Bug Bounty Program
Security at Zora#
At Zora, we prioritize the safety and security for all of our users and community members. We encourage and appreciate any feedback from our community to help us identify and promptly address any potential vulnerabilities in our product.
Report Submission Guidelines#
To submit your report, please send an email to security@zora.co and include the following details:
- Provide a clear description of the issue, highlighting its potential impact.
- Specify the location where the vulnerability was identified.
- Steps to reproduce (Add details for how we can reproduce the issue).
- Include any proof-of-concept code or supporting materials.
Upon receipt of your report, a member of our security team will confirm and begin an investigation into the reported issue. We are committed to providing you with regular updates on the progress of your report. Should further information or clarification be necessary, we will reach out to you.
Bug Bounty Rewards#
- Rewards of up to $40,000 for any critical bugs that could result in loss of funds.
- Rewards may be awarded for smaller bugs or improvements that are classified as valid. This will depend on the following considerations; the exploit scenario, product found in, likelihood and impact.
Scope#
Assets listed below are considered in-scope and are eligible submissions within the bug bounty program. If you believe you have found a vulnerability in an area not specified in the table, please report it to the team and a member of our security team will investigate it further.
| Asset | Type | Scope | Eligible Reward |
|---|---|---|---|
| zora.co/create zora.co/collect/[chain]:[contract address] zora.co/[profile address] | Website and Applications | In scope | Up to $10,000 |
| api.zora.co | Website and Applications | In scope | Up to $2000 |
| zora.energy - https://bridge.zora.energy/ | Website and Applications | In scope | Up to $10,000 |
| docs.zora.co | Website and Applications | In scope | Up to $5000 |
| https://github.com/ourzora/zora-protocol | Smart Contract | In scope | Up to $40,000 |
| https://github.com/ourzora/zora-drops-contracts | Smart Contract | In scope | Up to $40,000 |
Please note: All bounty rewards will be denoted as USD and will be paid out as USDC. Rewards will require the recipient to have an erc20 wallet address. KYC verification is required and will be specifically requested in cases of valid reports that meet the criteria for a reward payout.
Out of scope vulnerabilities#
- Any activity that could lead to the disruption of our service (DDOS/DOS).
- Vulnerabilities that require physical access to a user's device.
- Clickjacking on pages with no sensitive actions.
- Attacks requiring leaked keys or credentials.
- Self-XSS reports will not be accepted.
- Lack of Secure/HTTPOnly flags on non-sensitive Cookies.
- Missing or incorrect SPF and/or DMARC records of any kind.
- Theoretical attacks without proof of exploitability.
Program Rules#
- Social engineering targeted to Zora employees is prohibited.
- Publishing sensitive information discovered during security testing is prohibited.
- Only submit one vulnerability per report.
- Vulnerabilities that Zora is aware of will not be rewarded.
- Please provide thorough reports with clear steps that can be replicated. If the report lacks sufficient detail to reproduce the issue, it may not be accepted.
- When duplicates occur, we will only accept the first report that was received, as long as it fulfills our submission criteria and can be fully reproduced.
Disclosure Policy#
To ensure responsible handling of vulnerability disclosures, it is crucial to keep all discussions of such vulnerabilities (even those that have already been resolved) within the program and not disclose them externally within 90 days of remediation or without Zora's express approval. Failure to comply with the Disclosure Policy will result in forfeiture of any eligible reward. Be confident that you are adhering to this policy and contributing to the safety and integrity of the program.
Updated as of February 2024