Paxful, Inc. Bug Bounty Policy

Paxful, Inc. (also referred to as “Paxful,” “we,” “us,” or “our”) takes steps to improve our product and provide secure solutions for our customers. In this Bug Bounty Policy (“Policy”), we describe applicable cases for our Bug Bounty Program and how it should be used in connection with your use of our website at, including, but not limited to, the Paxful Wallet, online bitcoin trading platform, mobile application, social media pages, or other online properties (collectively, the “Website”), or when you use any of the products, services, content, features, technologies, or functions we offer (collectively, the “Services”). This Policy is designed to help you obtain information about how you can participate in our Bug Bounty Program, which security research results are applicable, and which benefits you can receive. Please note that our Service offerings may vary by region.

What is the Bug Bounty Program?

In order to improve Paxful and the Services, the Paxful Bug Bounty Program provides our users an opportunity to earn a reward for identifying technical issues.

How can you communicate your Bug Bounty Program findings to us?

All such communications should be directed to [email protected]

How do we evaluate issues identified under the Bug Bounty Program?

All findings are evaluated using a risk-based approach.

Non-Disclosure Agreement

Before we begin discussing any details related to confirmed issues that you have identified under the Bug Bounty Program, including compensation, etc., you will be required to enter into a Non-Disclosure Agreement with us.

How do we pay Bug Bounty Program rewards?

All such rewards are paid by Paxful. All rewards can be paid only if they are not contrary to applicable laws and regulations, including but not limited to trade sanctions and economic restrictions.

How long will it take us to analyze your Bug Bounty Program findings?

Due to the varying and complex nature of technical issues, we have not established particular timelines for analyzing findings under the Bug Bounty Program. Our analysis is finished only when we have confirmed the existence or absence of a vulnerability.

What cases are excluded from the Bug Bounty Program?

  • Spam;
  • Social engineering;
  • DDoS attacks;
  • Security vulnerabilities in third-party applications and on third-party websites integrated with Paxful;
  • "Scanner output" or scanner-generated reports;
  • Issues found through automated testing;
  • Publicly-released bugs in Internet software.

More Information

If you are looking for more information regarding this Policy, you may contact us by emailing [email protected]