Bug Bounty Program
At Zora, we prioritize the safety and security for all of our users and community members. We encourage and appreciate any feedback from our community to help us identify and promptly address any potential vulnerabilities in our product.
How to Submit#
Please send an email to security@zora.co with the following information:
- A clear description of the issue and its potential impact.
- The area where the vulnerability was found.
- Detailed steps that are required to reproduce the issue.
- Any proof-of-concept code or other supporting material.
Once we receive your report, a member of our security team will email you to confirm the report has been received and we'll begin investigating the issue. We'll update you on the progress and may ask for more details if necessary. If we receive multiple reports of the same issue, we will only consider the first report that we receive for acceptance (given the first report satisfies the requirements of an accepted submission).
Bug Bounty Rewards#
- Reward of up to 25 ETH for any critical bugs that could result in loss of funds.
- Rewards will be awarded for smaller bugs or improvements that are classified as valid. This tier of reward will depend on the following considerations; the product found in, impact and severity.
Scope#
Assets listed below are considered in-scope and are eligible submissions within the bug bounty program. If you believe you have found a vulnerability in an area not specified in the table, please report it to the team and a member of our security team will investigate it further.
| Asset | Type | Scope | Eligable Reward* |
|---|---|---|---|
| zora.co - zora.co/create/single-edition - zora.co/create/edition - zora.co/create/drop - zora.co/collect/zora:[contract address] - zora.co/collect/eth:[contract address] | Website and Applications | In scope | Up to 5 ETH |
| api.zora.co | Website and Applications | In scope | Up to 1 ETH |
| zora.energy - https://bridge.zora.energy/ | Website and Applications | In scope | Up to 5 ETH |
| docs.zora.co | Website and Applications | In scope | Up to 2 ETH |
| testnet.zora.co | Website and Applications | In scope | Up to 2 ETH |
| https://github.com/ourzora/zora-drops-contracts | Smart Contract | In scope | Up to 25 ETH |
| https://github.com/ourzora/zora-1155-contracts | Smart Contract | In scope | Up to 25 ETH |
| https://github.com/ourzora/protocol-rewards | Smart Contract | In scope | Up to 25 ETH |
| https://github.com/ourzora/zdk | Smart Contract | In scope | Up to 3 ETH |
Please note: All bounty rewards will be denoted and paid out as USDC. Rewards will require the recipient to have an erc20 wallet address.
Out of Scope Vulnerabilities#
- Any activity that could lead to the disruption of our service (DDOS/DOS).
- Vulnerabilities that require physical access to a user's device
- Attacks requiring leaked keys or credentials
- Site or domain configuration
- Theoretical attacks without proof of exploitability
Program Rules#
- Social engineering targeted to Zora employees is prohibited
- Submit one vulnerability per report.
- Please provide thorough reports with clear steps that can be replicated. If the report lacks sufficient detail to reproduce the issue, it may not be accepted.
- When duplicates occur, we will only accept to the first report that was received, as long as it can be fully reproduced.
Disclosure Policy#
To ensure responsible handling of vulnerability disclosures, it is crucial to keep all discussions of such vulnerabilities (even those that have already been resolved) within the program and not disclose them externally within 90 days of remediation or without Zora's express approval. Failure to comply with the Disclosure Policy will result in forfeiture of any eligible reward. Be confident that you are adhering to this policy and contributing to the safety and integrity of the program
Program updated as of September 2023