Bug Bounty
Lombard operates a bug bounty program through Immunefi, the leading blockchain security platform. The program incentivizes security researchers to responsibly disclose vulnerabilities in Lombard’s smart contracts and web applications.
Reward Tiers
Rewards are based on the severity of the discovered vulnerability, assessed according to Immunefi’s classification system.
Smart Contract Vulnerabilities
| Severity | Reward |
|---|---|
| Critical | Up to $250,000 |
| High | $10,000 - $25,000 |
| Medium | $5,000 - $10,000 |
| Low | $1,000 - $5,000 |
Web/App Vulnerabilities
| Severity | Reward |
|---|---|
| Critical | Up to $25,000 |
| High | $5,000 - $10,000 |
| Medium | $2,500 - $5,000 |
| Low | $1,000 - $2,500 |
Contracts in Scope
The following primary contracts are covered by the bug bounty program:
| Contract | Address |
|---|---|
| LBTC Token | 0x8236a87084f8B84306f72007F36F2618A5634494 |
| Consortium Governance | 0xed6D647E2F81E5262101aFf72c4A7bcDcfd780e0 |
| Proxy Upgrade Timelock | 0x055E84e7FE8955E2781010B866f10Ef6E1E77e59 |
For the full and current scope of covered contracts and assets, refer to the Immunefi program page.
How to Submit
1. Discover a vulnerability in a contract or application within scope
2. Document the issue with a clear description, proof of concept, and potential impact assessment
3. Submit through the Immunefi platform — do not disclose publicly
4. Collaborate with the Lombard security team during triage and remediation
5. Receive your reward after the vulnerability is verified and classified
Program Requirements
To be eligible for a reward, submissions must meet the following criteria:
- In scope — The vulnerability must affect a contract or application listed in the program scope
- Original — The issue must not have been previously reported or known
- Reproducible — A clear proof of concept or step-by-step reproduction must be provided
- Responsible disclosure — Findings must be submitted through Immunefi and not disclosed publicly before remediation
- Impact demonstrated — The report must clearly describe the potential impact of the vulnerability
Policies
- No public disclosure — All findings must be reported through Immunefi. Public disclosure before remediation disqualifies the submission
- First reporter — Only the first valid report of a given vulnerability is eligible for a reward
- No exploitation — Researchers must not exploit vulnerabilities on mainnet or cause damage to users or the protocol
- Good faith — The program is intended for security researchers acting in good faith to improve protocol security
- Scope updates — The program scope may be updated as new contracts are deployed; always check the Immunefi page for the current scope
Next Steps
- Immunefi Program Page — View the full scope and submit reports
- Audits — Review completed third-party security audits
- Security Model — Understand Lombard’s full defense-in-depth architecture