Bug Bounty
We highly value your participation in our bug bounty program, as it plays a vital role in strengthening our security measures. Your dedication to identifying and addressing potential vulnerabilities in our systems is greatly appreciated.
Outlined below are the scope and guidelines for our bug bounty program, which covers our mobile applications, browser extensions and web services.
Assets
Our assets are split into two categories: Phantom client-side applications, and Phantom infrastructure & services.
Applications
- Phantom Wallet - Chrome Extension
- Phantom Wallet - Firefox Extension
- Phantom Wallet - iOS App
- Phantom Wallet - Android App
Infrastructure & Services
- *.phantom.app
- *.phantom.com
- *.phantom.dev
- Any asset confirmed to be owned by Phantom
Out-of-Scope
By design, our apps interact with numerous third parties, including RPC providers and on-chain smart contracts/programs. Unless explicitly listed among the in-scope assets above, these are considered out of scope and testing of them is not authorized.
Additionally, the following assets are not owned or operated by Phantom and should not be tested:
Vulnerability Types
Generally, if a vulnerability has a security or privacy impact on an in-scope Phantom asset, we want to know about it.
Primary Focus
The following types are of particular interest to our security team:
- Vulnerabilities which have the potential for theft of user funds
- Vulnerabilities associated with the leakage of sensitive information
- Access to Phantom build pipelines, processes or environments
Excluded Submission Types
Additionally, the following issues are considered out of scope:
- Issues that require unlikely user interaction
- Attacks requiring MITM or physical access to a user's device
- Attacks requiring a compromised victim device
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
- Server-side Request Forgery (SSRF) without security impact
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
- Clickjacking on pages with no sensitive actions
- Previously known vulnerable libraries without a working Proof of Concept or not fixed by the vendor
- Missing best practices in SSL/TLS configuration
- Rate limiting or brute-force issues on non-authentication endpoints
- Missing best practices in Content Security Policy
- Missing HttpOnly or Secure flags on cookies
- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
- Vulnerabilities only affecting users of outdated or unpatched browsers (less than 2 stable versions behind the latest released stable version)
- Software version disclosure / banner identification issues / descriptive error messages or headers (e.g. stack traces, application or server errors)
- Tabnabbing (awarded on a case-by-case basis)
Rewards
Critical ($12,500 → $20,000)
Examples - Wallet
- XSS (within Wallet context)
- Origin Spoofing (affecting transaction simulation)
Examples - Server-Side
- Remote Code Execution (within Phantom infrastructure)
- SQL Injection (with access to PII)
High ($5,000 → $12,500)
Examples - Wallet
- PII/Sensitive Data Leakage to 3rd Parties
Examples - Server-Side
- SQL Injection (without access to PII - only public data & no escalation path)
Medium ($1,500 → $5,000)
Examples - Wallet
- DoS
Examples - Server-Side
- Reflected XSS
- Low impact IDORs
Low ($50 → $1,500)
Examples - Wallet
- UI issues that have security impact, such as mislabeled security or privacy features
Examples - Server-Side
- Hosting of malicious JS on a non-core sub-domain (e.g. via XSS or a sub-domain takeover)
Exceptional Circumstances
Phantom offers a reward of $50,000 for vulnerabilities that demonstrate either:
- Remote extraction of a user’s private key with no user interaction, or
- The ability to inject malicious code into the build process undetected
Note: The final determination of whether a vulnerability meets the exceptional criteria is at the sole discretion of the Phantom security team.
Policies
Rules
- Decisions on the eligibility and size of a reward are at the sole discretion of Phantom. We intend to pay out fairly for reports that have a realistic impact.
- Any disclosure of a vulnerability to the public or other third parties (such as the media) before Phantom makes it public will result in the submission being ineligible for a reward.
- We are looking for novel vulnerabilities: Your contributions help us address vulnerabilities we did not discover during the development process or do not already know about. If you are the first external researcher to identify a vulnerability we already know about and are working to fix, you may still be eligible for a bounty award if there is new information within your report that we were previously not aware of.
- Provide the steps required to demonstrate an issue. If we cannot reproduce an issue we will not be able to reward it. Submissions that contain steps to reproduce your proof of concept along with a detailed analysis are eligible for quicker awards because they help us quickly assess the risk posed by a vulnerability.
- When reporting vulnerabilities, please consider the attack scenario / exploitability and the security impact of the bug.
- Avoid harm to user data, privacy, and service availability: since security research may depend on services that our users rely on, avoid research that violates user privacy, destroys data, or interrupts service. If you discover confidential user data while researching, stop and contact us immediately so we can work with you to address the issue.
- No employees, contractors or others with current or prior commercial relationships with Phantom are eligible for rewards. This includes auditors used by Phantom.
- Vulnerability reports which do not include careful manual validation (for example, reports based only on results from automated tools and scanners, or which describe theoretical attack vectors without proof of exploitability) will not be eligible for a reward.
Other Terms
By submitting your report, you grant Phantom any and all rights, including intellectual property rights, needed to validate, mitigate, and disclose the vulnerability. All reward decisions, including eligibility for and amounts of the rewards and the manner in which such rewards will be paid, are made at our sole discretion.
The terms and conditions may be altered at any time.
Submission
- If you believe you've found a valid security vulnerability, please request an invitation to our private Bug Bounty program on Bugcrowd by submitting a request for access here.
- For all other questions regarding Phantom, including account security issues, visit help.phantom.app.