Pyth Bounty

Fashion choices aren’t typically part of our job descriptions.
But here’s a big exception.

CALLING ALL WHITE HATS.

Help Pyth protect real-time on-chain market data (and get a very big bug bounty - like, $500,000 USDC big). Keep scrolling to learn all about the details.


Alright, let’s talk about the bounty.

Payout Structure

Critical: Up to $500,000
High: Up to $100,000

What’s in-scope versus out-of-scope?

Out-of-Scope Assets

Attacks that the reporter has already exploited themselves, leading to damage

Pyth is an open-source project with open development. We welcome feedback and PRs on features that are in development. Code that has not been deployed is generally out-of-scope.

Reports regarding bugs that the Pyth project was previously aware of are not eligible for a reward.

The following persons are ineligible to receive bug bounty payout rewards: staff, auditors, contractors, persons in possession of privileged information, and all associated parties.

Now, let’s talk about what’s required for submission.

All reports must come with sufficient explanation and data to easily reproduce the bug, e.g. through a proof-of-concept.

All rewards are decided on a case-by-case basis, taking into account the exploitability of the bug, the impact it causes, and, where the bug is nondeterministic or depends on conditions not present at the time of the report, the likelihood of the vulnerability actually presenting itself. The rewards in the payout structure above are maximum rewards; there are no minimum rewards.

Rewards for bugs in dependencies and third-party code are at the discretion of the Pyth team and will be based on the impact demonstrated on Pyth. If the dependency has its own bug bounty program, you are expected to report the issue to the relevant bug bounty program. If the dependency doesn’t have its own bug bounty program, any reward will be at the full discretion of the Pyth Data Association.

And what activities are prohibited…

Any testing on mainnet or public testnets; all testing should be done on private nets.

Public disclosure of a vulnerability before the embargo has been lifted.

Any testing on mainnet against third-party smart contracts, infrastructure, or websites.

Attempting phishing or other social engineering attacks against our employees and/or customers.

Any denial of service attacks.

Automated testing of services that generates significant amounts of traffic.

Any activity that violates any law or disrupts or compromises any data or property that is not your own.

Some bug examples organized by severity…

Critical

High

And lastly, a bit of fine print…

Pyth Data Association will maintain full discretion over the payouts for vulnerabilities. We encourage bug reporters to submit issues that fall outside the above-mentioned payout structure, though we want to be clear that we’ll exercise discretion on a case-by-case basis as to whether an issue warrants a payout and what that ultimate payout may be.

Additionally, for a bug report to be paid, we require the bug reporter to comply with our KYC requirements.

This includes the following:

The wallet address where you’ll receive payment.

Proof of address (either a redacted bank statement showing your address, or a recent utility bill showing your name, address, and the issuer of the bill).

If you are a U.S. person, please send us a filled-out and signed W-9.

If you are not a U.S. person, please send us a filled-out and signed W-8BEN.

A copy of your passport will be required.

These details will only be requested once we have determined that a bug report will be rewarded, and they will remain strictly confidential among need-to-know individuals (basically, only the individuals required to verify KYC and process the payment).

And that’s it! Happy hunting!
