Bug Bounty Program

Updated June 2024

Security at Zora

At Zora, we prioritize the safety and security of all of our users and community members. We encourage and value feedback from our community that helps us identify and promptly address potential vulnerabilities in our products.

Report Submission Guidelines

To submit your report, send an email to security@zora.co and include the following details:

  • Issue Description: Provide a detailed description of the issue, outlining its potential impact.
  • Location: Specify the location where the vulnerability was identified.
  • Steps to Reproduce: Outline detailed steps to reproduce the issue.
  • Proof of Concept: Include proof-of-concept code, screenshots, videos, logs, etc. demonstrating the vulnerability.

Upon receiving your report, a member of our security team will promptly confirm receipt and initiate an investigation into the reported issue. We are committed to keeping you informed with regular updates on the progress of the investigation. If we require additional information or clarification, we will reach out to you directly.

Bug Bounty Rewards

  • Rewards of up to $40,000 for any critical bugs that could result in loss of funds.
  • Rewards may also be awarded for smaller bugs or improvements deemed valid. Considerations include the exploit scenario, product affected, likelihood, and impact.

Scope

The assets listed below are considered in-scope within our bug bounty program. If you discover a vulnerability outside these specified areas, please report it to our team for further investigation.

Asset                                             | Type                     | Scope    | Eligible Reward
--------------------------------------------------|--------------------------|----------|----------------
zora.co/create                                    | Website and Applications | In scope | Up to $10,000
zora.co/collect/[chain]:[contract address]        |                          |          |
zora.co/[profile address]                         |                          |          |
api.zora.co                                       | Website and Applications | In scope | Up to $2,000
zora.energy                                       | Website and Applications | In scope | Up to $10,000
https://bridge.zora.energy/                       |                          |          |
docs.zora.co                                      | Website and Applications | In scope | Up to $5,000
https://github.com/ourzora/zora-protocol          | Smart Contract           | In scope | Up to $40,000
https://github.com/ourzora/zora-drops-contracts   | Smart Contract           | In scope | Up to $40,000

Please note: All bounty rewards are denominated in USD and are paid out in USDC. Recipients must provide a wallet address capable of receiving ERC-20 tokens. KYC verification is required and will be requested specifically for valid reports that meet the criteria for a reward payout.

Out of scope vulnerabilities

  • Any activity that could lead to the disruption of our service (DDoS/DoS).
  • Theoretical impacts without proof or demonstration.
  • Vulnerabilities that require physical access to a user's device.
  • Clickjacking on pages with no sensitive actions.
  • Attacks requiring leaked keys or credentials.
  • Self-XSS.
  • Lack of Secure/HttpOnly flags on non-sensitive cookies.
  • Misconfigured SPF/DMARC records.
  • Lack of DNSSEC or CAA records.
  • Automated scanner reports without demonstrated impact.
  • Issues that are not reproducible or do not present a clear security risk.

Program Rules

  • Only submit one vulnerability per report.
  • When duplicates occur, we will only accept the first report that was received, as long as it fulfils our submission criteria and can be fully reproduced.
  • Social engineering targeting Zora employees is prohibited.
  • Publishing sensitive information discovered during security testing is prohibited.
  • Vulnerabilities that Zora is aware of will not be rewarded.
  • Please provide thorough reports with clear steps that can be replicated. If your report lacks sufficient detail to reproduce the issue, it will not be accepted.

Disclosure Policy

For responsible management of vulnerability disclosures, keep all discussions related to these vulnerabilities, including resolved ones, strictly within the program. Additionally, do not disclose them externally within 90 days of remediation or without Zora's explicit consent. Failure to comply with the Disclosure Policy may result in the loss of any potential reward. Your adherence to this policy greatly enhances the program's safety and integrity.