The Root token contract is considered in-scope of the Beanstalk Immunefi Bug Bounty Program. The maximum bounty is 1,100,000 Beans.
You can find the bug bounty program and submit bug reports here.
In order to be considered for the maximum potential reward, bug reports must come with (1) a Proof of Concept (PoC), and (2) code implementing the fix.
Bug reports that do not come with a PoC and code implementing a fix may qualify for a maximum of up to 30% of the potential reward outlined below, as determined by the Beanstalk Immunefi Committee (BIC). You can read more about the BIC here:
All vulnerabilities noted in any Halborn audit reports or the Trail of Bits audit report (or otherwise known by the BIC or Beanstalk Community Multisig) are not eligible for a reward.