Bug Bounty Program
Security at Zora#
At Zora, we prioritize the safety and security for all of our users and community members. We encourage and appreciate any feedback from our community to help us identify and promptly address any potential vulnerabilities in our product.
Report Submission Guidelines#
To submit your report, forward it to security@zora.co and include the following details:
- Provide a clear description of the issue, highlighting its potential impact.
- Specify the location where the vulnerability was identified.
- Outline detailed steps necessary to reproduce the issue.
- Include any proof-of-concept code or supporting materials.
After receiving your report, our security team will confirm and begin investigating the issue. We'll keep you updated along the way and request more details if required. For the same issue, we'll consider only the first report meeting our criteria
Bug Bounty Rewards#
- Reward of up to 25 ETH for any critical bugs that could result in loss of funds.
- Rewards may be awarded for smaller bugs or improvements that are classified as valid. This will depend on the following considerations; the exploit scenario, product found in, likelihood and impact.
Scope#
Assets listed below are considered in-scope and are eligible submissions within the bug bounty program. If you believe you have found a vulnerability in an area not specified in the table, please report it to the team and a member of our security team will investigate it further.
| Asset | Type | Scope | Eligable Reward |
|---|---|---|---|
| zora.co/create zora.co/collect/[chain]:[contract address] | Website and Applications | In scope | Up to 5 ETH |
| api.zora.co | Website and Applications | In scope | Up to 1 ETH |
| zora.energy - https://bridge.zora.energy/ | Website and Applications | In scope | Up to 5 ETH |
| docs.zora.co | Website and Applications | In scope | Up to 2 ETH |
| testnet.zora.co | Website and Applications | In scope | Up to 2 ETH |
| https://github.com/ourzora/zora-protocol | Smart Contract | In scope | Up to 25 ETH |
| https://github.com/ourzora/zora-drops-contracts | Smart Contract | In scope | Up to 25 ETH |
| https://github.com/ourzora/zdk | Smart Contract | In scope | Up to 2 ETH |
Please note: All bounty rewards will be denoted and paid out as USDC. Rewards will require the recipient to have an erc20 wallet address. KYC verification is required and will be specifically requested in cases of valid reports that meet the criteria for a reward payout.
Out of scope vulnerabilities#
- Any activity that could lead to the disruption of our service (DDOS/DOS).
- Vulnerabilities that require physical access to a user's device.
- Attacks requiring leaked keys or credentials.
- Missing or incorrect SPF records of any kind.
- Missing or incorrect DMARC records of any kind.
- Theoretical attacks without proof of exploitability.
Program Rules#
- Social engineering targeted to Zora employees is prohibited.
- Submit one vulnerability per report.
- Vulnerabilities that Zora is aware of will not be rewarded.
- Please provide thorough reports with clear steps that can be replicated. If the report lacks sufficient detail to reproduce the issue, it may not be accepted.
- When duplicates occur, we will only accept to the first report that was received, as long as it fulfills our submission criteria and can be fully reproduced.
Disclosure Policy#
To ensure responsible handling of vulnerability disclosures, it is crucial to keep all discussions of such vulnerabilities (even those that have already been resolved) within the program and not disclose them externally within 90 days of remediation or without Zora's express approval. Failure to comply with the Disclosure Policy will result in forfeiture of any eligible reward. Be confident that you are adhering to this policy and contributing to the safety and integrity of the program.
Updated as of November 2023