Bug Bounty
Overview
The LSP Bug Bounty Program ("Program") officially launches on 18.Nov.2024 and targets the LSP.Finance codebase to encourage responsible vulnerability disclosure. The scope of the Program is limited to critical and high-severity vulnerabilities, with rewards of up to $500,000. Happy bug hunting!
Scope
The Program is limited to vulnerabilities that may result in the loss of user funds.
The following are out of scope for the Program:
Any contracts designated for testing purposes.
Vulnerabilities in third-party contracts or platforms interacting with LSP.Finance.
Vulnerabilities already reported or discovered in contracts built by third parties on LSP.Finance.
Any already-reported vulnerabilities.
Additionally, vulnerabilities contingent upon the following scenarios are also out of scope:
Frontend (UI) bugs.
Distributed Denial-of-Service (DDoS) attacks.
Spamming.
Phishing.
Exploits in automated tools (e.g., GitHub Actions, AWS, etc.).
Compromise or misuse of third-party systems or services.
Rewards
Rewards will be allocated based on the severity of the disclosed vulnerabilities and will be evaluated and distributed at the sole discretion of the LSP.Finance team. For critical vulnerabilities that lead to the loss of user funds (over 1% or exceeding user-specified slippage tolerance), rewards of up to $500,000 will be granted. Rewards for lower-severity vulnerabilities will be determined by the team. Additionally, all vulnerabilities disclosed prior to the mainnet launch will be eligible for higher rewards.
Disclosure Requirements
Any discovered vulnerabilities or issues must be reported via email to security@lsp.finance. The vulnerability must not be disclosed publicly or to any other person, entity, or email address before LSP.Finance has been notified, has resolved the issue, and has granted permission for public disclosure. Furthermore, disclosure must occur within 24 hours of the vulnerability's discovery.
A detailed vulnerability report increases the likelihood of a reward and may lead to a higher reward amount. Please provide as much information as possible, including:
Conditions under which the vulnerability can be reproduced.
Steps to reproduce the vulnerability, or preferably a proof of concept (PoC).
Potential consequences if the vulnerability is exploited.
Anyone who reports a unique and previously unreported vulnerability resulting in code or configuration changes and who keeps the vulnerability confidential until it has been resolved by our engineers will be publicly acknowledged for their contribution, if they so choose.
Eligibility
To be eligible for a reward under this Program, you must:
Discover a previously unreported, non-public vulnerability that would result in the loss of or lock on funds on LSP.Finance (but not on any third-party platform interacting with LSP.Finance) and that is within the scope of this Program.
Be the first to disclose the unique vulnerability to security@lsp.finance, in compliance with the disclosure requirements above. If similar vulnerabilities are reported within the same 24-hour period, rewards will be split at the discretion of LSP.Finance.
Provide sufficient information to enable our engineers to reproduce and fix the vulnerability.
Refrain from engaging in any unlawful conduct when disclosing the vulnerability, including through threats, demands, or any other coercive tactics.
Not exploit the vulnerability in any way, including making it public or obtaining profit (other than a reward under this Program).
Make a good-faith effort to avoid privacy violations, destruction of data, or interruption or degradation of LSP.Finance services.
Submit only one vulnerability per report unless chaining vulnerabilities is necessary to demonstrate impact.
Not submit vulnerabilities caused by the same underlying issue for which a reward has already been paid under this Program.
Not be a current or former employee, vendor, or contractor of LSP.Finance, or an employee of such vendors or contractors.
Not be subject to US sanctions or reside in a US-embargoed country.
Be at least 18 years old, or submit the vulnerability with the consent of a parent or guardian.
Other Terms
By submitting your report, you grant LSP.Finance all necessary rights, including intellectual property rights, to validate, mitigate, and disclose the vulnerability. All reward decisions, including eligibility, reward amounts, and payment methods, are made at the sole discretion of LSP.Finance.
The terms and conditions of this Program may be modified at any time.