Paxos Launches a $1M Bug Bounty Program on Cantina
Jenn Shaw

Today we’re launching the public Paxos Bug Bounty Program. We’re excited to formalize our program with one of the leaders in Web3-focused bounty platforms, Cantina.
Paxos has always had robust programs around design and code reviews, third-party audits, penetration tests and red teaming. Bug bounties create an additional platform through which researchers who identify an edge case can be rewarded for their findings.
This program shows our dedication to security and delivers on a commitment we made to Aave, LlamaRisk and the community at large when USDG launched on Aave v3.
Up to $1M paid in USDG for critical findings
We set the top bounty at $1,000,000 paid in USDG because we want the incentives to match the value at stake. If a researcher uncovers something high impact and critical to the security of our infrastructure, the responsible disclosure is worth a reward. The program is not a formality, and we want the best researchers in the world going deep.
The program covers both Web2 and Web3 targets. On the smart contract side, all of our major contracts are in scope, including USDG, PYUSD, PAXG and those that power the underlying infrastructure like cross-chain movements. On the Web2 side, we’re including our public products and services, APIs and domains. It was important to us to scope this program widely to reflect what attackers target and how they move.
For the first few months, the program is invitation-only, open to researchers already active in the Cantina network. We chose Cantina for their Web3-native focus and a researcher community with the niche expertise to assess our contracts and services holistically, with context for our unique threat surface.
Security researchers interested in joining, or in reporting vulnerabilities, whether or not they are exploitable, can request access through the program page.
Paxos is growing its security team. If you're interested in building from the inside, explore open roles here.
