Bug Bounty Program | ZORA Docs

Bug Bounty Program

Updated August 2025

Security at Zora

At Zora, we prioritize the safety and security of all our users and community members. We encourage and value feedback from our community that helps us identify and promptly address potential vulnerabilities in our product.

Report Submission Guidelines

To submit your report, please email security@zora.co and include the following information:

  • Issue Description: A clear explanation of the vulnerability and its potential impact.
  • Location: The exact location or component where the issue was found.
  • Steps to Reproduce: Include detailed steps to reproduce the issue.
  • Proof of Concept: Include proof-of-concept code, screenshots, videos, logs, etc. demonstrating the vulnerability.

Upon receiving your report, a member of our security team will confirm receipt and initiate an investigation into the reported issue. We are committed to keeping you informed of the progress of the investigation. If we require additional information or clarification, we will reach out to you directly.

Bug Bounty Rewards

  • Critical vulnerabilities that could lead to loss of funds may earn up to $40,000.

Rewards are paid in USDC (USD-denominated) and require:

  • An ERC20 compatible wallet address.
  • KYC verification in cases where a reward is issued.

Scope

The assets listed below are considered in-scope within our bug bounty program. If you discover a vulnerability outside these specified areas, please report it to our team for further investigation.

Asset                                     | Type                     | Scope    | Eligible Reward
------------------------------------------|--------------------------|----------|----------------
zora.co/create                            | Website and Applications | In scope | Up to $10,000
zora.co/coin/base:[contract address]      |                          |          |
zora.co/[profile address]                 |                          |          |
api.zora.co                               | Website and Applications | In scope | Up to $2,000
docs.zora.co                              | Website and Applications | In scope | Up to $5,000
zora protocol                             | Smart Contracts          | In scope | Up to $40,000
Zora iOS App                              | Mobile Applications      | In scope | Up to $5,000
Zora Android App                          | Mobile Applications      | In scope | Up to $5,000

(The first three assets form a single row: all three zora.co paths share the same type, scope and reward ceiling.)

Out of scope vulnerabilities

The following issues are not eligible for rewards:

  • Denial-of-Service (DoS/DDoS) or any activity that disrupts service availability.
  • Vulnerabilities requiring physical access to a user’s device.
  • Theoretical or speculative issues without proof-of-concept.
  • Clickjacking on non-sensitive pages.
  • Attacks requiring leaked keys or compromised credentials.
  • Self-XSS issues.
  • Missing cookie flags on non-sensitive cookies.
  • Misconfigured or missing SPF/DMARC/DNSSEC/CAA records without demonstrated impact.
  • Automated scanner output without demonstrated impact.
  • Issues that cannot be reliably reproduced or that present negligible security risk.
  • Best practice recommendations.

Program Rules

  • Submit one vulnerability per report.
  • When duplicates occur, we will only accept the first report that was received, as long as it fulfills our submission criteria and can be fully reproduced.
  • Social engineering attacks targeting Zora staff are strictly prohibited.
  • Publishing sensitive information discovered during security testing is prohibited.
  • Vulnerabilities already known to Zora are ineligible for rewards.
  • Please provide thorough reports with clear steps that can be replicated. If your report lacks sufficient detail to reproduce the issue, it will not be accepted.

Disclosure Policy

For responsible management of vulnerability disclosures, keep all discussions related to these vulnerabilities, including resolved ones, strictly within the program. Additionally, do not disclose them externally within 90 days of remediation or without Zora's explicit consent. Failure to comply with the Disclosure Policy may result in the loss of any potential reward. Your adherence to this policy greatly enhances the program's safety and integrity.