Pyth Bounty

Fashion choices aren’t typically part of our job descriptions.
But, here’s a big exception.

CALLING ALL WHITE HATS.

Help Pyth protect real-time on-chain market data (and get a very big bug bounty - like, $1 million USDC big). Keep scrolling to learn all about the details.

submit a bug

Alright, let’s talk about the bounty.

Payout Structure

Critical
Up to $1,000,000
High
Up to $100,000

What’s in-scope versus out-of-scope?

Out-of-Scope Assets

Attacks that the reporter has already exploited themselves, leading to damage

Pyth is an open-source project with open development. We welcome feedback and PRs on features that are in development. Code that has not been deployed is generally out-of-scope.

Reports regarding bugs that the Pyth project was previously aware of are not eligible for a reward

The following person(s) are ineligible to receive bug bounty payout rewards: Staff, Auditors, Contractors, persons in possession of privileged information, and all associated parties

Now, let’s talk about what’s required for submission.

All reports must come with sufficient explanation and data to easily reproduce the bug, e.g. through a proof-of-concept.

All rewards are decided on a case-by-case basis, taking into account the exploitability of the bug, the impact it causes, and the likelihood of the vulnerability presenting itself if it is nondeterministic or some of the conditions are not present at the time. The rewards presented in the payout structure above are the maximum rewards and there are no minimum rewards.

Rewards for bugs in dependencies and third-party code are at the discretion of the Pyth team and will be based on the impact demonstrated on Pyth. If the dependency has its own bug bounty program, you are expected to report the issue to the relevant bug bounty program. If the dependency doesn’t have its own bug bounty program, any reward will be at the full discretion of the Pyth Data Association.

And what activities are prohibited…

Any testing with mainnet or public testnets; all testing should be done on private nets

Public disclosure of a vulnerability before an embargo has been lifted

Any testing on Mainnet with third party smart contracts or infrastructure and websites

Attempting phishing or other social engineering attacks against our employees and/or customers

Any denial of service attacks

Automated testing of services that generates significant amounts of traffic

Any activity that violates any law or disrupts or compromises any data or property that is not your own.

Some bug examples organized by severity…

Critical

High

And lastly, a bit of fine print…

Pyth Data Association will maintain full discretion of the payouts for vulnerabilities. We do encourage bug reporters to submit issues outside of the above-mentioned payout structure, though we want to be clear that we’ll exercise discretion on a case-by-case basis -- whether an issue warrants a payout and what that ultimate payout may be.

Additionally, for a bug report to be paid, we do require the bug reporter to comply with our KYC requirements.

This includes the following:

Wallet address where you’ll receive payment

Proof of address (either a redacted bank statement with your address or a recent utility bill with your name, address, and issuer of the bill)

If you are a U.S. person, please send us a filled-out and signed W-9

If you are not a U.S. person, please send us a filled-out and signed W-8BEN

Copy of your passport will be required.

These details will only be required upon determining that a bug report will be rewarded and such details will remain strictly confidential within need-to-know individuals (basically, only individuals required to verify KYC and process the payment).

And that’s it! Happy hunting!

submit a bug