The bug bounty is limited to the Phantom browser extension available on Chrome, Firefox, Brave and Edge. The Phantom website or other general Phantom infrastructure is not within scope.
We are limiting the scope of the bounty to bugs that lead to the loss of user funds, which may be due to:
- The funds being stolen by an attacker through transactions, or leaking of the Secret Recovery Phrase.
- The funds being frozen or locked within the wallet, and otherwise irrecoverable.
- Entire accounts being irrecoverable using existing flows in the app.
We are offering a reward of up to $50,000. Happy hunting!
We follow many of the bug bounty rules that the Ethereum Foundation does:
- Decisions on the eligibility and size of a reward are the sole discretion of Phantom.
- Any disclosure of a vulnerability to the public or other third parties (such as the media) before Phantom makes it public will disqualify the bounty. Issues must be privately submitted to email@example.com.
- Issues must be new to the team. They can’t have already been identified by another user or by an audit.
- No employees, contractors or others with current or prior commercial relationships with Phantom are eligible for rewards. This includes auditors used by Phantom.
- Provide the steps required to demonstrate an issue. If we cannot reproduce an issue, we will not be able to reward it.
The size of the bounty will vary depending on the severity of the issue discovered. The severity is calculated according to the OWASP risk rating model based on Impact and Likelihood.
Decisions on the eligibility and size of a reward are guided by the rules above, but are, in the end, determined at the sole discretion of Phantom.
- Critical: up to $50,000
- High: up to $25,000
- Medium: up to $10,000
- Low: up to $2,000
In addition to severity, other variables are also considered when Phantom evaluates the eligibility and size of a bounty, including (but not limited to):
- Quality of description: Higher rewards are paid for clear, well-written submissions.
- Quality of reproducibility: Please include test code, scripts and detailed instructions. The easier it is for us to reproduce and verify the vulnerability, the higher the reward.
- Quality of fix, if included: Higher rewards are paid for submissions with a clear description of how to fix the issue.
- Give us time to investigate anything you report before sharing it publicly or with others.
- (And hopefully this goes without saying) don’t exploit an issue if you find one.
- Try wherever possible to avoid privacy violations, destruction of data, and interruption or degradation of our service.
Please email firstname.lastname@example.org.
By submitting your report, you grant Phantom any and all rights, including intellectual property rights, needed to validate, mitigate, and disclose the vulnerability. All reward decisions, including eligibility for and amounts of the rewards and the manner in which such rewards will be paid, are made at our sole discretion.
The terms and conditions may be altered at any time.