial ticket
  • Rewards will be decided on a case-by-case basis, and the bug bounty program, terms, and conditions are at the sole discretion of Oceanland.
  • Rewards will vary depending on the severity of the issue. Other variables considered for rewards include: the quality of the issue description, the instructions for reproducibility, and the quality of the fix (if included).
  • Determinations of eligibility, score and all terms related to an award are at the sole and final discretion of Oceanland.
  • Issues already known and being fixed by the Oceanland team are rejected.
  • Submissions need to be relevant to the Scope. Submissions out of the Bounty Scope won’t be eligible for a reward.
  • Terms and conditions of the bug bounty program may vary over time. Oceanland has the right to change any rules at any time.
  • Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis.

Actions to avoid

  • Testing using addresses/wallets other than your own
  • Automated testing tools
  • Destruction of data

The following areas are out of scope

  • Oceanland Faucet page
  • NFT Marketplace page
  • Swap and Farm page
  • Theoretical vulnerabilities without actual proof of concept.
  • Internally known issues, duplicate issues, or issues which have already been made public.
  • Tab-nabbing.
  • Self-XSS.
  • Accessible non-sensitive files and directories (e.g. README.TXT, LICENSE.TXT, robots.txt, .gitignore, etc.).
  • Vulnerabilities only exploitable on out-of-date browsers or platforms.
  • Vulnerabilities related to auto-fill web forms.
  • Use of known vulnerable libraries without actual proof of concept.
  • Lack of security flags in cookies.
  • Issues related to unsafe SSL/TLS cipher suites or protocol version.
  • Content spoofing.
  • Cache-control related issues.
  • Missing security headers that do not lead to direct exploitation.
  • Vulnerabilities that require physical access to a user’s device.
  • Issues that have no security impact (e.g. failure to load a web page).
  • Assets that do not belong to Oceanland
  • Social engineering / phishing attacks
  • Any DoS/DDoS activity using excess traffic that disrupts our services.
  • Out-of-date software.
  • Open redirect — unless an additional security impact can be demonstrated.
  • Software version disclosure / banner identification issues / descriptive error messages or headers (e.g., stack traces, application or server errors).
  • Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.).
  • Rate limiting or brute-force issues on non-authentication endpoints.
  • Clickjacking on pages with no sensitive actions.
  • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.
  • Comma Separated Values (CSV) injection without demonstrating a vulnerability.
  • Attacks requiring MITM or physical access to a user’s device.

About Oceanland

Oceanland is a Play-to-Earn blockchain game that combines crypto economics with the gaming world. The players earn income by gathering resources required for the main character. Oceanland brings different aspects of blockchain technology together by merging several crypto assets with DeFi and NFT.

Stay tuned ♥
