The Root token contract is considered in-scope of the Beanstalk Immunefi Bug Bounty Program. The maximum bounty is 1,100,000 Beans.
In order to be considered for the maximum potential reward, bug reports must come with (1) a Proof of Concept (PoC), and (2) code implementing the fix.
Bug reports that do not come with a PoC and code implementing a fix may qualify for a maximum of up to 30% of the potential reward outlined below, as determined by the Beanstalk Immunefi Committee (BIC). You can read more about the BIC here:
All vulnerabilities noted in any audit report in the Beanstalk Audits repository (or otherwise known by the BIC, Beanstalk Community Multisig, or Root DAO Multisig) are not eligible for a reward.