Bug bounty programs

Report security vulnerabilities in Polygon infrastructure and earn rewards through our official bug bounty programs.

Security researchers play a vital role in keeping Polygon's ecosystem safe. Polygon Labs maintains multiple bug bounty programs across leading security platforms, offering rewards of up to $1,000,000 for critical vulnerabilities.

Before submitting a report, review each program's scope and rules carefully. Out-of-scope submissions may not qualify for rewards.

Active programs

Agglayer smart contracts

Platform: Cantina
Scope: Agglayer smart contracts and Vault Bridge infrastructure
Rewards: Up to $1,000,000 for critical findings

View program on Cantina →


Polygon PoS chain

Platform: Immunefi
Scope: Bor client, Heimdall consensus layer, bridge contracts, and staking smart contracts
Rewards: Up to $1,000,000 for critical findings

View program on Immunefi →


Websites and applications

Platform: HackerOne
Scope: Websites, web applications, and APIs related to Polygon Labs-developed products
Rewards: Varies by severity

View program on HackerOne →

Submission guidelines

  1. Review the scope — Each program has specific in-scope and out-of-scope targets. Make sure your finding falls within the program's scope.
  2. Check for duplicates — Search existing reports to avoid submitting known issues.
  3. Provide clear details — Include steps to reproduce, impact assessment, and any proof-of-concept code.
  4. Follow responsible disclosure — Do not publicly disclose vulnerabilities before they are resolved.

Other ways to report

If your finding doesn't fit into any of the above programs, or if you prefer to report directly, please see our responsible disclosure page for instructions on how to securely contact our security team.
