Pyth operates a self hosted bug bounty program to financially incentivize independent researchers (with up to $500,000 USDC) for finding and responsibly disclosing security issues.
- Scopes
- Rewards
- Critical: Up to $500,000
- High: Up to $100,000
If you find a security issue in Pyth, please report the issue immediately to our security team.
If there is a duplicate report, either the same reporter or different reporters, the first of the two by timestamp will be accepted as the official bug report and will be subject to the specific terms of the submitting program.
We engage 3rd party firms to conduct independent security audits of Pyth. At any given time, we likely have multiple audit streams in progress.
As these 3rd party audits are completed and issues are sufficiently addressed, we make those audit reports public.
- April 27, 2022 - Zellic
- Scope: pyth-crosschain (formerly known as pyth2wormhole))
- October 10, 2022 - OtterSec
- Scope: pyth-crosschain-aptos contracts
- November 01, 2022 - Zellic
- Scope: pyth-crosschain-evm contracts
- December 12, 2022 - Ottersec
- Scope: pyth-crosschain-sui contracts
- December 13, 2022 - CertiK
- Scope: pyth-crosschain-governance contracts
- December 13, 2022 - CertiK
- Scope: pyth-crosschain-solana contracts
- February 23, 2023 - CertiK
- Scope: pyth-crosschain-evm contracts
- March 14, 2023 - Zellic
- Scope: pyth-crosschain-cosmwasm contracts
- July 10, 2023 - Zellic
- Scope: pyth-crosschain-evm contracts
- July 24, 2023 - Zellic
- Scope: pyth-crosschain-cosmwasm/aptos/sui contracts
- July 31, 2023 - Trail of Bits
- Scope: pyth-crosschain pythnet validator, message_buffer/remote_executor/oracle contracts, merkle tree library, xc_admin_frontend
- January 18, 2024 - Trail of Bits
- Scope: pyth-crosschain-entropy contracts and fortuna web service
- April 25, 2024 - Ottersec
- Scope: pyth-crosschain-solana contracts
- July 12, 2024 - Nethermind
- Scope: pyth-crosschain-starknet contracts
The Pyth project maintains a social media monitoring program to stay abreast of important ecosystem developments.
These developments include monitoring services like Twitter for key phrases and patterns such that the Pyth project is informed of a compromise or vulnerability in a dependency that could negatively affect Pyth or its users.
In the case of a large ecosystem development that requires response, the Pyth project will engage its security incident response program.
The Pyth project maintains an incident response program to respond to vulnerabilities or active threats to Pyth, its users, or the ecosystems it's connected to. Pyth can be made aware about a security event from a variety of different sources (eg. bug bounty program, audit finding, security monitoring, social media, etc.)
When a Pyth project contributor becomes aware of a security event, that contributor immediately holds the role of incident commander for the issue until they hand off to a more appropriate incident commander. A contributor does not need to be a "security person" or have any special privileges to hold the role of incident commander, they simply need to be responsible, communicate effectively, and maintain the following obligations to manage the incident to completion.
The role of the incident commander for Pyth includes the following minimum obligations:
- Understand what is going on, the severity, and advance the state of the incident.
- Identify and contact the relevant responders needed to address the issue.
- Identify what actions are needed for containment (eg. security patch, contracts deployed, governance ceremony).
- Establish a dedicated real-time communication channel for responders to coordinate (eg. Slack, Telegram, Signal, or Zoom).
- Establish a private incident document, where the problem, timeline, actions, artifacts, lessons learned, etc. can be tracked and shared with responders.
- When an incident is over, host a retrospective with key responders to understand how things could be handled better in the future (this is a no blame session, the goal is objectively about improving Pyth's readiness and response capability in the future).
- Create issues in relevant ticket trackers for actions based on lessons learned.