
Phantom
Phantom is your go-to crypto app. Buy cryptocurrency. Trade memecoins. Store assets. Grow your portfolio. Available on Solana, Ethereum, Bitcoin, Base & Sui.
External Program
Submit bugs directly to this organization
We highly value your participation in our bug bounty program, as it plays a vital role in strengthening our security measures. Your dedication to identifying and addressing potential vulnerabilities in our systems is greatly appreciated.
To demonstrate our commitment, we offer a variable pay scale that starts from $50,000 USD for vulnerabilities that directly lead to loss of secret phrase. This serves as an incentive for your valuable contributions and the critical role you play in safeguarding our users' assets.
Outlined below are the scope and guidelines for our bug bounty program, which encompasses our mobile application, browser extension, and web services.
The bug bounty is designed to address security concerns in two primary categories:
Therefore, the scope is limited to all web services, APIs, mobile application, and browser extension under the domain:
Decisions on the eligibility and size of a reward are the sole discretion of Phantom.
Any disclosure of a vulnerability to the public or other third parties (such as the media) before Phantom makes it public will disqualify the bounty. Issues must be privately submitted.
We are looking for novel vulnerabilities: Your contributions help us address vulnerabilities we did not discover during the development process or do not already know about. If you are the first external researcher to identify a vulnerability we already know about and are working to fix, you may still be eligible for a bounty award if there is new information within your report that we were previously not aware of.
Provide the steps required to demonstrate an issue. If we cannot reproduce an issue we will not be able to reward it. Submissions that contain steps to reproduce your proof of concept along with a detailed analysis are eligible for quicker awards because they help us quickly assess the risk posed by a vulnerability.
When reporting vulnerabilities, please consider the attack scenario / exploitability, and the security impact of the bug.
Avoid harm to member data, privacy, and service availability: Since security research may depend on services that our members use and depend on, avoid research that violates member privacy, destroys data, or interrupts service. If you discover confidential member data while researching, stop and contact us immediately so we can work with you to address the issue.
No employees, contractors or others with current or prior commercial relationships with Phantom are eligible for rewards. This includes auditors used by Phantom.
Vulnerability reports which do not include careful manual validation - for example, reports based only on results from automated tools and scanners or which describe theoretical attack vectors without proof of exploitability - will not be eligible for a reward.
The size of the bounty will vary depending on the severity of the issue discovered. The severity is calculated according to the CVSS score and to the estimated Impact and Likelihood.
Decisions on the eligibility and size of a reward are guided by the rules above, but are, in the end, determined at the sole discretion of Phantom. We intend to pay out fairly for reports that have a realistic impact.
In addition to severity, other variables are also considered when Phantom evaluates the eligibility and size of a bounty, including (but not limited to):
The following issues are considered out of scope:
Submit your reports via email, providing a clear and detailed description of the vulnerability, along with any steps, tools, or code necessary to reproduce the issue.
Include your contact information, preferred communication channels, and any relevant attachments or evidence to support your findings.
In cases where the report contains highly sensitive information, we kindly request that you encrypt your findings using PGP (Pretty Good Privacy). Our PGP public key is available upon request.
For questions or issues regarding Phantom, visit our support portal.
By submitting your report, you grant Phantom any and all rights, including intellectual property rights, needed to validate, mitigate, and disclose the vulnerability. All reward decisions, including eligibility for and amounts of the rewards and the manner in which such rewards will be paid, are made at our sole discretion.
The terms and conditions may be altered at any time.