If you believe you have found a security vulnerability in any Polygon-owned repository, please report it through one of the following channels:
| Scope | Channel | Link |
|---|---|---|
| All reports | GitHub Private Vulnerability Reporting | Use the "Report a vulnerability" button in the Security tab of the affected repository |
| Smart Contracts & Blockchain | Immunefi Bug Bounty | https://immunefi.com/bounty/polygon |
| Websites & Applications | HackerOne Bug Bounty | https://hackerone.com/polygon-technology |
Prefer the Bug Bounty programs when your finding is in scope — they offer structured triage, communication, and rewards. Use GitHub Private Vulnerability Reporting for issues that fall outside the bounty programs or when you are unsure which program applies.
To help us triage and respond quickly, please provide:
- A description of the vulnerability and its potential impact
- Detailed steps to reproduce the issue, including any tools, scripts, or transaction hashes
- Affected component(s) — contract addresses, repository names, URLs, or API endpoints
- Any proof-of-concept code or screenshots
- Your assessment of severity (Critical / High / Medium / Low)
We are committed to working with security researchers and aim to meet the following targets:
| Stage | Target |
|---|---|
| Initial acknowledgment | Within 24 hours |
| Triage and severity assessment | Within 3 business days |
| Status update to reporter | Within 7 business days |
| Resolution (varies by complexity) | Typically 30–90 days |
We will keep you informed of our progress throughout the process. If you have not received an acknowledgment within 48 hours, please follow up through the same channel you used to submit the report.
We follow a coordinated disclosure process:
- The reporter submits the vulnerability through one of our reporting channels.
- Our security team triages, validates, and works on a fix.
- We coordinate a disclosure timeline with the reporter — typically 90 days from the initial report, or sooner once a fix is deployed.
- A public advisory is published after the fix has been released and users have had reasonable time to update.
We ask that reporters:
- Give us reasonable time to address the issue before any public disclosure
- Make a good-faith effort to avoid privacy violations, data destruction, or disruption of services
- Refrain from accessing or modifying other users' data without explicit permission
We value the security community and gratefully acknowledge researchers who help us keep Polygon safe. With your permission, we will credit you in our security advisories.
Bounty amounts and eligibility criteria are defined on each respective platform. Please refer to the specific program pages for current reward tiers and rules:
- Immunefi (Smart Contracts & Blockchain): https://immunefi.com/bounty/polygon
- HackerOne (Websites & Applications): https://hackerone.com/polygon-technology
We accept reports in English and Spanish.
Our security.txt (RFC 9116) is published at https://polygon.technology/security.txt.
Interested in security? Check out open positions at https://polygon.technology/careers
For general security inquiries (not vulnerability reports), reach us at security@polygon.technology.