Security reports
View public security audits, penetration tests, and certifications for Polygon infrastructure and applications.
Polygon Labs periodically assesses the security of different technology and applications through extensive internal testing and external engagements, including code reviews, security audits, red team assessments, and penetration testing. All technology and applications have been assessed multiple times to date. Security assessments continue as the network matures.
The following information relates to the latest available public external assessments and certifications. For questions about security assessments, contact the security team.
Certifications
ISO/IEC 27001:2022
Polygon Labs has been certified since March 2024.
Certificate: Schellman Certificate Directory (search for "Polygon Labs")
Scope: The scope of the ISO/IEC 27001:2022 certification is limited to the information security management system (ISMS) supporting Polygon Labs’ business of designing and developing blockchain scaling and interoperability solutions, including Polygon PoS Chain, Polygon CDK, and Agglayer, and in accordance with the statement of applicability, version 1.3, dated October 6, 2025.
Polygon PoS chain
Bor and Heimdall
| Auditor | Type | Report |
|---|---|---|
| Informal Systems | Security audit | View on GitHub |
Bridge and staking contracts
| Auditor | Type | Report |
|---|---|---|
| Multiple | Security audits | PoS Portal audits |
| Multiple | Security audits | PoS contracts audits |
POL token
| Auditor | Type | Report |
|---|---|---|
| ChainSecurity | Security audit | View on GitHub |
| Sigma Prime | Security audit | View on GitHub |
Agglayer
Agglayer Smart contracts
| Auditor | Type | Report |
|---|---|---|
| Sigma Prime | Security audit | View on GitHub |
| Hexens | Security audit | View on GitHub |
| Spearbit | Security audit | View on GitHub |
Vault Bridge Smart contracts
| Auditor | Type | Report |
|---|---|---|
| Sigma Prime | Security audit | View on GitHub |
| Certora | Security audit | View on GitHub |
CDK
Most CDK components have been reviewed as part of zkEVM's audits.
| Component | Auditor | Type | Date |
|---|---|---|---|
| Bridge service | Cobalt.io | Penetration test | March 2025 |
| Bridge UI | Cobalt.io | Penetration test | March 2025 |
Zero
| Auditor | Type | Report |
|---|---|---|
| Least Authority | Security audit | View on GitHub |
zkEVM
| Auditor | Type | Date | Report |
|---|---|---|---|
| Verichains | zkEVM-Rom audit | January 2023 | View on GitHub |
| Hexens | Security audit | — | View on GitHub |
| Spearbit | Security audit | — | View on GitHub |
Related resources
- Bug bounty programs — Report vulnerabilities and earn rewards
- Responsible disclosure — How to report security issues
- Security overview — Learn about Polygon Labs' security practices