This bug bounty program is specifically for Plasma’s smart contract code. All relevant code is publicly available.
Our bug bounty security guidelines are based on Immunefi’s vulnerability severity classification system, and are subject to change at any time.
The bug bounty program is administered by Ellipsis Labs. All bug bounty decisions made are final.
| Severity | Description | Bounty |
|---|---|---|
| Critical |
|
Up to $200,000 |
| High |
|
Up to $25,000 |
| Medium |
|
Up to $10,000 |
| Low |
|
Up to $5,000 |
Bugs in plasma-sdk and other code outside of the smart contract will be assessed on a case-by-case basis.
Please email [email protected] with a detailed description of the attack vector. For high- and critical-severity reports, please include a proof of concept on a deployed fork of the relevant programs. We will reach back out within 24 hours with additional questions or next steps on the bug bounty.
The following components are explicitly out of scope for the bounty program.
- Vulnerabilities that the reporter has already exploited themselves, leading to damage
- Any UI bugs
- Bugs in the core Solana runtime (please submit these to Solana’s bug bounty program)
- Vulnerabilities that require a validator to execute them
- Vulnerabilities requiring access to privileged keys/credentials
- MEV vectors the team is already aware of