zkMe Bug Bounty Program

Introduction

zkMe is dedicated to ensuring the highest levels of security for its smart contracts and applications. As part of this commitment, we have established a comprehensive bug bounty program to identify and address potential vulnerabilities. By incentivizing the discovery and responsible disclosure of security issues, we aim to fortify our systems and protect our users from incidents that could lead to financial losses, service disruptions, governance compromises, or breaches of data integrity and privacy.

Reward Tiers and Threat Level Classification

To effectively prioritize and address potential vulnerabilities, we have implemented a four-tier threat level system for both websites/apps and smart contracts/blockchains. This system evaluates the severity of threats based on factors such as the potential impact of exploitation, the level of access required, and the feasibility of a successful exploit. All submissions related to web and app vulnerabilities must include a detailed Proof of Concept (PoC). Submissions without a PoC will be returned to the submitter with a request for the necessary evidence.

Smart Contracts and Applications Rewards Breakdown

  • Critical:

    • Non-user fund loss: Rewards range from 5,000 USD to 10,000 USD, calculated at 1% of the assets at risk.

  • High:

    • Rewards range from 2,000 USD to 5,000 USD, calculated at 1% of the assets at risk, if the issue remains unresolved for 1 month.

  • Medium:

    • Rewards range from 500 USD to 2,000 USD, calculated at 1% of the assets at risk, if the issue remains unresolved for 1 month.

  • Low:

    • A standard reward of 500 USD is offered for low-severity vulnerabilities.

Payouts are processed directly by the zkMe team and are denominated in USD. Bug bounty participants have the option to receive payouts in USDC or USDT, providing flexibility and accommodating individual preferences.

Scope and Rules

To maintain the integrity and effectiveness of the bug bounty program, certain vulnerabilities and activities are considered out of scope for rewards. These include:

  • Previously exploited attacks that have caused damage

  • Attacks requiring leaked keys/credentials or privileged addresses

  • Incorrect data from third-party oracles (excluding oracle manipulation/flash loan attacks)

  • Basic economic governance attacks, such as 51% attacks

  • Liquidity issues, critiques on best practices, and Sybil attacks

For websites and applications, vulnerabilities that are deemed out of scope include theoretical risks without a PoC, content spoofing, self-XSS, and other low-impact findings. Additionally, vulnerabilities that require privileged organizational access or are classified as feature requests or best practices critiques are not eligible for rewards.

To ensure the safety and fairness of the bug bounty program, participants must adhere to the following rules:

  • All testing must be conducted on private testnets; testing on mainnet or public testnets is strictly prohibited.

  • Interactions with pricing oracles or third-party smart contracts are not allowed.

  • Phishing or social engineering attacks are strictly forbidden.

  • Testing with third-party systems and applications is not permitted.

  • Initiating denial of service attacks is prohibited.

  • Automated testing that generates significant traffic is not allowed.

  • Public disclosure of unpatched vulnerabilities under an embargoed bounty is strictly prohibited.

Note: Our Bug Bounty program does not cover issues related to DoS (Denial of Service) or traffic-related attacks. These types of attacks are typically related to service performance rather than direct security vulnerabilities and are therefore excluded from the scope of this program.

How to Report a Bug: Process and Steps

  • Step 1: Identify the Bug

    • Confirm that the bug is within the scope of our bounty program (see "Scope and Rules") and prepare a detailed description and Proof of Concept (PoC).

  • Step 2: Submit the Bug Report

    • Include the following in your submission:

      • A description of the bug and its potential impact.

      • Steps to reproduce the bug, with screenshots or video if needed.

      • PoC for vulnerabilities, and contract details for smart contract issues.

  • Step 3: Send the Report

    • Submit your report via the designated platform or send it to contact@zk.me. zkMe will respond within 48 hours.

  • Step 4: Review and Fix

    • Our security team will review the report, confirm the severity, and proceed with fixing the issue. You may receive updates during the process.

  • Step 5: Receive Reward

    • After the issue is resolved, rewards are given based on the threat level.

Conclusion

zkMe is committed to maintaining the highest standards of security and continuously improving its security posture. By fostering a collaborative relationship with the security community through our bug bounty program, we aim to identify and address potential vulnerabilities proactively. We encourage responsible disclosure and value the contributions of individuals who dedicate their time and expertise to enhancing the security of our smart contracts and applications.

Together, we can create a more secure and resilient ecosystem, ensuring the protection of user funds, data integrity, and privacy. zkMe extends its gratitude to all participants in the bug bounty program for their valuable contributions to our ongoing security efforts.