Paxos (the "Company") is focused on providing a secure platform. The Company
encourages responsible disclosure of security vulnerabilities via our bug
To recognize the efforts of hackers disclosing these issues responsibly, the
Company will offer a bounty for reporting qualifying security vulnerabilities.
Please review the following program rules before reporting a vulnerability. By
participating in this program, participants agree to be bound by these rules.
Paxos will make a best effort to meet the following response targets:
- Time to first response (from report submit) - 5 business days
- Time to triage (from report submit) - 10 business days
- Time to bounty (from triage) - 10 business days
- As this is a private program, do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
- Follow HackerOne's disclosure guidelines.
- Provide detailed reports with reproducible steps. If the report is not detailed enough to enable the Company to reproduce the issue, the issue will not be eligible for a reward.
- Submit one vulnerability per report, unless it is relevant to chain vulnerabilities in order to provide impact.
- When duplicates occur, the Company will only award the first report that was received (provided that it can be fully reproduced).
- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
- Social engineering (e.g. phishing, vishing, smishing) is prohibited.
- Any attempts to breach physical security controls of Company offices or datacenters are prohibited.
- Avoid privacy violations, destruction of data, and interruption or degradation of the service.
- Only interact with accounts you own or with explicit permission of the account holder.
- Participants must comply with all applicable laws in connection with participation in this program.
- Participants will be responsible for any applicable taxes associated with any reward received.
- The Company may modify the terms of this program or terminate this program at any time. Changes to program terms will not be applied retroactively.
As a guideline, rewards will be based on severity as per the Common Vulnerability
Scoring Standard (CVSS). Final reward decisions will be at the discretion of
Severity (CVSS score) | Bounty
Critical (9.0 - 10.0) | $7,500
High (7.0 - 8.9) | $3,000
Medium (4.0 - 6.9) | $1,000
Low (0.1 - | $300
Out of scope vulnerabilities
When reporting vulnerabilities, please consider (1) the attack scenario /
exploitability and (2) security impact of the bug.
The following issues will be considered out of scope:
- Clickjacking on pages with no sensitive actions
- Unauthenticated/logout/login CSRF
- Attacks requiring MITM or physical access to a user's device
- Previously known vulnerable libraries without a working Proof of Concept
- Comma Separated Values (CSV) injection without demonstrating a vulnerability
- Missing best practices in SSL/TLS configuration
- Any activity that could lead to the disruption of our service (DoS)
- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS
- Email related attacks including spoofing or issues related to SPF, DKIM or DMARC
- Password and/or account recovery policies (e.g., reset link expiration, password complexity)
- Missing security headers which do not lead directly to a vulnerability
- Issues related to software or protocols not under Company control
- Reports from automated tools or scans
- Vulnerabilities affecting users of outdated browsers or platforms
Activities conducted in a manner consistent with this policy will be
considered authorized conduct and the Company will not initiate legal action
against participants. If legal action is initiated by a third party against a
participant in connection with activities conducted under this policy, the
Company will take steps to make it known that the participant's actions were
conducted in compliance with this policy.