Livepeer runs an active bug bounty programme on Immunefi, the leading web3 bug bounty platform. The programme rewards security researchers who responsibly disclose vulnerabilities in Livepeer’s smart contracts. Payouts are made in USDC on Ethereum, and KYC is required for all reward claims.

Livepeer Bug Bounty on Immunefi

The authoritative source for scope, reward tiers, rules, and submission instructions.

Programme Overview


Severity Levels and Rewards

Rewards are distributed according to the Immunefi Vulnerability Severity Classification System (V2.2), a five-level scale covering both the consequence of exploitation and the likelihood of a successful attack.

Focus Areas

The programme focuses on preventing:
  • Direct theft of user funds (at-rest or in-motion, excluding unclaimed yield)
  • Unexpected calls to privileged functions (for example, functions that should only be callable by the Governor contract)
  • Any condition that results in permanent freezing of user funds

Scope

The programme covers Livepeer’s deployed smart contracts on Ethereum and Arbitrum. See the full scope listing on Immunefi for the definitive list of in-scope assets and contract addresses.

Out of Scope

The following are explicitly excluded:
  • Testing on mainnet or public testnet deployed code — all testing must be done on local forks
  • Testing with pricing oracles or third-party smart contracts
  • Phishing or social engineering attacks against employees or customers
  • Testing with third-party systems, browser extensions, or SSO providers
  • Denial of service attacks against project assets
  • Automated testing that generates high traffic
  • Public disclosure of an unpatched vulnerability before it has been resolved

How to Submit a Report

1. Reproduce and document the vulnerability

Ensure you have a working proof of concept on a local fork of mainnet or testnet. Document the attack vector, impact, and reproduction steps.

2. Submit via Immunefi

Submit your report through the Livepeer programme page on Immunefi. Do not disclose the vulnerability publicly before it has been resolved.

3. Complete KYC

On confirmation of a valid report, you will be asked to complete KYC verification via an external service before payment is released. You will need government-issued photo ID.

4. Receive your reward

Valid rewards are paid in USDC on Ethereum. Payout amounts are handled directly by the Livepeer team and are denominated in USD.

Public disclosure of an unpatched vulnerability is a violation of the programme rules and will disqualify a submission from receiving a reward. Always report privately first.

Recent Programme Activity

The Livepeer bug bounty programme has been actively used. Recent examples include:
  • March 2024 — A protocol bug was fixed after a responsible disclosure through Immunefi. The fix addressed a potential griefing attack that would have allowed a bad actor to prevent a delegating token holder from accessing their rewards.
  • October 2024 — A critical-level bounty was paid after disclosure of a vulnerability that could have allowed a bad actor to drain ETH from the Minter contract via successive steps across multiple rounds.
  • August 2025 — A critical-level bounty was paid after disclosure of a vulnerability that could have allowed a bad actor to claim more ETH fees than intended through successive steps across multiple rounds.

In all cases, no user funds were at risk at the time of patching and no exploits were observed on the network.

Last modified on March 16, 2026