# Bug Bounty

## Program Overview

Severity levels are classified according to the [Immunefi Vulnerability Severity Classification System](https://immunefi.com/severity-updated/). Note that these levels are only suggestions, and each bug bounty submission will be assessed individually.

## Invalid Bug Bounties

The following are not covered by the bug bounty program:

* Incidents where the reporter has caused harm by exploiting the vulnerability themselves.
* Vulnerabilities that can only be exploited by utilizing leaked keys or credentials.
* Vulnerabilities that require access to privileged addresses such as governance or admin addresses.
* Issues caused by incorrect data supplied by external oracles (however, oracle manipulation or flash loan attacks are still in scope).
* Situations where there is a lack of liquidity.
* Errors made by third-party off-chain bots (e.g. bugs in an arbitrage bot running on the smart contracts).
* Suggestions for best practice or critiques.
* Sybil attacks.
