• Smart contracts deployed by Pixpel (Launchpad, DEX, staking, token-related).
• Web and mobile interfaces of Pixpel.io.
• APIs, integrations, and related backend services.
• NFT Marketplace infrastructure.
• On-chain/off-chain bridging mechanisms operated by Pixpel.

Out of Scope:

• Attacks on third-party projects launched via the Pixpel Launchpad (Developers are solely responsible).
• Vulnerabilities in third-party wallets (e.g., MetaMask) or blockchains (Ethereum, SKALE).
• Physical attacks, phishing, social engineering of Pixpel staff or community.
• Denial of Service (DoS) attacks or spam.

• Promptly report vulnerabilities to security@pixpel.io.
• Provide sufficient details to reproduce and validate the vulnerability.
• Allow a reasonable time for Pixpel to investigate and remediate before public disclosure.
• Avoid exploiting the vulnerability for personal gain, including stealing funds, data, or disrupting the Platform.
• Not disclose vulnerability details publicly or to third parties without Pixpel’s written approval.

• Are the first to report a previously unknown vulnerability.
• Have not exploited the vulnerability beyond what is necessary to prove its existence.
• Are not a current or former Pixpel employee or contractor reporting issues within scope of employment.
• Are not subject to sanctions or legal restrictions preventing you from receiving rewards.

• Rewards are discretionary and based on the severity, impact, and exploitability of the vulnerability.
• Severity is classified according to CVSS v3.1 standards:
• 1. Critical: Up to USD $50,000 equivalent in PIXP tokens.
• 2. High: Up to USD $20,000 equivalent in PIXP tokens.
• 3. Medium: Up to USD $5,000 equivalent in PIXP tokens.
• 4. Low: Up to USD $1,000 equivalent in PIXP tokens.
• Pixpel may adjust rewards based on duplication, quality of report, and alignment with community risk.
• Rewards are paid in PIXP, USDT, or USDC, at Pixpel's discretion.

• Activities conducted in accordance with this Policy are considered authorized and legal under applicable anti-hacking laws.
• Pixpel will not pursue legal action against researchers who comply with this Policy.
• If a third party initiates legal action, Pixpel will make it clear that your actions were conducted under this Policy.

• Outdated libraries or software without demonstrable exploit.
• Best-practice recommendations without a clear vulnerability.
• Clickjacking, lack of rate-limiting, or generic denial of service.
• Publicly known issues without functional proof-of-concept.
• Reports not submitted through the proper channel (security@pixpel.io).

• 1. Send report to security@pixpel.io with subject line “Bug Bounty Report – [short title]”.
• 2. Include:
• Affected system (smart contract address, URL, API).
• Detailed description of the issue.
• Steps to reproduce and proof-of-concept (screenshots, transaction hash, code snippet).
• Potential impact and severity assessment.
• 1. Pixpel will acknowledge within 7 business days.
• 2. Pixpel will provide updates during remediation.
• 3. Once fixed, Pixpel may grant a reward and invite coordinated disclosure.

• Eligible researchers may, with Pixpel’s consent, be publicly recognized on a Hall of Fame page.
• Researchers may remain anonymous if preferred.

• By participating, you agree that Pixpel's decision on eligibility, reward amount, and severity classification is final.
• Pixpel reserves the right to amend or terminate this Policy at any time.
• This Policy does not create contractual or employment rights between you and Pixpel.