This bug bounty program is specifically for Phoenix’s smart contract code and Sokoban’s red-black tree implementation. All relevant code is open source.
Our bug bounty security guidelines are based on Immunefi’s vulnerability severity classification system, and are subject to change at any time.
The bug bounty program is administered by Ellipsis Labs and OtterSec. All bug bounty decisions made are final.
| Severity | Description | Bounty |
|---|---|---|
| Critical |
|
Up to $200,000 |
| High |
|
Up to $25,000 |
| Medium |
|
Up to $10,000 |
| Low |
|
Up to $5,000 |
Bugs in phoenix-sdk and other code outside of the smart contract will be assessed on a case-by-case basis.
Please email maintainers@ellipsislabs.xyz with a detailed description of the attack vector. For high- and critical-severity reports, please include a proof of concept on a deployed fork of the relevant programs. We will reach back out within 24 hours with additional questions or next steps on the bug bounty.
The following components are explicitly out of scope for the bounty program.
- Vulnerabilities that the reporter has already exploited themselves, leading to damage
- Any UI bugs
- Bugs in the core Solana runtime (please submit these to Solana’s bug bounty program)
- Bugs in the Sokoban library that do not affect the red-black tree
- Vulnerabilities that require a validator to execute them
- Vulnerabilities requiring access to privileged keys/credentials
- MEV vectors the team is already aware of