Active programs
Agglayer smart contracts
Platform: Cantina Scope: Agglayer smart contracts and Vault Bridge infrastructure Rewards: Up to $1,000,000 for critical findings View program on Cantina →Polygon PoS chain
Platform: Immunefi Scope: Bor client, Heimdall consensus layer, bridge contracts, and staking smart contracts Rewards: Up to $1,000,000 for critical findings View program on Immunefi →Websites and applications
Platform: HackerOne Scope: Websites, web applications, and APIs related to Polygon Labs developed products Rewards: Varies by severity View program on HackerOne →How to submit a report
Before submitting, review each program’s scope and rules carefully. Out-of-scope submissions may not qualify for rewards.
Review the scope
Each program defines specific in-scope and out-of-scope targets. Confirm your finding falls within the applicable program’s scope before proceeding.
Prepare your report
Include steps to reproduce, an impact assessment, and any proof-of-concept code or evidence.
Other ways to report
If your finding does not fit any of the programs above, or if you prefer to report directly, see the responsible disclosure page for instructions on how to contact the security team securely.Related resources
- Security overview: Polygon Labs’ security practices
- Security reports: Public security audits and assessments
- Contact security team: Direct contact information