Description

OOOSec is a bug bounty and vulnerability disclosure platform built for Web3 protocols. Security teams use it to run structured bounty programs, receive and triage researcher submissions, and pay out rewards on-chain. Researchers use it to find and report vulnerabilities, track submission status, and get paid in USDC without delays or disputes.

Core Product Features

On-Chain Escrow Payouts

Bounty funds are locked in a Solana-based escrow vault at program launch. Researchers see proof of funds before submitting, which drives higher quality reports. Payouts are released on-chain with no manual treasury intervention required.

Structured Triage Workflows

Every submission moves through a defined review pipeline with severity scoring, internal notes, and status tracking.

Role-based access control lets you assign Triagers, Treasurers, and Admins without giving everyone full program access.

Researcher Vetting and Reputation

Every researcher on the platform has a reputation score built from submission history, accuracy rate, and payout track record. Program owners can set minimum reputation thresholds and require KYC before researchers can submit.

Compliance-Native Payouts

OFAC sanctions screening and KYC/AML checks run on every payout automatically. No third-party compliance tooling needed. Fiat payouts via Stripe Connect and crypto payouts in USDC are both supported.

Key Product Differentiators

• Only bug bounty platform with native on-chain escrow on Solana, giving researchers verifiable proof of funds before they submit

• Built-in OFAC screening and KYC on every payout, not bolted on after the fact

• Researcher reputation scoring that actually reflects Web3-specific skills, not just general web security

• Programs go live in under 24 hours with no sales calls or contract negotiations

Ideal Use Cases

• DeFi protocols and DEX aggregators that need ongoing vulnerability disclosure with on-chain payout guarantees

• NFT platforms and GameFi projects running time-sensitive bounty programs during launches

• Cross-chain bridges and infrastructure teams managing high-severity smart contract risk

• Any Web3 protocol that has been told by legal or investors that they need a formal security disclosure program