Updates to the Lisk Bug Bounty Program

Here at Lisk, we take the security of our network with the highest possible priority. As an open-source project, we greatly value our community’s contributions to the mission of building and maintaining a secure network.

With these words we announced the Lisk Bug Bounty program back in November 2018. Today we maintain just the same integrity and core values as back then. In fact we have further enhanced them even more with our updates to the Lisk DPoS consensus algorithm, and the introduction of the Lisk Builders program.

Therefore we are proud to present our latest updates to the Lisk Bug Bounty program today.

By Lisk

06 Apr 2020


New severity categories

From now on bug bounties are classified in the following categories: 'very low', 'low', 'medium', 'high', and 'very high' with the following remuneration in Swiss franc (CHF) paid in LSK tokens.


Focus on Lisk Core

The Lisk Bug Bounty program is still solely focusing on Lisk Core releases for the Mainnet and Betanet. Vulnerabilities and bugs currently residing in Lisk Core can most likely also be found within the Lisk SDK, therefore it is not necessary to place such a high emphasis on the Lisk SDK. Contrary to previous statements, we would like to keep the focus on our backend products until further notice.

More information and bug reports

The Lisk Bug Bounty program is a long standing initiative, however it recently fell by the wayside. Therefore we have created a new page on Lisk.io summarizing it for program contributors. In addition, we have also created a new user friendly contact form making it very easy for everyone to file a report, as an alternative to using the security@lisk.com email address. Nevertheless, if you wish to attach resources or feel more comfortable with email, you can still use the same email address as before. However, please continue to use our standard template.


All the other previous conditions remain exactly the same. Hence, a report is only eligible if it is clear that the reporter did not abuse this bug on one of the public networks. Furthermore, vulnerabilities or bugs which will be fixed by implementing any of our LIPs are not eligible for a remuneration. Please note that unfortunately it is still a legal requirement that we receive full valid KYC information from you.

More information can be found on our new page for the Lisk Bug Bounty program.

We are looking forward to receiving your vulnerability and bug reports!