# Bug Bounty

## Program Overview

The classification of severity levels is determined by [Immunefi Vulnerability Severity Classification System](https://immunefi.com/severity-updated/). It is important to note that these levels are merely suggestions and each bug bounty submission will be individually assessed.

## Invalid Bug Bounties

The following are not covered by the bug bounty program:

* Incidents where the reporter has caused harm by exploiting the vulnerability themselves.
* Vulnerabilities that can only be exploited by utilizing leaked keys or credentials.
* Vulnerabilities that require access to privileged addresses such as governance or admin addresses.
* Issues caused by incorrect data supplied by external oracles (however, oracle manipulation or flash loan attacks are still in scope)
* Situations where there is a lack of liquidity.
* Errors made by third-party off-chain bots (e.g. bugs in an arbitrage bot running on the smart contracts)
* Suggestions for best practice or critiques.
* Sybil attacks.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://whitepaper.opz.io/misc/bug-bounty.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.