SECURITY.md

Phoenix Bug Bounty Program

Bug Bounty Overview

This bug bounty program is specifically for Phoenix’s smart contract code and Sokoban’s red-black tree implementation. All relevant code is open source.

Our bug bounty security guidelines are based on Immunefi’s vulnerability severity classification system, and are subject to change at any time.

The bug bounty program is administered by Ellipsis Labs and OtterSec. All bug bounty decisions made are final.

Security Classifications and Bounty Amounts

Severity	Description	Bounty
Critical	Direct theft of funds Permanent freezing of funds Vulnerabilities that lead to protocol insolvency	Up to $200,000
High	Temporary freezing of user funds	Up to $25,000
Medium	Slow-drip drainage of funds that’s profitable to the attacker Orders getting filled at a worse price than specified Theft of rent Loss of data Unintended reuse of sequence numbers	Up to $10,000
Low	Griefing (no profit for the attacker, but damage to the protocol or its users) Temporary denial of service	Up to $5,000

Bugs in phoenix-sdk and other code outside of the smart contract will be assessed on a case-by-case basis.

Report Submission

Please email [email protected] with a detailed description of the attack vector. For high- and critical-severity reports, please include a proof of concept on a deployed fork of the relevant programs. We will reach back out within 24 hours with additional questions or next steps on the bug bounty.

Scope

The following components are explicitly out of scope for the bounty program.

• Vulnerabilities that the reporter has already exploited themselves, leading to damage
• Any UI bugs
• Bugs in the core Solana runtime (please submit these to Solana’s bug bounty program)
• Bugs in the Sokoban library that do not affect the red-black tree
• Vulnerabilities that require a validator to execute them
• Vulnerabilities requiring access to privileged keys/credentials
• MEV vectors the team is already aware of