Email: [email protected]
Do not open public issues for security vulnerabilities.
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if available)
- Initial response: 48 hours
- Status update: 7 days
- Fix timeline: Depends on severity
| Version | Supported |
|---|---|
| 1.x | Yes |
| < 1.0 | No |
- Fail-closed design (unauthorized requests return 402)
- Payment replay prevention
- Transaction age validation (7 day limit)
- Minimum payment threshold ($0.10)
- No credential storage
- Read-only RPC operations
- Keep dependencies updated
- Use environment variables for secrets
- Enable rate limiting
- Monitor payment activity
- Never commit `.env` files
- Validate all inputs
- Use type hints and Pydantic models
- Run security linters before commits
- Third-party dependency
- User addresses visible to PayAI
- Automatic fallback to native on outage
- Provider rate limits apply
- Use dedicated providers with SLAs
- Implement caching where appropriate
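The fail-closed, replay-prevention, transaction-age and minimum-threshold properties listed above, shown as one request-gating routine. This is an added example written for this page, not code from the project; `PaymentProof`, `PaymentVerifier` and the in-memory `seen` set are assumptions, and the proof values in the comments are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Policy constants taken from the security properties listed on this page.
MAX_TX_AGE = timedelta(days=7)      # transaction age validation (7 day limit)
MIN_PAYMENT_USD = 0.10              # minimum payment threshold ($0.10)
PAYMENT_REQUIRED = 402              # fail-closed: anything not proven gets 402
OK = 200


@dataclass(frozen=True)
class PaymentProof:
    """Hypothetical shape of an on-chain payment (constructed for this example)."""
    tx_signature: str      # unique transaction id, used as the replay key
    amount_usd: float
    block_time: datetime   # must be timezone-aware


@dataclass
class PaymentVerifier:
    # Signatures already accepted; a persistent store would replace this in production.
    seen: set[str] = field(default_factory=set)

    def verify(self, proof: Optional[PaymentProof],
               now: Optional[datetime] = None) -> tuple[int, str]:
        """Return (status, reason). Every path except a fully validated proof yields 402."""
        now = now or datetime.now(timezone.utc)
        try:
            if proof is None:
                return PAYMENT_REQUIRED, "no payment proof"
            if proof.block_time.tzinfo is None:
                return PAYMENT_REQUIRED, "naive timestamp rejected"   # validate all inputs
            if proof.amount_usd < MIN_PAYMENT_USD:
                return PAYMENT_REQUIRED, "below minimum threshold"
            age = now - proof.block_time
            if age > MAX_TX_AGE:
                return PAYMENT_REQUIRED, "transaction too old"
            if age < timedelta(0):
                return PAYMENT_REQUIRED, "timestamp in the future"
            if proof.tx_signature in self.seen:
                return PAYMENT_REQUIRED, "replayed transaction"
            self.seen.add(proof.tx_signature)   # record only after every check passes
            return OK, "accepted"
        except Exception:                       # malformed input must never grant access
            return PAYMENT_REQUIRED, "verification error"
```

The replay key is recorded only after all other checks succeed, so a rejected proof cannot poison the set against a later valid retry.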
Scope: Solana programs (kamiyo, mitama), ZK circuits, EVM contracts.
| Severity | Bounty | Example |
|---|---|---|
| Critical | Up to $5,000 | Fund drain, unauthorized withdrawals |
| High | Up to $2,000 | Logic errors affecting user funds |
| Medium | Up to $500 | DoS, griefing attacks |
| Low | $100 | Informational, best practices |
Exclusions:
- Frontend/UI issues
- Third-party dependencies (unless in scope)
- Known issues documented in code
Contact: [email protected]