Paxos Bug Bounty

Paxos Bug Bounty

@paxos
Live

Maximum reward

1,000,000 USDG

Severity

Max. Reward

Critical

1,000,000 USDG

High

250,000 USDG

Medium

25,000 USDG

Low

5,000 USDG

Deposit required

$20

Findings submitted

2

Start date

27 Mar 2026

Please sign in as a researcher to join the bounty.

Log in
InstructionsScope

In scope

Core Smart ContractsWeb Interface / Application / Backend

Severity

Min and Max Reward

Critical

Up to 50,000 USDG

High

Up to 15,000 USDG

Medium

Up to 5,000 USDG

Low

Up to 1,000 USDG

In-scope web interfaces, APIs, and services

Production Web Interfaces

Production web UI interfaces

Name
Description
Asset
Dashboard UI (Prod)

The primary Paxos platform for institutional customers, providing access to stablecoin minting/redemption, account management, API credential configuration, and asset movement workflows.

https://dashboard.paxos.com

Account UI (Prod)

The Paxos Wallet UI, a legacy (sunsetting 2026) platform primarily used by individual account holders for stablecoin redemption and PAXG access.

https://account.paxos.com

Admin UI (Prod)

Paxos administrative portal

https://pax-admin.paxos.com

Sandbox Web Interfaces

Sandbox web UI interfaces (customer-accessible)

Name
Description
Asset
Dashboard UI (Sandbox)

The sandbox version of the Paxos Dashboard, allowing developers and customers to test API integrations, mock fiat transfers, and simulate asset movement workflows using test funds before going to production.

https://dashboard.sandbox.paxos.com

Account UI (Sandbox)

The sandbox version of the Wallet UI, providing a test environment for individual account flows like stablecoin redemption in a non-production setting.

https://account.sandbox.paxos.com

Admin UI (Sandbox)

Customer accessible sandbox of Paxos administrative portal

https://pax-admin.sandbox.paxos.com

Production API Endpoints

Production API endpoints

Name
Description
Asset
API (Prod)

Primary Paxos REST API (v2), providing programmatic access to Crypto Brokerage, Trading, Exchange, Stablecoin, Payments, and Settlement products.

https://api.paxos.com

Auth API (Prod)

The authentication API supporting request signing

https://auth-api.paxos.com

OAuth (Prod)

The OAuth 2.0 token endpoint used to authenticate API clients via the client credentials grant flow.

https://oauth.paxos.com

WebSocket (Prod)

The WebSocket API providing real-time streaming data over secure wss:// connections, including Market Data and Execution Data feeds.

https://ws.paxos.com

Sandbox API Endpoints

Sandbox API endpoints (customer-accessible)

Name
Description
Asset
API (Sandbox)

The sandbox version of the Paxos REST API, replicating core v2 functionality with test funds for integration testing.

https://api.sandbox.paxos.com

Auth API (Sandbox)

The sandbox equivalent of the authentication/request-signing API for testing JWS request-signing implementation.

https://auth-api.sandbox.paxos.com

OAuth (Sandbox)

The sandbox OAuth 2.0 token endpoint for obtaining test access tokens for integration development.

https://oauth.sandbox.paxos.com

WebSocket (Sandbox)

The sandbox WebSocket API, streaming simulated market data and execution feeds for testing.

https://ws.sandbox.paxos.com

Production FIX Protocol

Production FIX protocol (stunnel connect)

Name
Description
Asset
{comp_id}.exchange.gfix.prod.itbitprod.com:4198

Production FIX 4.2 gateway for the Paxos/itBit exchange. Institutional clients connect over mTLS on port 4198 to submit/cancel orders, receive execution reports, and stream market data.

{com…4198

TLS verification host (checkHost / certificate CN)

Paxos leaf certificate that your TLS client (or Stunnel checkHost parameter) must verify during the mTLS handshake.

gfix….com

Sandbox FIX Protocol

Sandbox FIX protocol (customer-accessible, stunnel connect)

Name
Description
Asset
{comp_id}.exchange.gfix.sandbox.itbitprod.com:4198

Sandbox FIX 4.2 gateway, mirroring production with test funds for Stunnel/mTLS setup, FIX session validation, and integration certification.

{com…4198

TLS verification host (checkHost / certificate CN)

TLS verification hostname for the sandbox FIX environment, used in Stunnel checkHost or certificate validation logic.

gfix….com

Domain

Main domain

Name
Description
Asset
Main domain

Main Paxos website

https://paxos.com

Out of scope

• Any repo, site, service, product, API, or resource not explicitly listed in the in-scope targets.

• All items listed at https://docs.cantina.xyz/evaluations-and-standards/severity-classifications/bug-bounty-finding-severity#out-of-scope