# Responsible Disclosure

Our preferred reporting procedure is as follows:

**For vulnerabilities in public-access code, such as the Zen Protocol node:**

* Visit our GitLab at <https://gitlab.com/zenprotocol>, and open the appropriate project. (For bugs in ZFStar or the SDK, you'll have to visit our GitHub at <https://github.com/zenprotocol>.)
* Open a confidential issue. **Do not** leave any information in the issue which could reveal the exploit.
* We'll confirm our receipt of the issue, and that it is tagged as confidential.
* Edit the issue to leave details of the vulnerability.

**For vulnerabilities in our website or other non-public code/services:**

* Email <info@zenprotocol.com> with notification of a vulnerability, including in what service it is present.
* We'll confirm receipt.
* Reply to your Zen Protocol contact with details of the vulnerability.

Our programme awards between $300 and $50,000+, at our sole discretion, for the responsible disclosure of security vulnerabilities. Participation in the paid bounty programme is not mandatory to receive credit for responsible disclosure. The terms for participation are:

**For credit as a security researcher**

* Agreement to 30-day embargo. You should not disclose any details of the vulnerability within this period.
* Co-ordinated disclosure within the embargo period. We will inform you in advance of when we intend to publicize the vulnerability, and we will give you the opportunity to write your own report, to be issued simultaneously. We would be happy to link to your own report.
* Full disclosure. You should inform us, to the best of your knowledge, of all details of the vulnerability. Should you discover additional information about or relating to the vulnerability, you should inform us as soon as possible.

**For eligibility to receive a bounty**

* **All the above terms**, as well as:
* Extension to 60-day embargo. We may request to extend the embargo to 60 days.
* Identification. We may require you identify yourself to us. We promise to keep this information confidential.
* Award at our discretion. We will evaluate the severity of the vulnerability and determine what bounty should be awarded. You agree that the evaluation and award are made at our sole discretion.

Additionally, if you wish to be eligible to receive a bounty, you should inform us at the start of the disclosure process.

