From f81a142fda04f5c77182ad5ff22544edc1a31f4a Mon Sep 17 00:00:00 2001 From: Iain Nash Date: Fri, 18 Oct 2024 18:21:27 -0400 Subject: [PATCH] Update bug bounty docs (#790) * Update bug bounty docs [draft] * update bug bounty targets * updates to scope * Update bug-bounty-program.mdx removed bridge --------- Co-authored-by: gillo <86749935+gilllo@users.noreply.github.com> --- docs/pages/bug-bounty/bug-bounty-program.mdx | 35 +++++++++----------- 1 file changed, 16 insertions(+), 19 deletions(-) diff --git a/docs/pages/bug-bounty/bug-bounty-program.mdx b/docs/pages/bug-bounty/bug-bounty-program.mdx index 2a8e393e..aa19d74c 100644 --- a/docs/pages/bug-bounty/bug-bounty-program.mdx +++ b/docs/pages/bug-bounty/bug-bounty-program.mdx @@ -1,14 +1,15 @@ -# Bug Bounty Program -*Updated June 2024* +# Bug Bounty Program -### Security at Zora +_Updated September 2024_ -At Zora, we prioritize the safety and security for all of our users and community members. We encourage and value any feedback from our community to help us identify and promptly address any potential vulnerabilities in our product. +### Security at Zora +At Zora, we prioritize the safety and security for all of our users and community members. We encourage and value any feedback from our community to help us identify and promptly address any potential vulnerabilities in our product. ### Report Submission Guidelines To submit your report, send an email to [security@zora.co](mailto:security@zora.co) and include the following details: + - **Issue Description**: Provide a detailed description of the issue, outlining its potential impact. - **Location**: Specify the location where the vulnerability was identified. - **Steps to Reproduce**: Outline detailed steps to reproduce the issue. 
@@ -21,24 +22,21 @@ Upon receiving your report, a member of our security team will promptly confirm - Rewards of up to $40,000 for any **critical** bugs that could result in loss of funds. - Rewards may also be awarded for smaller bugs or improvements deemed valid. Considerations include the exploit scenario, product affected, likelihood, and impact. - ### Scope -The assets listed below are considered in-scope within our bug bounty program. If you discover a vulnerability outside these specified areas, please report it to our team for further investigation. - -| Asset | Type | Scope | Eligible Reward | -|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------|----------|-----------------| -| [zora.co/create](https://zora.co/create)
zora.co/collect/[chain]:[contract address]
zora.co/[profile address] | Website and Applications | In scope | Up to $10,000 | -| [api.zora.co](https://api.zora.co) | Website and Applications | In scope | Up to $2000 | -| zora.energy
- https://bridge.zora.energy/ | Website and Applications | In scope | Up to $10,000 | -| [docs.zora.co](https://docs.zora.co) | Website and Applications | In scope | Up to $5000 | -| https://github.com/ourzora/zora-protocol | Smart Contract | In scope | Up to $40,000 | -| https://github.com/ourzora/zora-drops-contracts | Smart Contract | In scope | Up to $40,000 | +The assets listed below are considered in-scope within our bug bounty program. If you discover a vulnerability outside these specified areas, please report it to our team for further investigation. -*Please note: All bounty rewards will be denoted as USD and will be paid out as USDC. Rewards will require the recipient to have an erc20 wallet address. KYC verification is required and will be specifically requested in cases of valid reports that meet the criteria for a reward payout.* +| Asset | Type | Scope | Eligible Reward | +| -------------------------------------------------------------------------------------------------------------------------- | ------------------------ | ------------ | --------------- | +| [zora.co/create](https://zora.co/create)
zora.co/collect/[chain]:[contract address]
zora.co/[profile address] | Website and Applications | In scope | Up to $10,000 | +| [api.zora.co](https://api.zora.co) | Website and Applications | In scope | Up to $2,000 | +| [docs.zora.co](https://docs.zora.co) | Website and Applications | In scope | Up to $5000 | +| https://github.com/ourzora/zora-protocol | Smart Contracts | In scope | Up to $40,000 | +| https://github.com/ourzora/zora-drops-contracts | Smart Contracts | Out of scope | Deprecated | +_Please note: All bounty rewards will be denoted as USD and will be paid out as USDC. Rewards will require the recipient to have an erc20 wallet address. KYC verification is required and will be specifically requested in cases of valid reports that meet the criteria for a reward payout._ -### Out of scope vulnerabilities +### Out of scope vulnerabilities - Any activity that could lead to the disruption of our service (DDOS/DOS). - Theoretical impacts without proof or demonstration. 
@@ -61,7 +59,6 @@ The assets listed below are considered in-scope within our bug bounty program. I - Vulnerabilities that Zora is aware of will not be rewarded. - Please provide thorough reports with clear steps that can be replicated. If your report lacks sufficient detail to reproduce the issue, it will not be accepted. - ### Disclosure Policy -For responsible management of vulnerability disclosures, keep all discussions related to these vulnerabilities, including resolved ones, strictly within the program. Additionally, do not disclose them externally within 90 days of remediation or without Zora's explicit consent. Failure to comply with the Disclosure Policy may result in the loss of any potential reward. Your adherence to this policy greatly enhances the program's safety and integrity. \ No newline at end of file +For responsible management of vulnerability disclosures, keep all discussions related to these vulnerabilities, including resolved ones, strictly within the program. Additionally, do not disclose them externally within 90 days of remediation or without Zora's explicit consent. Failure to comply with the Disclosure Policy may result in the loss of any potential reward. Your adherence to this policy greatly enhances the program's safety and integrity.
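Review bot: In the first hunk (`@@ -1,14 +1,15 @@`) the new stamp `_Updated September 2024_` is older than the patch's own commit date (Fri, 18 Oct 2024); if the stamp is meant to show when the program terms last changed, it should read October 2024, otherwise readers will assume the scope table below is a month older than it is. Minor: the blank line between `### Security at Zora` and its paragraph is dropped while one is added before the submission bullet list; keep heading spacing consistent across the file.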
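Review bot: In the scope hunk (`@@ -21,24 +22,21 @@`) the row `| https://github.com/ourzora/zora-drops-contracts | Smart Contracts | Out of scope | Deprecated |` contradicts the sentence directly above the table, "The assets listed below are considered in-scope within our bug bounty program"; move the deprecated repository into the out-of-scope section (or a one-line note under the table) so a reporter cannot read the table as implying a reward for it. The same hunk deletes the whole `zora.energy` row, not only the `https://bridge.zora.energy/` sub-entry that the commit message ("removed bridge") describes; confirm whether zora.energy itself is meant to leave scope or whether the row should be kept without the bridge line. Minor: reward amounts now mix `Up to $2,000` and `Up to $5000`; pick one number format.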