The following code repositories are subject to the Sablier Bug Bounty Program (the “Program”) to incentivize responsible disclosure of vulnerabilities:

1. https://github.com/sablier-labs/airdrops/
2. https://github.com/sablier-labs/flow/
3. https://github.com/sablier-labs/lockup

Rewards

Rewards will be allocated based on the severity and impact of the disclosed bug after a thorough assessment by the Sablier team. For critical bugs that lead to significant unauthorized fund transfers, rewards of up to $100,000 will be granted. Lower severity bugs may receive nominal rewards or none at all, as determined by the Sablier Labs team.

Scope

This Program covers bugs of critical or high severity that could lead to the unauthorized transfer or loss of funds from the Sablier smart contracts.

The Program does NOT cover the following:

• Code outside the src directories.
• External code in node_modules, except code explicitly used by a deployed contract from src.
• Deployments on test networks.
• Bugs in third-party contracts or platforms interacting with the Sablier Protocol.
• Bugs that have already been reported.

Similarly, vulnerabilities contingent upon the occurrence of any of the following are also out-of-scope:

• Front-end bugs (e.g., clickjacking) and and related social engineering attacks.
• DNS configuration records.
• DDoS attacks, spamming, or phishing.