Lista DAO

The following vulnerabilities are excluded from the rewards for this bug bounty program:

• Attacks that the reporter has already exploited themselves, leading to damage
• Attacks requiring access to leaked keys/credentials
• Attacks requiring access to privileged addresses (governance, strategist)

Smart Contracts and Blockchain

• Incorrect data supplied by third party oracles
  • Not to exclude oracle manipulation/flash loan attacks
• Basic economic governance attacks (e.g. 51% attack)
• Lack of liquidity
• Best practice critiques
• Sybil attacks
• Centralization risks

Websites

• Theoretical vulnerabilities without any proof or demonstration
• Content spoofing / Text injection issues without any security impact
• Self-XSS (Self Cross-Site Scripting)
• Captcha bypass using OCR
• CSRF with no significant security impact (e.g., logout CSRF, change language, etc.)
• Missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”)
• Server-side information disclosure such as IPs, server names, and most stack traces
• Vulnerabilities used to enumerate or confirm the existence of users or tenants
• Vulnerabilities requiring unlikely user actions or complex user interactions
• URL Redirects (unless combined with another vulnerability to produce a more severe impact)
• Lack of SSL/TLS best practices
• Attacks requiring privileged access from within the organization
• Feature requests or suggestions for best practices
• Internal SSRF (Server-Side Request Forgery)
• Path Traversal without real security impact
• SPF/DKIM/DMARC Configuration Problems
• Clickjacking without sensitive actions
• Issues related to browser-specific behavior that do not pose a security threat
• Denial of Service (DoS) attacks not explicitly allowed in scope
• Vulnerabilities in third-party software or libraries without evidence of impact on our service
• Issues with non-production environments (staging, testing, etc.)

XSS reports are restricted to those that have an impact of prompting a user to sign a transaction or a redirect.

Backend Services

• Missing or misconfigured security headers that do not lead to direct security vulnerabilities
• Information disclosure of non-sensitive data (e.g., stack traces, debug messages)
• Issues related to outdated software versions unless they can be exploited in our context
• Rate-limiting or brute-force attacks on non-critical endpoints
• Vulnerabilities requiring extensive social engineering or phishing
• Any issues that require physical access to our servers or network
• Findings from automated scans without a proof of concept demonstrating security impact
• Low-impact vulnerabilities that require unlikely attack scenarios
• Directory listing on non-sensitive directories
• Server configuration issues without a clear security impact
• Cosmetic issues and text errors

The following activities are prohibited by this bug bounty program:

• Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
• Any testing with pricing oracles or third party smart contracts
• Attempting phishing or other social engineering attacks against our employees and/or customers
• Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
• Any denial of service attacks
• Automated testing of services that generates significant amounts of traffic
• Public disclosure of an unpatched vulnerability in an embargoed bounty