Updates to the Lisk Bug Bounty Program

Here at Lisk, we take the security of our network with the highest possible priority. As an open-source project, we greatly value our community’s contributions to the mission of building and maintaining a secure network.

With these words we announced the Lisk Bug Bounty program back in November 2018. Today we maintain the same integrity and core values as back then. In fact, we have enhanced them further with our updates to the Lisk DPoS consensus algorithm and the introduction of the Lisk Builders program.

Therefore we are proud to present our latest updates to the Lisk Bug Bounty program today.

By Lisk

06 Apr 2020


New severity categories

From now on, bug bounties are classified into the following categories: 'very low', 'low', 'medium', 'high', and 'very high', with the following remuneration in Swiss francs (CHF), paid in LSK tokens.

[Image: bug bounty payout table]

Focus on Lisk Core

The Lisk Bug Bounty program still focuses solely on Lisk Core releases for the Mainnet and Betanet. Vulnerabilities and bugs currently residing in Lisk Core can most likely also be found within the Lisk SDK, so it is not necessary to place such a high emphasis on the Lisk SDK. Contrary to previous statements, we would like to keep the focus on our backend products until further notice.

More information and bug reports

The Lisk Bug Bounty program is a long-standing initiative; however, it recently fell by the wayside. Therefore we have created a new page on Lisk.io summarizing it for program contributors. In addition, we have created a new user-friendly contact form that makes it very easy for everyone to file a report, as an alternative to using the security@lisk.com email address. If you wish to attach resources or feel more comfortable with email, you can still use the same email address as before. In either case, please continue to use our standard template.


All other previous conditions remain exactly the same. Hence, a report is only eligible if it is clear that the reporter did not abuse the bug on one of the public networks. Furthermore, vulnerabilities or bugs which will be fixed by implementing any of our LIPs are not eligible for remuneration. Please note that, unfortunately, it is still a legal requirement that we receive full, valid KYC information from you.

More information can be found on our new page for the Lisk Bug Bounty program.

We are looking forward to receiving your vulnerability and bug reports!