The bug bounty is limited to the Phantom browser extension and the Phantom mobile app available on iOS and Android. The Phantom website or other general Phantom infrastructure is not within scope.
We are limiting the scope of the bounty to bugs that lead to the loss of user funds, which may be due to:
- The funds being stolen by an attacker through transactions, or leaking of the Secret Recovery Phrase.
- The funds being frozen or locked within the wallet, and otherwise irrecoverable.
- Entire accounts being irrecoverable using existing flows in the app.
We are offering a reward of up to $50,000. Happy hunting!
- Decisions on the eligibility and size of a reward are the sole discretion of Phantom.
- Any disclosure of a vulnerability to the public or other third parties (such as the media) before Phantom makes it public will disqualify the bounty. Issues must be privately submitted to [email protected].
- We are looking for novel vulnerabilities: your contributions help us address vulnerabilities we did not discover during the development process or do not already know about. If you are the first external researcher to identify a vulnerability we already know about and are working to fix, you may still be eligible for a bounty award if there is new information within your report that we were previously not aware of.
- Provide the steps required to demonstrate an issue. If we cannot reproduce an issue we will not be able to reward it. Submissions that contain steps to reproduce your proof of concept along with a detailed analysis are eligible for quicker awards because they help us quickly assess the risk posed by a vulnerability.
- When reporting vulnerabilities, please consider the attack scenario / exploitability and the security impact of the bug.
- Avoid harm to member data, privacy, and service availability: Since security research may depend on services that our members use and depend on, avoid research that violates member privacy, destroys data, or interrupts service. If you discover confidential member data while researching, stop and contact us immediately so we can work with you to address the issue.
- No employees, contractors or others with current or prior commercial relationships with Phantom are eligible for rewards. This includes auditors used by Phantom.
The size of the bounty will vary depending on the severity of the issue discovered. The severity is calculated according to CVSS (the Common Vulnerability Scoring System) and to the estimated impact and likelihood.
Decisions on the eligibility and size of a reward are guided by the rules above, but are, in the end, determined at the sole discretion of Phantom. We intend to pay out fairly for reports that have a realistic impact.
- Critical: up to $50,000
- High: up to $25,000
- Medium: up to $10,000
- Low: up to $2,000
In addition to severity, other variables are also considered when Phantom evaluates the eligibility and size of a bounty, including (but not limited to):
- Quality of description: Higher rewards are paid for clear, well-written submissions.
- Quality of reproducibility: Please include test code, scripts and detailed instructions. The easier it is for us to reproduce and verify the vulnerability, the higher the reward.
- Quality of fix, if included: Higher rewards are paid for submissions with clear description of how to fix the issue.
- Give us time to investigate anything you report before sharing it publicly or with others.
- (And hopefully this goes without saying) don’t exploit an issue if you find one.
- Try wherever possible to avoid privacy violations, destruction of data, and interruption or degradation of our service.
Out of Scope Vulnerabilities
The following issues are considered out of scope:
- Clickjacking on pages with no sensitive actions
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
- Attacks requiring MITM or physical access to a user's device
- Attacks requiring a compromised victim device
- Previously known vulnerable libraries without a working proof of concept, or not yet fixed by the vendor
- Comma Separated Values (CSV) injection without demonstrating a vulnerability
- Missing best practices in SSL/TLS configuration
- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS
- Rate limiting or brute-force issues on non-authentication endpoints
- Missing best practices in Content Security Policy
- Missing HttpOnly or Secure flags on cookies
- Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
- Vulnerabilities only affecting users of outdated or unpatched browsers (less than 2 stable versions behind the latest released stable version)
- Software version disclosure / banner identification issues / descriptive error messages or headers (e.g. stack traces, application or server errors)
- Public zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis
- Tabnabbing will be awarded on a case-by-case basis
- Open redirect, unless an additional security impact can be demonstrated
- Issues that require unlikely user interaction
Bug bounty submission process
For submissions, email [email protected]. For questions or issues regarding Phantom, visit help.phantom.app.
By submitting your report, you grant Phantom any and all rights, including intellectual property rights, needed to validate, mitigate, and disclose the vulnerability. All reward decisions, including eligibility for and amounts of the rewards and the manner in which such rewards will be paid, are made at our sole discretion.
The terms and conditions may be altered at any time.