# Bug Bounty

**Overview**\
The LSP Bug Bounty Program ("Program") officially launches on 18.Nov.2024. It covers the LSP.Finance codebase and is intended to encourage responsible vulnerability disclosure.\
The scope of the Program is limited to critical and high-severity vulnerabilities, with rewards of up to $500,000. Happy bug hunting!

***

**Scope**\
The Program is limited to vulnerabilities that may result in the loss of user funds.

The following are **out of scope** for the Program:

* Any contracts designated for testing purposes.
* Vulnerabilities in third-party contracts or platforms interacting with LSP.Finance.
* Vulnerabilities already reported or discovered in contracts built by third parties on LSP.Finance.
* Any already-reported vulnerabilities.

Additionally, vulnerabilities contingent upon the following scenarios are also out of scope:

* Frontend (UI) bugs.
* Distributed Denial-of-Service (DDoS) attacks.
* Spamming.
* Phishing.
* Exploits in automated tools (e.g., GitHub Actions, AWS, etc.).
* Compromise or misuse of third-party systems or services.

***

**Rewards**\
Rewards will be allocated based on the severity of the disclosed vulnerabilities and will be evaluated and distributed at the sole discretion of the LSP.Finance team.\
For critical vulnerabilities that lead to the loss of user funds (over 1% or exceeding user-specified slippage tolerance), rewards of up to $500,000 will be granted.\
Rewards for lower-severity vulnerabilities will be determined by the team.\
Additionally, all vulnerabilities disclosed prior to the mainnet launch will be eligible for higher rewards.

***

**Disclosure Requirements**\
Any discovered vulnerabilities or issues must be reported via email to **<security@lsp.finance>**.\
The vulnerability must not be disclosed publicly or to any other person, entity, or email address before LSP.Finance has been notified, has resolved the issue, and has granted permission for public disclosure. Furthermore, disclosure to LSP.Finance must occur within **24 hours** of the vulnerability's discovery.

A detailed vulnerability report increases the likelihood of a reward and may lead to a higher reward amount. Please provide as much information as possible, including:

* Conditions under which the vulnerability can be reproduced.
* Steps to reproduce the vulnerability, or preferably a proof of concept (PoC).
* Potential consequences if the vulnerability is exploited.

Anyone who reports a unique and previously unreported vulnerability resulting in code or configuration changes and who keeps the vulnerability confidential until it has been resolved by our engineers will be publicly acknowledged for their contribution, if they so choose.

***

**Eligibility**\
To be eligible for a reward under this Program, you must:

* Discover a previously unreported, non-public vulnerability that would result in the loss of or lock on funds on LSP.Finance (but not on any third-party platform interacting with LSP.Finance) and that is within the scope of this Program.
* Be the first to disclose the unique vulnerability to **<security@lsp.finance>**, in compliance with the disclosure requirements above. If similar vulnerabilities are reported within the same 24-hour period, rewards will be split at the discretion of LSP.Finance.
* Provide sufficient information to enable our engineers to reproduce and fix the vulnerability.
* Refrain from engaging in any unlawful conduct when disclosing the vulnerability, including through threats, demands, or any other coercive tactics.
* Not exploit the vulnerability in any way, including making it public or obtaining profit (other than a reward under this Program).
* Make a good-faith effort to avoid privacy violations, destruction of data, or interruption or degradation of LSP.Finance services.
* Submit only one vulnerability per report unless chaining vulnerabilities is necessary to demonstrate impact.
* Not submit vulnerabilities caused by the same underlying issue for which a reward has already been paid under this Program.
* Not be a current or former employee, vendor, or contractor of LSP.Finance, or an employee of such vendors or contractors.
* Not be subject to US sanctions or reside in a US-embargoed country.
* Be at least 18 years old, or submit the vulnerability with the consent of a parent or guardian.

***

**Other Terms**\
By submitting your report, you grant LSP.Finance all necessary rights, including intellectual property rights, to validate, mitigate, and disclose the vulnerability. All reward decisions, including eligibility, reward amounts, and payment methods, are made at the sole discretion of LSP.Finance.

The terms and conditions of this Program may be modified at any time.


