
Bug Bounty

We highly value your participation in our bug bounty program, as it plays a vital role in strengthening our security measures. Your dedication to identifying and addressing potential vulnerabilities in our systems is greatly appreciated.

To demonstrate our commitment, we offer a variable pay scale that starts from $50,000 USD for vulnerabilities that directly lead to loss of the secret phrase. This serves as an incentive for your valuable contributions and the critical role you play in safeguarding our users' assets.

Outlined below are the scope and guidelines for our bug bounty program, which encompass our mobile application, browser extension, and web services.

Scope

The bug bounty is designed to address security concerns in two primary categories:

  1. Vulnerabilities that have the potential to lead to the theft of funds
  2. Vulnerabilities associated with the leakage of sensitive information

Therefore, the scope is limited to all web services, APIs, mobile applications, and browser extensions under the domain

Rules

  • Decisions on the eligibility and size of a reward are the sole discretion of Phantom.
  • Any disclosure of a vulnerability to the public or other third parties (such as the media) before Phantom makes it public will disqualify the bounty. Issues must be privately submitted to [email protected].
  • We are looking for novel vulnerabilities: Your contributions help us address vulnerabilities we did not discover during the development process or do not already know about. If you are the first external researcher to identify a vulnerability we already know about and are working to fix, you may still be eligible for a bounty award if there is new information within your report that we were previously not aware of.
  • Provide the steps required to demonstrate an issue. If we cannot reproduce an issue we will not be able to reward it. Submissions that contain steps to reproduce your proof of concept along with a detailed analysis are eligible for quicker awards because they help us quickly assess the risk posed by a vulnerability.
  • When reporting vulnerabilities, please consider the attack scenario / exploitability and the security impact of the bug.
  • Avoid harm to member data, privacy, and service availability: Since security research may depend on services that our members use and depend on, avoid research that violates member privacy, destroys data, or interrupts service. If you discover confidential member data while researching, stop and contact us immediately so we can work with you to address the issue.
  • No employees, contractors or others with current or prior commercial relationships with Phantom are eligible for rewards. This includes auditors used by Phantom.
  • Vulnerability reports which do not include careful manual validation (for example, reports based only on results from automated tools and scanners, or which describe theoretical attack vectors without proof of exploitability) will not be eligible for a reward.

Size

The size of the bounty will vary depending on the severity of the issue discovered. The severity is calculated according to CVSS (the Common Vulnerability Scoring System) and to the estimated Impact and Likelihood.

Decisions on the eligibility and size of a reward are guided by the rules above, but are, in the end, determined at the sole discretion of Phantom. We intend to pay out fairly for reports that have a realistic impact.

Quality

In addition to severity, other variables are also considered when Phantom evaluates the eligibility and size of a bounty, including (but not limited to):

  • Quality of description: Higher rewards are paid for clear, well-written submissions.
  • Quality of reproducibility: Please include test code, scripts and detailed instructions. The easier it is for us to reproduce and verify the vulnerability, the higher the reward.
  • Quality of fix, if included: Higher rewards are paid for submissions with a clear description of how to fix the issue.

Please also:

  • Give us time to investigate anything you report before sharing it publicly or with others.
  • (And hopefully this goes without saying) don’t exploit an issue if you find one.
  • Try wherever possible to avoid privacy violations, destruction of data, and interruption or degradation of our service.

Out of Scope Vulnerabilities

The following issues are considered out of scope:

  • Clickjacking on pages with no sensitive actions.
  • Server-Side Request Forgery (SSRF) without security impact.
  • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.
  • Attacks requiring MITM or physical access to a user's device.
  • Attacks requiring a compromised victim device.
  • Previously known vulnerable libraries without a working Proof of Concept or not fixed by the vendor.
  • Comma Separated Values (CSV) injection without demonstrating a vulnerability.
  • Missing best practices in SSL/TLS configuration.
  • Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS.
  • Rate limiting or brute-force issues on non-authentication endpoints.
  • Missing best practices in Content Security Policy.
  • Missing HttpOnly or Secure flags on cookies.
  • Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
  • Vulnerabilities only affecting users of outdated or unpatched browsers (more than 2 stable versions behind the latest released stable version).
  • Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).
  • Public zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis.
  • Tabnabbing will be awarded on a case-by-case basis.
  • Open redirect, unless an additional security impact can be demonstrated.
  • Issues that require unlikely user interaction.

Bug bounty submission process

  • Submit your reports via the email address [email protected], providing a clear and detailed description of the vulnerability, along with any steps, tools, or code necessary to reproduce the issue.
  • Include your contact information, preferred communication channels, and any relevant attachments or evidence to support your findings.
  • In cases where the report contains highly sensitive information, we kindly request that you encrypt your findings using PGP (Pretty Good Privacy). Our PGP public key is available here.
  • For questions or issues regarding Phantom, visit help.phantom.app.

Other Terms

By submitting your report, you grant Phantom any and all rights, including intellectual property rights, needed to validate, mitigate, and disclose the vulnerability. All reward decisions, including eligibility for and amounts of the rewards and the manner in which such rewards will be paid, are made at our sole discretion.

The terms and conditions may be altered at any time.