Pacifica Bug Bounty Program
Pacifica is committed to maintaining the highest standards of security. We invite security researchers to identify and disclose vulnerabilities in a constructive and responsible manner and help us protect our users, infrastructure, and ecosystem.
Pacifica Bug Bounty Program Rules
Please submit a clear and detailed report with reproducible steps via email to [email protected] or open a ticket on Pacifica's Discord.
If we cannot reproduce the issue from your submission, it will not qualify for a reward.
Social engineering attacks (e.g., phishing) against Pacifica employees or community members are strictly prohibited.
Please make a good faith effort to avoid privacy violations, data loss, service degradation, or interruptions.
Actions that negatively impact the availability of Pacifica services (e.g., DoS/DDoS) are not allowed.
The bug bounty does not pay out for any attacks that directly disrupt services.
Testnet Guidelines
If you wish to test asset-related features, please do so on the Pacifica testnet at https://testnet.pacifica.fi
For testnet-only vulnerabilities that are not reproducible on mainnet, the bounty level will be lowered.
Not all testnet features are eligible for the program (for example, newly deployed features known by the team to be unstable).
Reach out to the team at [email protected] or on Discord for more on using the Pacifica testnet.
Bug Bounty Vulnerability Levels
Critical: 10,000-25,000 USDC
High: 2,500-10,000 USDC
Medium: 500-2,500 USDC
Low: 500 USDC
How are the various levels of bugs/vulnerabilities defined?
To ensure consistent triage and fair rewards, vulnerabilities are classified into Critical, High, Medium, and Low categories. The following descriptions serve as a guide, and are not exhaustive:
Critical Vulnerabilities
Critical issues directly compromise Pacifica's core systems, infrastructure, or smart contracts in ways that could compromise the safety of user deposits or of Pacifica's core systems.
High-Risk Vulnerabilities
High-risk issues compromise system integrity, sensitive data, or critical business logic, but with limited impact relative to Critical Vulnerabilities.
Medium-Risk Vulnerabilities
Medium-risk issues impact user accounts, degrade service, or allow targeted exploitation, but do not put the entire system or core contracts at risk.
Low-Risk Vulnerabilities
Low-risk issues generally require user interaction, have limited impact, or only reveal non-critical information.
Submission Process
Consolidate your findings neatly in writing that includes the following:
A clear description of the bug/issue.
Step-by-step instructions for reproducing the issue on our end.
Proof-of-concept (PoC) or exploit script (if applicable).
An impact assessment and suggested remediation steps.
Screenshots, videos, or other evidence to support your findings, if applicable.
Send reports to: [email protected] (flag any such reports as [important] or [urgent]).
Alternatively, reach out to the team on Discord by opening a ticket.
Important Guidelines:
If the same vulnerability is reported by multiple researchers, the first complete submission will be rewarded.
Submit one vulnerability per report, unless chaining vulnerabilities is necessary to demonstrate real impact.
Multiple vulnerabilities that stem from a single root cause will be treated as one bounty.
Rewards are paid in USDC to the submitter's Pacifica account for responsible disclosure of bugs after assessment by the Pacifica team.
All research must be conducted ethically and responsibly in accordance with the rules of the Pacifica bug bounty program.
Prohibited Activity
The following activities are strictly prohibited and will result in a report becoming ineligible for the bug bounty and/or further investigation and legal action.
Direct testing on the Pacifica mainnet in a manner that results in, or may result in, service disruption or data loss. All such attempts must be made on the Pacifica Testnet.
Any phishing, social engineering, or physical security attacks.
Denial-of-Service (DoS) or large-scale DDoS attacks.
Testing third-party apps (SSO providers, wallets, browser extensions) outside Pacifica's control.
Violating user privacy or accessing accounts belonging to others without consent.
Public disclosure of vulnerabilities prior to their resolution without consent or authorization.
Threats, ransom demands, or publishing sensitive data without consent.
Exploiting vulnerabilities for personal financial gain beyond bug bounty rewards.
Eligibility
Reports must be submitted directly to the Pacifica team via email or Discord. Reports sent through other channels are not accepted.
You must comply with KYC verification to be eligible for any bug bounty rewards and to be able to receive USDC payouts on Pacifica.
You must maintain strict confidentiality about discovered vulnerabilities until authorized disclosure.
The following are NOT eligible for the bug bounty program:
UI/UX bugs without security implications.
Reports without sufficient detail, reproducible steps, or PoC.
Vulnerabilities requiring highly improbable user actions, unrealistic market conditions or social engineering.
Issues in outdated browsers, plugins, or operating systems not supported by Pacifica.
Vulnerabilities requiring physical access to user devices.
Bugs in third-party libraries or services that don't create direct risk to Pacifica users.
Non-security related bugs such as cosmetic issues or minor functional problems.
Theoretical vulnerabilities without demonstrable security impact.
All submissions must meet program requirements to be eligible for rewards. Pacifica reserves full discretion in classifying reported issues and determining payout amounts. By submitting a report, you acknowledge that it becomes the property of Pacifica, and we may use, modify, or disclose the information as necessary to improve the security of our platform.
In return, Pacifica is committed to treating researchers with respect and fairness. We will investigate all valid reports promptly, provide clear reasoning behind our classifications, and reward based on the severity of the issue. Most importantly, we will not pursue legal action against those who conduct research in good faith.