No penetration tests
Security is obviously a top priority for us; however, we simply do not have the time and resources to devote to the scanning and testing that it requires. We are enlisting the help of both the Zen community and the greater InfoSec community to find and resolve any issues.
If you discover a potential security issue, please report it as soon as possible, and we will work with you to validate the issue. If the issue is validated and determined to be within scope, we will make every effort to resolve it correctly. Reporters are expected to allow a minimum of two weeks for Horizen to acknowledge the report before publicly disclosing the issue.
Currently, there is no way to make a report public after the issue is resolved. We are working on implementing this; in the meantime, reporters may share reports and bounties as they see fit after the resolution is applied. If requested, Horizen can provide validation that the reporter did in fact submit a report and what bounty was awarded.
Reports may be submitted to the Bug Bounty program via the following methods:
Note: Please indicate in subject or message body that the submission is a bug bounty.
Rewards are paid out in ZEN from the Horizen Community Fund, based on the CoinMarketCap price, after the issue is resolved. When possible, reports are rated according to the Bugcrowd Vulnerability Rating Taxonomy, and payouts generally follow this structure:
Note: This reward structure is under review and may change periodically.
P1: < 2500 USD payout
P2: < 1000 USD payout
P3: < 500 USD payout
P4: < 200 USD payout
P5: < 100 USD payout
If the report is for a known issue, no bounty will be awarded. Bounties may be paid for valid reports if the issue is determined to be a WontFix.
Ultimately, the final call on all bounty payouts is up to a human, not a process. We will still validate and investigate any report, regardless of whether it meets our criteria. It is very possible that an "invalid" report will still receive a payout, or that a report will receive a higher payout than indicated above. We may also elect to award a lower payout, or no payout, for valid reports. Discretion is ours and ours alone, but we try to be as fair as possible. Comparable HackerOne reports will often be used as a reference when determining payout amounts.
All Horizen software other than the website (e.g. core zend code, wallets, Secure Node Tracker, Zencashjs, etc.) is In-Scope, as long as testing is performed on Testnet or pre-production servers where possible. Testing on Mainnet or production servers may remove any eligibility for a bounty.
The following lists are examples of web vulnerabilities that are currently In-Scope and Out-of-Scope for the Bug Bounty program. These lists are not exhaustive and will be updated as needed, so it is advisable to check them often.
Examples of web vulnerabilities that are currently In-Scope for the Bug Bounty program:
Examples of web vulnerabilities that are currently Out-of-Scope for the Bug Bounty program:
Credit to Grabtaxi for inspiring much of the content: https://hackerone.com/grab