-
Notifications
You must be signed in to change notification settings - Fork 79
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
* Update bug bounty docs [draft] * update bug bounty targets * updates to scope * Update bug-bounty-program.mdx removed bridge --------- Co-authored-by: gillo <[email protected]>
- Loading branch information
Showing
1 changed file
with
16 additions
and
19 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,14 +1,15 @@ | ||
# Bug Bounty Program | ||
*Updated June 2024* | ||
# Bug Bounty Program | ||
|
||
### Security at Zora | ||
_Updated September 2024_ | ||
|
||
At Zora, we prioritize the safety and security for all of our users and community members. We encourage and value any feedback from our community to help us identify and promptly address any potential vulnerabilities in our product. | ||
### Security at Zora | ||
|
||
At Zora, we prioritize the safety and security for all of our users and community members. We encourage and value any feedback from our community to help us identify and promptly address any potential vulnerabilities in our product. | ||
|
||
### Report Submission Guidelines | ||
|
||
To submit your report, send an email to [[email protected]](mailto:[email protected]) and include the following details: | ||
|
||
- **Issue Description**: Provide a detailed description of the issue, outlining its potential impact. | ||
- **Location**: Specify the location where the vulnerability was identified. | ||
- **Steps to Reproduce**: Outline detailed steps to reproduce the issue. | ||
|
@@ -21,24 +22,21 @@ Upon receiving your report, a member of our security team will promptly confirm | |
- Rewards of up to $40,000 for any **critical** bugs that could result in loss of funds. | ||
- Rewards may also be awarded for smaller bugs or improvements deemed valid. Considerations include the exploit scenario, product affected, likelihood, and impact. | ||
|
||
|
||
### Scope | ||
|
||
The assets listed below are considered in-scope within our bug bounty program. If you discover a vulnerability outside these specified areas, please report it to our team for further investigation. | ||
|
||
| Asset | Type | Scope | Eligible Reward | | ||
|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------|----------|-----------------| | ||
| [zora.co/create](https://zora.co/create) <br /> zora.co/collect/[chain]:[contract address]<br /> zora.co/[profile address] | Website and Applications | In scope | Up to $10,000 | | ||
| [api.zora.co](https://api.zora.co) | Website and Applications | In scope | Up to $2000 | | ||
| zora.energy<br />- https://bridge.zora.energy/ | Website and Applications | In scope | Up to $10,000 | | ||
| [docs.zora.co](https://docs.zora.co) | Website and Applications | In scope | Up to $5000 | | ||
| https://github.com/ourzora/zora-protocol | Smart Contract | In scope | Up to $40,000 | | ||
| https://github.com/ourzora/zora-drops-contracts | Smart Contract | In scope | Up to $40,000 | | ||
The assets listed below are considered in-scope within our bug bounty program. If you discover a vulnerability outside these specified areas, please report it to our team for further investigation. | ||
|
||
*Please note: All bounty rewards will be denoted as USD and will be paid out as USDC. Rewards will require the recipient to have an erc20 wallet address. KYC verification is required and will be specifically requested in cases of valid reports that meet the criteria for a reward payout.* | ||
| Asset | Type | Scope | Eligible Reward | | ||
| -------------------------------------------------------------------------------------------------------------------------- | ------------------------ | ------------ | --------------- | | ||
| [zora.co/create](https://zora.co/create) <br /> zora.co/collect/[chain]:[contract address]<br /> zora.co/[profile address] | Website and Applications | In scope | Up to $10,000 | | ||
| [api.zora.co](https://api.zora.co) | Website and Applications | In scope | Up to $2,000 | | ||
| [docs.zora.co](https://docs.zora.co) | Website and Applications | In scope | Up to $5000 | | ||
| https://github.com/ourzora/zora-protocol | Smart Contracts | In scope | Up to $40,000 | | ||
| https://github.com/ourzora/zora-drops-contracts | Smart Contracts | Out of scope | Deprecated | | ||
|
||
_Please note: All bounty rewards will be denoted as USD and will be paid out as USDC. Rewards will require the recipient to have an erc20 wallet address. KYC verification is required and will be specifically requested in cases of valid reports that meet the criteria for a reward payout._ | ||
|
||
### Out of scope vulnerabilities | ||
### Out of scope vulnerabilities | ||
|
||
- Any activity that could lead to the disruption of our service (DDOS/DOS). | ||
- Theoretical impacts without proof or demonstration. | ||
|
@@ -61,7 +59,6 @@ The assets listed below are considered in-scope within our bug bounty program. I | |
- Vulnerabilities that Zora is aware of will not be rewarded. | ||
- Please provide thorough reports with clear steps that can be replicated. If your report lacks sufficient detail to reproduce the issue, it will not be accepted. | ||
|
||
|
||
### Disclosure Policy | ||
|
||
For responsible management of vulnerability disclosures, keep all discussions related to these vulnerabilities, including resolved ones, strictly within the program. Additionally, do not disclose them externally within 90 days of remediation or without Zora's explicit consent. Failure to comply with the Disclosure Policy may result in the loss of any potential reward. Your adherence to this policy greatly enhances the program's safety and integrity. | ||
For responsible management of vulnerability disclosures, keep all discussions related to these vulnerabilities, including resolved ones, strictly within the program. Additionally, do not disclose them externally within 90 days of remediation or without Zora's explicit consent. Failure to comply with the Disclosure Policy may result in the loss of any potential reward. Your adherence to this policy greatly enhances the program's safety and integrity. |