Security: LIT-Protocol/Node

SECURITY.md

Lit Protocol Bug Bounty and Reporting Program Security Policy

I. Introduction

Lit Protocol is a decentralized key management protocol designed to provide secure, reliable, and efficient services to its users. The Lit Node plays a critical role in offering these services, and we are dedicated to ensuring its security and robustness. To this end, we have established a Bug Bounty and Reporting Program to incentivize the discovery and reporting of vulnerabilities in our system.

This Security Policy outlines the rules and procedures for participating in the Lit Protocol Bug Bounty and Reporting Program. By participating, you agree to adhere to these rules and accept the terms and conditions herein.

II. Scope

The Bug Bounty and Reporting Program covers the Lit Node, including all software, services, and technologies related to it. The program focuses on vulnerabilities that may compromise the security, integrity, or availability of the Lit Protocol.

Examples of vulnerabilities in scope include, but are not limited to:

  • Authentication or authorization flaws
  • Cryptographic weaknesses
  • Remote code execution
  • Denial of service (DoS) attacks or resource exhaustion
  • Injection attacks (e.g., SQL, command, or code injection)

III. Eligibility

To be eligible for the Bug Bounty and Reporting Program, you must:

  • Be at least 18 years old or the age of majority in your jurisdiction.
  • Report the vulnerability in accordance with the Reporting Procedures outlined in Section V.
  • Not be an employee, contractor, or affiliated party of Lit Protocol or its subsidiaries.
  • Not exploit, disclose, or use the vulnerability for any purpose other than reporting it to us.

IV. Exclusions

The following actions and vulnerabilities are out of scope and ineligible for the Bug Bounty and Reporting Program:

  • Social engineering attacks, including phishing or pretexting.
  • Physical attacks or attempts to gain unauthorized access to infrastructure, property, or devices.
  • Vulnerabilities in third-party software, services, or components not maintained by Lit Protocol.
  • Vulnerabilities already known to Lit Protocol or previously reported by someone else.
  • Spam, distributed denial of service (DDoS) attacks, or other malicious activities.

V. Reporting Procedures

To report a vulnerability, follow these steps:

  • Send an email to [email protected] with the subject line "Bug Bounty Submission."
  • Provide a clear and concise description of the vulnerability, including the affected component(s), steps to reproduce, potential impact, and suggested mitigation or remediation.
  • Include any relevant proof-of-concept (PoC) code, screenshots, logs, or other supporting evidence.
  • Provide your contact information, including your name, email address, and any applicable social media or professional profiles.

VI. Rewards

Lit Protocol offers monetary rewards for valid vulnerability reports, based on the severity and impact of the issue. Our security team will assess each submission and determine the reward.

VII. Confidentiality and Non-Disclosure

By participating in the Bug Bounty and Reporting Program, you agree to keep all information related to the vulnerability confidential and not disclose any details without our prior written consent. Lit Protocol may choose to publicly acknowledge your contribution, but will only do so with your permission.

VIII. Legal

Participation in the Bug Bounty and Reporting Program does not grant you any rights or licenses related to the Lit Protocol or its intellectual property. You agree to comply with all applicable laws and regulations while participating in the program. You also agree not to engage in any illegal or unethical activities.

By submitting a vulnerability, you represent and warrant that your submission is your original work and that you have not violated any third-party rights, including copyright, trademark, trade secret, or privacy rights.

Lit Protocol reserves the right to modify or terminate the Bug Bounty and Reporting Program at any time, at its sole discretion. Any disputes arising from the program shall be governed by the laws of the jurisdiction in which Lit Protocol is incorporated and shall be resolved through binding arbitration.

IX. Responsible Disclosure

Lit Protocol is committed to addressing any reported vulnerabilities in a timely manner. We ask that you provide us with a reasonable amount of time to address the issue before disclosing it publicly. We will work closely with you to keep you informed of our progress and ensure a coordinated disclosure.

X. Contact

If you have any questions or concerns about the Lit Protocol Bug Bounty and Reporting Program, please contact us at [email protected].

By participating in the Lit Protocol Bug Bounty and Reporting Program, you acknowledge that you have read, understood, and agreed to the terms and conditions set forth in this Security Policy. We appreciate your contribution to the security and integrity of the Lit Protocol and look forward to working together to make our system safer and more reliable for our users.