Bug Bounty Program

Introduction

zkMe is dedicated to ensuring the highest levels of security for its smart contracts and applications. As part of this commitment, we have established a comprehensive bug bounty program to identify and address potential vulnerabilities. By incentivizing the discovery and responsible disclosure of security issues, we aim to fortify our systems and protect our users from incidents that could lead to financial losses, service disruptions, governance compromises, or breaches of data integrity and privacy.

Reward Tiers and Threat Level Classification

To effectively prioritize and address potential vulnerabilities, we have implemented a four-tier threat level system for both websites/apps and smart contracts/blockchains. This system evaluates the severity of threats based on factors such as the potential impact of exploitation, the level of access required, and the feasibility of a successful exploit.

All submissions related to web and app vulnerabilities must include a detailed Proof of Concept (PoC). Submissions without a PoC will be returned to the submitter with a request for the necessary evidence.

Smart Contracts and Applications Rewards Breakdown

  • Critical:

    • Non-user fund loss: Rewards range from 5,000 USD to 10,000 USD, calculated at 1% of the assets at risk.

  • High:

    • Rewards range from 2,000 USD to 5,000 USD, calculated at 1% of the assets at risk, if the issue remains unresolved for 1 month.

  • Medium:

    • Rewards range from 500 USD to 2,000 USD, calculated at 1% of the assets at risk, if the issue remains unresolved for 1 month.

  • Low:

    • A standard reward of 500 USD is offered for low-severity vulnerabilities.

Payouts are processed directly by the zkMe team and are denominated in USD. Bug bounty participants have the option to receive payouts in USDC or USDT, providing flexibility and accommodating individual preferences.

Scope and Rules

To maintain the integrity and effectiveness of the bug bounty program, certain vulnerabilities and activities are considered out of scope for rewards. These include:

  • Previously exploited attacks that have caused damage

  • Attacks requiring leaked keys/credentials or privileged addresses

  • Incorrect data from third-party oracles (excluding oracle manipulation/flash loan attacks)

  • Basic economic governance attacks, such as 51% attacks

  • Liquidity issues, critiques on best practices, and Sybil attacks

For websites and applications, vulnerabilities that are deemed out of scope include theoretical risks without a PoC, content spoofing, self-XSS, and other low-impact findings. Additionally, vulnerabilities that require privileged organizational access, or that are classified as feature requests or best-practices critiques, are not eligible for rewards.

To ensure the safety and fairness of the bug bounty program, participants must adhere to the following rules:

  • All testing must be conducted on private testnets; testing on mainnet or public testnets is strictly prohibited.

  • Interactions with pricing oracles or third-party smart contracts are not allowed.

  • Phishing or social engineering attacks are strictly forbidden.

  • Testing with third-party systems and applications is not permitted.

  • Initiating denial of service attacks is prohibited.

  • Automated testing that generates significant traffic is not allowed.

  • Public disclosure of unpatched vulnerabilities under an embargoed bounty is strictly prohibited.

Conclusion

zkMe is committed to maintaining the highest standards of security and continuously improving its security posture. By fostering a collaborative relationship with the security community through our bug bounty program, we aim to identify and address potential vulnerabilities proactively. We encourage responsible disclosure and value the contributions of individuals who dedicate their time and expertise to enhancing the security of our smart contracts and applications.

Together, we can create a more secure and resilient ecosystem, ensuring the protection of user funds, data integrity, and privacy. zkMe extends its gratitude to all participants in the bug bounty program for their valuable contributions to our ongoing security efforts.