BUG BOUNTIES
Livepeer runs an active bug bounty programme on Immunefi, the leading web3 bug bounty platform. The programme rewards security researchers who responsibly disclose vulnerabilities in Livepeer’s smart contracts. Payouts are made in USDC on Ethereum, and KYC is required for all reward claims.

Livepeer Bug Bounty on Immunefi

The authoritative source for scope, reward tiers, rules, and submission instructions.


Programme Overview

  • Scope: Smart contracts only. The programme does not currently cover websites, apps, or off-chain infrastructure.
  • Rewards: Paid in USDC on Ethereum, denominated in USD.
  • KYC: Required for all reporters claiming a reward. You will need to provide visual proof of identity.
  • Proof of Concept: Required for all severity levels. Submissions without a PoC will not be considered.
  • Triage: Since early 2025, the Immunefi triage pipeline has been operated by the Protocol R&D SPE (Sidestream), which processes incoming reports and ensures response-readiness.


Severity Levels and Rewards

Rewards are distributed according to the Immunefi Vulnerability Severity Classification System (V2.2), a five-level scale covering both the consequence of exploitation and the likelihood of a successful attack.
Critical
Rewards are capped at 10% of the economic damage caused, with the primary focus on possible loss of funds for Orchestrators, Delegators, and Broadcasters at the smart contract level. If there is a repeatable attack, only the first attack is considered unless further attacks cannot be mitigated via an upgrade or pause.
High
Rewards for High severity vulnerabilities depend on the amount of unclaimed yield at risk and how long funds could be frozen.

Focus Areas

The programme focuses on preventing:
  • Direct theft of user funds (at-rest or in-motion, excluding unclaimed yield)
  • Unexpected calls to privileged functions (for example, functions that should only be callable by the Governor contract)
  • Any condition that results in permanent freezing of user funds


Scope

The programme covers Livepeer’s deployed smart contracts on Ethereum and Arbitrum. See the full scope listing on Immunefi for the definitive list of in-scope assets and contract addresses.

Out of Scope

The following are explicitly excluded:
  • Testing on mainnet or public testnet deployed code — all testing must be done on local forks
  • Testing with pricing oracles or third-party smart contracts
  • Phishing or social engineering attacks against employees or customers
  • Testing with third-party systems, browser extensions, or SSO providers
  • Denial of service attacks against project assets
  • Automated testing that generates significant traffic
  • Public disclosure of an unpatched vulnerability before it has been resolved


How to Submit a Report

1. Reproduce and document the vulnerability
   Ensure you have a working proof of concept on a local fork of mainnet or testnet. Document the attack vector, impact, and reproduction steps clearly.

2. Submit via Immunefi
   Submit your report through the Livepeer programme page on Immunefi. Do not disclose the vulnerability publicly before it has been resolved.

3. Complete KYC
   On confirmation of a valid report, you will be asked to complete KYC verification via an external service before payment is released. You will need government-issued photo ID.

4. Receive your reward
   Valid rewards are paid in USDC on Ethereum. Payout amounts are handled directly by the Livepeer team and are denominated in USD.

Public disclosure of an unpatched vulnerability is a violation of the programme rules and will disqualify a submission from receiving a reward. Always report privately first.


Recent Programme Activity

The Livepeer bug bounty programme has been actively used. Recent examples include:
  • March 2024 — A protocol bug was fixed after a responsible disclosure through Immunefi. The vulnerability addressed a potential griefing attack allowing a bad actor to prevent a delegating token holder from accessing their rewards.
  • October 2024 — A critical-level bounty was paid after disclosure of a vulnerability that could have allowed a bad actor to drain ETH from the Minter contract via successive steps across multiple rounds.
  • August 2025 — A critical-level bounty was paid after disclosure of a vulnerability that could have allowed a bad actor to claim more ETH fees than intended through successive steps across multiple rounds.
In all cases, no user funds were at risk at the time of patching and no exploits were observed on the network.
Last modified on March 3, 2026