Paxos has launched a $1 million bug bounty program to invite global security researchers to identify critical flaws across its crypto and web infrastructure.
Key Takeaways
- Paxos commits $1 million to reward researchers for discovering high-impact vulnerabilities.
- Program covers PYUSD, PAXG, USDG smart contracts along with Web2 systems like APIs and domains.
- Top reward reaches $1 million for critical findings affecting core infrastructure.
- Initial rollout is invite-only via Cantina, with plans to expand access later.
What Happened?
Paxos announced a major bug bounty initiative on the Cantina platform, aiming to strengthen its infrastructure by inviting security experts to test its systems. The program spans both blockchain-based assets and traditional web services, reflecting a broader security approach.
The move follows Paxos’s earlier commitment to the Aave and LlamaRisk communities when it launched USDG on Aave v3, reinforcing its promise to expand external security testing.
Today, we’re thrilled to launch the $1,000,000 bug bounty program in partnership with @Paxos.
Operating in a highly regulated environment demands rigorous security, and Paxos is setting the gold standard for engineering excellence.
We’re here for it 🪐 pic.twitter.com/Ni3aSsvJPI
— Cantina 🪐 (@cantinaxyz) March 27, 2026
Paxos Expands Security Efforts With $1M Incentive
Paxos is putting serious money behind its security strategy. The company has committed $1,000,000 in rewards, with the highest payout reserved for vulnerabilities that could significantly impact its systems.
This is not just a symbolic initiative. Paxos is actively encouraging top-tier security researchers to analyze its infrastructure in depth and uncover hidden risks. Rewards will be paid in Paxos-issued stablecoins, aligning incentives with its ecosystem.
The company currently manages over $8 billion in issued tokens, making security a critical priority as it operates under high regulatory standards, including holding an OCC national trust charter.
Wide Scope Across Web2 and Web3 Systems
Unlike many crypto bug bounty programs that focus only on smart contracts, Paxos has taken a more comprehensive approach.
The scope includes:
- Web3 systems, such as smart contracts for PYUSD, PAXG, and USDG, along with cross-chain infrastructure.
- Web2 components, including public-facing products, APIs, and domains.
This broader scope reflects how real-world attackers operate, targeting multiple layers of infrastructure rather than isolated components.
By covering both environments, Paxos aims to identify edge cases and complex vulnerabilities that may otherwise go unnoticed in traditional audits.
Partnership With Cantina and Initial Invite-Only Access
The bug bounty program is being launched on Cantina, a platform known for its Web3-focused security researcher community.
During the initial rollout phase, participation is limited to an invite-only group of researchers already active on Cantina. Paxos plans to gradually open the program to a wider audience after this early phase.
Eric, Paxos Chief Information Security Officer, explained the choice of platform, stating:
Researchers who are not yet part of the network can request access through the program page as Paxos prepares for broader participation.
Delivering on Security Commitments
The launch also fulfills Paxos’s earlier assurances made during the rollout of USDG on Aave v3. At the time, the company committed to enhancing external security validation in collaboration with partners like Aave and LlamaRisk.
This bug bounty program adds another layer to Paxos’s existing security framework, which already includes:
- Design and code reviews
- Third-party audits
- Penetration testing
- Red teaming exercises
Together, these efforts aim to continuously test and strengthen Paxos’s infrastructure against evolving threats.
CoinLaw’s Takeaway
I see this as a strong and necessary move by Paxos. In my experience, security in crypto is often reactive, but this feels proactive and serious. Offering a full $1 million reward signals that Paxos understands the stakes, especially with billions in assets under management.
What stands out to me is the expanded scope beyond smart contracts. I found that many projects ignore Web2 vulnerabilities, even though attackers rarely limit themselves to blockchain code. Paxos addressing both layers shows maturity and real-world awareness.
If more firms follow this model, it could raise the overall security standard across the crypto industry.