
Paxos (the "Company") is focused on providing a secure platform. The Company encourages responsible disclosure of security vulnerabilities via our bug bounty program.

To recognize the efforts of hackers disclosing these issues responsibly, the Company will offer a bounty for reporting qualifying security vulnerabilities. Please review the following program rules before reporting a vulnerability. By participating in this program, participants agree to be bound by these rules.

Response Targets

Paxos will make a best effort to meet the following response targets:

  • Time to first response (from report submit) - 5 business days
  • Time to triage (from report submit) - 10 business days
  • Time to bounty (from triage) - 10 business days

Disclosure Policy

  • As this is a private program, do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
  • Follow HackerOne's disclosure guidelines.

Program Rules

  • Provide detailed reports with reproducible steps. If the report is not detailed enough to enable the Company to reproduce the issue, the issue will not be eligible for a reward.
  • Submit one vulnerability per report, unless chaining several vulnerabilities is necessary to demonstrate impact.
  • When duplicates occur, the Company will only award the first report that was received (provided that it can be fully reproduced).
  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.
  • Any attempts to breach physical security controls of Company offices or datacenters are prohibited.
  • Avoid privacy violations, destruction of data, and interruption or degradation of the service.
  • Only interact with accounts you own or with explicit permission of the account holder.
  • Participants must comply with all applicable laws in connection with participation in this program.
  • Participants will be responsible for any applicable taxes associated with any reward received.
  • The Company may modify the terms of this program or terminate this program at any time. Changes to program terms will not be applied retroactively.


As a guideline, rewards will be based on severity as per the Common Vulnerability Scoring Standard (CVSS). Final reward decisions will be at the discretion of Paxos.

Severity (CVSS score) | Reward
Critical (9.0 - 10.0) | $7,500
High (7.0 - 8.9) | $3,000
Medium (4.0 - 6.9) | $1,000
Low (0.1 - 3.9) | $300

Out of scope vulnerabilities

When reporting vulnerabilities, please consider (1) the attack scenario / exploitability and (2) the security impact of the bug.

The following issues will be considered out of scope:

  • Clickjacking on pages with no sensitive actions
  • Unauthenticated/logout/login CSRF
  • Attacks requiring MITM or physical access to a user's device
  • Previously known vulnerable libraries without a working Proof of Concept
  • Comma Separated Values (CSV) injection without demonstrating a vulnerability
  • Missing best practices in SSL/TLS configuration
  • Any activity that could lead to the disruption of our service (DoS)
  • Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS
  • Email related attacks including spoofing or issues related to SPF, DKIM or DMARC
  • Password and/or account recovery policies (e.g., reset link expiration, password complexity)
  • Missing security headers which do not lead directly to a vulnerability
  • Issues related to software or protocols not under Company control
  • Reports from automated tools or scans
  • Vulnerabilities affecting users of outdated browsers or platforms

Safe Harbor

Activities conducted in a manner consistent with this policy will be considered authorized conduct and the Company will not initiate legal action against participants. If legal action is initiated by a third party against a participant in connection with activities conducted under this policy, the Company will take steps to make it known that the participant's actions were conducted in compliance with this policy.

FireBounty © 2015-2019