Bug Bounty

The Root token contract is considered in-scope of the Beanstalk Immunefi Bug Bounty Program. The maximum bounty is 1,100,000 Beans.
You can find the bug bounty program and submit bug reports here.
In order to be considered for the maximum potential reward, bug reports must come with (1) a Proof of Concept (PoC), and (2) code implementing the fix.
Bug reports that do not come with a PoC and code implementing a fix may qualify for a maximum of up to 30% of the potential reward outlined below, as determined by the Beanstalk Immunefi Committee (BIC). You can read more about the BIC here:
All vulnerabilities noted in any audit report in the Beanstalk Audits repository (or otherwise known by the BIC, Beanstalk Community Multisig, or Root DAO Multisig) are not eligible for a reward.