Pyth Network Bug Bounty

About the program

Help Pyth protect real-time on-chain market data (and get a very big bug bounty - like, $500,000 USDC big).

Payout Structure

• Critical: up to $500,000
• High: up to $100,000

What’s in-scope?

• Pyth Oracle
• Pyth Crosschain - Ethereum
• Pyth Governance
• Pyth Crosschain - Aptos

What's out-of-scope?

• Attacks that the reporter has already exploited themselves, leading to damage
• Pyth is an open-source project with open development. We welcome feedback and PRs on features that are in development. Code that has not been deployed is generally out-of-scope.
• Reports regarding bugs that the Pyth project was previously aware of are not eligible for a reward
• The following person(s) are ineligible to receive bug bounty payout rewards: Staff, Auditors, Contractors, persons in possession of privileged information, and all associated parties

(Details and GitHub links)

What’s required for submission

• All reports must come with sufficient explanation and data to easily reproduce the bug, e.g. through a proof-of-concept.
• All rewards are decided on a case-by-case basis, taking into account the exploitability of the bug, the impact it causes, and the likelihood of the vulnerability presenting itself if it is nondeterministic or some of the conditions are not present at the time. The rewards presented in the payout structure above are the maximum rewards and there are no minimum rewards.
• Rewards for bugs in dependencies and third-party code are at the discretion of the Pyth team and will be based on the impact demonstrated on Pyth. If the dependency has its own bug bounty program, you are expected to report the issue to the relevant bug bounty program. If the dependency doesn’t have its own bug bounty program, any reward will be at the full discretion of the Pyth Data Association.

What activities are prohibited

• Any testing with mainnet or public testnets; all testing should be done on private nets
• Public disclosure of a vulnerability before an embargo has been lifted
• Any testing on Mainnet with third party smart contracts or infrastructure and websites
• Attempting phishing or other social engineering attacks against our employees and/or customers
• Any denial of service attacks
• Automated testing of services that generates significant amounts of traffic
• Any activity that violates any law or disrupts or compromises any data or property that is not your own.