SECURITY

SECURITY

Last updated JULY 8, 2026

Last updated JULY 8, 2026

TERMS OF SERVICE

Last updated DECEMBER 29, 2025


Security / Vulnerability Disclosure Policy


Security at Lighter

Security is foundational to Lighter. We welcome responsible disclosures from security researchers, auditors, protocol engineers, and members of the broader crypto community who help us identify and remediate vulnerabilities affecting our web properties, mobile applications, APIs, and supporting infrastructure.

If you believe you have discovered a security vulnerability in a Lighter-operated asset, please report it to us responsibly.


Contact

Please send vulnerability reports to security@lighter.xyz.

For sensitive reports, we strongly encourage the use of PGP encryption. Our public key is available at:

https://lighter.xyz/pgp-key.asc


Fingerprint

7ED6 273D 6D47 1E01 83B1 D844 7D19 A194 214C 3881


If your report contains highly sensitive information, please encrypt it using the key above.


What to include

To help us triage and investigate efficiently, please include:

  • A clear description of the issue

  • The affected asset, component, flow, or endpoint

  • Steps to reproduce

  • Proof of concept, screenshots, logs, or sample requests where helpful

  • The potential impact

  • Any relevant assumptions, wallet state, account state, or environment details

  • If applicable, the affected API route, auth flow, signing flow, mobile flow, or transaction flow

The best reports are specific, reproducible, and limited to the minimum necessary to demonstrate the issue safely.


In scope

This policy applies to security vulnerabilities affecting Lighter-operated properties, including:


Examples of issues that may be in scope

Depending on severity and exploitability, in-scope reports may include:

  • Authentication or authorization bypass

  • Account takeover

  • Broken access control

  • Sensitive data exposure

  • API authentication flaws

  • Broken object-level authorization / IDOR

  • Session or token handling vulnerabilities

  • Signature verification or signing-flow issues

  • Replay or nonce-related issues

  • Privilege escalation

  • Mobile app vulnerabilities affecting auth, user data, or funds

  • Infrastructure misconfigurations exposing internal systems, secrets, or privileged access

  • Vulnerabilities that could impact user assets, trade integrity, account security, or platform trust


Out of scope

The following are generally out of scope unless accompanied by a clear, material security impact:

  • Missing headers or best-practice recommendations without demonstrated exploitability

  • Version disclosure or banner disclosure

  • Low-impact clickjacking

  • Reports based only on missing rate limits without demonstrated abuse impact

  • Self-XSS requiring unrealistic user interaction

  • Issues that require a rooted or jailbroken device without meaningful real-world impact

  • Reports based solely on third-party CVEs without a demonstrated exploit path in a Lighter-operated asset

  • Social engineering, phishing, or impersonation attacks

  • Physical attacks

  • Denial-of-service, traffic flooding, or resource exhaustion testing

  • Spam or automated scanner output without a validated vulnerability

  • Vulnerabilities in third-party services, wallets, SDKs, exchanges, infra providers, or dependencies not operated by Lighter

  • Findings that require access to another user's seed phrase, private keys, device, email, or credentials


Researcher expectations

We ask that you:

  • Act in good faith

  • Avoid harming users, markets, or platform integrity

  • Avoid accessing, altering, or exfiltrating data that does not belong to you

  • Avoid actions that could impact user funds, order flow, balances, or account state beyond the minimum necessary to demonstrate the issue

  • Avoid exploiting vulnerabilities for profit, trading advantage, liquidation advantage, or market manipulation

  • Avoid disclosing the issue publicly before we have had a reasonable opportunity to investigate and remediate it

  • Limit testing to accounts, wallets, devices, and assets you own or are explicitly authorized to use

If you are unsure whether a testing approach is acceptable, contact us first.


Safe harbor

If you act in good faith, follow this policy, avoid privacy violations and service disruption, and give us a reasonable opportunity to investigate and remediate the issue, Lighter will not pursue legal action against you for your research.

This safe harbor applies only to activity consistent with this policy. It does not extend to conduct that:

  • Harms users

  • Risks or compromises user funds

  • Intentionally degrades platform availability

  • Violates applicable law

  • Involves extortion, ransom demands, or premature public disclosure intended to pressure resolution


Disclosure process

When you submit a report, we aim to:

  • Acknowledge receipt within 72 hours

  • Triage and assess the issue

  • Request additional details if needed

  • Work toward remediation as quickly as possible based on severity and complexity

  • Notify you when the issue has been resolved or materially mitigated, where appropriate

Resolution timelines may vary depending on technical complexity, release timing, and operational considerations.


Rewards

Lighter does not currently operate a public bug bounty program unless explicitly announced otherwise.

However, we may, at our sole discretion, offer:

  • Monetary rewards

  • Swag

  • Public thanks

  • Researcher recognition

Any reward decision depends on factors including severity, report quality, originality, and user impact.


Coordinated disclosure

We value coordinated disclosure. Please do not publish details of a vulnerability until we have had a reasonable opportunity to investigate and address it.

If you would like public credit after remediation, please let us know in your report.

To report a vulnerability, contact security@lighter.xyz.