Paxos Bug Bounty
Maximum reward: 1,000,000 USDG

| Severity | Max. Reward |
|---|---|
| Critical | 1,000,000 USDG |
| High | 250,000 USDG |
| Medium | 25,000 USDG |
| Low | 5,000 USDG |

Deposit required: $20
Findings submitted: 2
Start date: 27 Mar 2026
Paxos builds regulated blockchain and digital asset solutions for global leaders in financial services. Designed for enterprises.
Program Details
This bug bounty program covers two categories:
Smart Contracts: Must be deployed on a mainnet (Ethereum, Solana, or supported L2s) and actively used in a Paxos product (PYUSD, PAXG, USDG, USDP, or cross-chain bridging). Testnet-only or proof-of-concept deployments are not in scope.
Web Interface / API: Only production endpoints listed in scope are eligible. Sandbox environments are included for testing convenience, but findings must be reproducible against the production equivalent to qualify for full rewards.
Nothing in this program, including any reference to potential rewards, constitutes an offer, promise, or guarantee of payment. Paxos may make changes to, suspend, or terminate the program at any time in its sole discretion.
The maximum aggregate payout across all submissions is $2,000,000 USD per year.
Eligibility
To be eligible for a reward, you must:
- Be the first to report a non-public, in-scope vulnerability that was previously unknown to Paxos.
- Provide sufficient information to reproduce and fix the issue.
- Not have exploited the vulnerability in a malicious manner.
- Not have disclosed the vulnerability to third parties prior to receiving permission.
- Comply with all Program rules and applicable laws.
You must also (i) be of legal age in your jurisdiction, (ii) not be located in, organized in, or a resident or national of any jurisdiction subject to comprehensive sanctions or embargoes, and (iii) not be a person or entity identified on any applicable sanctions or restricted party list. Paxos may require you to complete identity verification and sanctions screening prior to any reward payment. Failure to do so will result in no reward being paid. No reward will be paid for vulnerabilities already identified, under active remediation, or resolved by Paxos or its service providers prior to receipt of the report, regardless of whether that prior knowledge was disclosed.
Disclosure Requirements
Please report vulnerabilities directly to the Cantina Platform. Include:
- A clear description of the vulnerability and its impact.
- Steps to reproduce the issue (proof of concept preferred).
- Conditions under which the issue occurs.
- Potential implications if exploited.
Reports should be made as soon as possible, ideally within 24 hours of discovery.
Severity and Rewards
Vulnerabilities are classified by Impact and Likelihood. The combination determines the severity and guides the reward amount.
Risk Classification Matrix
| Severity Level | Impact: Critical | Impact: High | Impact: Medium | Impact: Low |
|---|---|---|---|---|
| Likelihood: High | Critical | High | Medium | Low |
| Likelihood: Medium | High | High | Medium | Low |
| Likelihood: Low | Medium | Medium | Low | Informational |
Impact Definitions
Web3
| Severity | Description | Examples |
|---|---|---|
| Critical | Direct, unconstrained exploitability with irreversible outcomes. No preconditions required. Generally $100M+ in potential losses. | Direct theft of user or protocol funds; permanent freezing of funds requiring a hard fork; unauthorized minting or burning of tokens; complete compromise of owner/admin keys; manipulation of governance vote outcomes; arbitrary code execution or self-destruct on live contracts |
| High | Significant risk with major financial loss or protocol disruption potential. Exploitation typically requires preconditions, sequencing, or timing. | Temporary freezing of funds exceeding 24 hours; theft of unclaimed yield or rewards; price oracle manipulation; flash loan exploits; access control bypass requiring specific state conditions; front-running or sandwich attacks due to missing price protection |
| Medium | Limited but demonstrable risk, exploitable only under constrained conditions or with detailed implementation knowledge. | Temporary freezing of funds under 24 hours; griefing attacks without direct profit motive; DoS rendering contracts inoperable; ERC-20/ERC-721 compliance failures; replay attacks in multi-chain or off-chain contexts; unbounded gas consumption in non-critical paths |
| Low | Minimal or theoretical impact. Primarily affects contract quality rather than security posture. | Significant gas inefficiencies; missing event emissions affecting off-chain indexing; unnecessary exposure of internal state; compiler version or configuration issues; input sanitization gaps with no direct security impact |
| Informational | No direct security risk. Deviations from best practices or specification. | — |
Web2
| Severity | Description | Examples |
|---|---|---|
| Critical | Complete system compromise, mass data exfiltration, or unauthorized control of production infrastructure. Direct and immediate consequence. | RCE on production or signing infrastructure; authentication bypass on administrative or custodial systems; privilege escalation to root or service-account level; exposure of private keys, signing keys, or HSM credentials; complete authorization bypass on fund-movement endpoints; SQLi or SSRF leading to backend exfiltration |
| High | Significant data exposure or service disruption. May require multi-step exploitation or elevated access. | XSS enabling session hijacking; IDOR exposing other users' account data; SSRF with access to internal services; subdomain takeover on authenticated domains; insufficient access controls on internal or admin interfaces; rate-limit bypass enabling brute-force of sensitive endpoints |
| Medium | Moderate impact. Typically requires user interaction or specific preconditions. | CSRF on state-changing actions; DoS via resource exhaustion on non-critical endpoints; session fixation or improper session invalidation; open redirect on authenticated pages; missing security headers on sensitive endpoints; information disclosure of non-sensitive system metadata |
| Low | Minimal direct risk. May indicate areas for improvement in overall security posture. | Verbose error messages exposing stack traces or version info; username/email enumeration via response timing; permissive CORS with no demonstrated impact; outdated dependencies without known exploitable vulnerabilities |
| Informational | Defense-in-depth opportunities or best-practice deviations with no demonstrated exploitability. | — |
In addition to the above definitions, we will also use the Cantina Bug Bounty Severity Classification Framework to determine severity.
Likelihood Definitions
- High: Very easy to exploit or highly incentivized.
- Medium: Exploitation is possible under certain conditions.
- Low: Difficult to exploit or requires very specific conditions.
Prohibited Actions
- No Unauthorized Testing on Production Environments: Do not test vulnerabilities on mainnet or public testnet deployments without prior authorization. Use local test environments or private test setups.
- No Public Disclosure Without Consent: Do not publicly disclose details of any vulnerability in any forum (including blogs, social media, conferences, or repositories) unless and until (i) Paxos has confirmed that the vulnerability has been remediated and (ii) you have received Paxos's prior written consent to such disclosure, including with respect to timing and content.
- No Exploitation or Data Exfiltration: Do not exploit the vulnerability beyond the minimum steps necessary to demonstrate the issue. Do not access private data, engage in social engineering, or disrupt service.
- No Conflict of Interest: Individuals currently or formerly employed by Paxos or external vendors who have tested or who contributed to the development of the affected service, product, code, or contract in the past 6 months are ineligible to participate.
Reward Discretion
- All reward amounts listed represent the maximum possible payout for a given severity level.
- Rewards are granted entirely at the discretion of Paxos.
- Each submission is evaluated individually based on factors including, but not limited to:
  - Severity and exploitability of the vulnerability
  - Quality and completeness of the report
  - Potential real-world impact to users or systems
  - Whether the issue has already been identified or mitigated internally
- Paxos may award less than the stated maximum, or may decline to award a reward altogether, for any submission.
- Submission of a report does not create an entitlement, obligation, or guarantee of payment.
Severity Reclassification
- Paxos reserves the right to reclassify the severity of any reported vulnerability based on its own assessment of impact, likelihood, and exploitability.
- The initial severity assigned by the reporter is treated as a recommendation.
- The final severity determination, and any corresponding reward, is made solely by Paxos after internal review.
Scope of Authorized Activity
- Participation in this program does not grant any right, license, or authorization to access, view, copy, or exfiltrate customer data, personally identifiable information, financial records, transaction histories, wallet balances, KYC/AML records, identity verification data, internal communications, regulatory filings, or any other non-public data belonging to Paxos, its customers, or its partners.
- Participants must not disrupt, degrade, or deny availability of any production service, API, or infrastructure component.
- Testing must be limited to the assets and environments explicitly listed in scope.
- Any activity outside the defined scope is strictly prohibited, including:
  - Attempts to access internal systems
  - Lateral movement
  - Social engineering of Paxos employees
  - Interference with other participants
- Violations may result in immediate disqualification, forfeiture of any pending rewards, and referral for legal action.
If a participant inadvertently accesses out-of-scope data during authorized testing, they must: (i) immediately cease further access; (ii) notify Paxos via Cantina within 24 hours; (iii) not retain, copy, or share the data; and (iv) cooperate with Paxos's investigation. Prompt disclosure will be treated as a mitigating factor.
Program Modifications
- The terms, conditions, scope, and reward structure of this program may be revised, suspended, or terminated at any time at the sole discretion of Paxos.
- Participants are responsible for reviewing the latest version of the program terms before submitting a report.
- Continued participation after changes are posted constitutes acceptance of the updated terms.
Additional Notes
If you discover a vulnerability in any component not explicitly listed but which poses a risk to user funds, user data, or system integrity, you may submit it for consideration. The team will review such submissions on a case-by-case basis.
Other Terms
By submitting a report, you grant Paxos a perpetual, worldwide, irrevocable, royalty-free, fully paid-up, sublicensable license to use, reproduce, modify, distribute, display, and create derivative works from your submission and any related materials for any purpose, including to investigate, remediate, and disclose the vulnerability.

You agree to keep all non-public information you learn about Paxos, its systems, and its customers strictly confidential, and not to disclose any such information except as expressly permitted by Paxos in writing.

Paxos may monitor, log, and retain information relating to testing activity in connection with this program. You should have no expectation of privacy with respect to any interactions with Paxos systems made in connection with this program.

Participation in this program does not create any employment, agency, partnership, or joint venture relationship between you and Paxos. You act solely on your own behalf and at your own risk. By submitting a report, you grant Paxos the rights necessary to investigate, mitigate, and disclose the vulnerability.