Our preferred reporting procedure is as follows: For vulnerabilities in public-access code, such as the Zen Protocol node:
Open a confidential issue. Do not leave any information in the issue which could reveal the exploit.
We'll confirm our receipt of the issue, and that it is tagged as confidential.
Edit the issue to leave details of the vulnerability.
For vulnerabilities in our website or other non-public code/services:
Email email@example.com with notification of a vulnerability, including in what service it is present.
We'll confirm receipt.
Reply to your Zen Protocol contact with details of the vulnerability.
Our programme awards between $300 and $50,000+, at our sole discretion, for the responsible disclosure of security vulnerabilities. Participation in the paid bounty programme is not mandatory to receive credit for responsible disclosure. The terms for participation are: For credit as a security researcher
Agreement to 30-day embargo. You should not disclose any details of the vulnerability within this period.
Co-ordinated disclosure within the embargo period. We will inform you in advance of when we intend to publicize the vulnerability, and we will give you the opportunity to write your own report, to be issued simultaneously. We would be happy to link to your own report.
Full disclosure. You should inform us, to the best of your knowledge, of all details of the vulnerability. Should you discover additional information about or relating to the vulnerability, you should inform us as soon as possible.
For eligibility to receive a bounty
All the above terms, as well as:
Extension to 60-day embargo. We may request to extend the embargo to 60 days.
Identification. We may require you identify yourself to us. We promise to keep this information confidential.
Award at our discretion. We will evaluate the severity of the vulnerability and determine what bounty should be awarded. You agree that the evaluation and award are made at our sole discretion.
Additionally, if you wish to be eligible to receive a bounty, you should inform us at the start of the disclosure process.