
Zel Bug Bounty Program

The Zel Community and Foundation are happy to announce “The Zel Bug Bounty Program” to reward security researchers and developers who invest their time and effort in finding bugs or exploits and reporting them through the attached procedure for responsible disclosure of qualifying security vulnerabilities. Please, contribute to our code! – Daniel Keller, CSO

What can you earn?

All bugs will be evaluated according to the CVSS scoring scale and rewarded accordingly. The CVSS levels are:

[Table: bounty program reward levels by CVSS severity]

Base level rewards are:

  • None: $10 in Zel for purely cosmetic bugs
  • Low: $10-200 in Zel for low-order bugs
  • Medium: $200-1000 in Zel
  • High: $1000-3000 in Zel
  • Critical: $3000-5000 in Zel

These amounts are converted to Zel once a year, so the Zel figure paid may not match the dollar value at current market rates.

For High and Critical level bugs, there are multipliers for incentivized exploits, coin-destructive exploits, and chain-splitting or chain-halting exploits. The exact nature of these multipliers will not be disclosed publicly, so if you do happen to have something of that nature, please reach out and we will make accommodations.

Responsible Disclosure Policy

To encourage responsible disclosure, no legal action shall be taken against you, provided you adhere to the following points:

1. For Zelcore related issues: exploits and bugs are restricted to your own account or instance of the Zelcore wallet and have been carried out for validation purposes only.

2. For website related issues: no data is removed from the website upon discovery.

3. The Zel Blockchain and nodes: any and all exploits must be confined to a private testnet or regtest for validation purposes. Any code modifications carried out to run exploits need to be disclosed along with their effects for full validation.

4. For the Flux distributed operating system: any and all exploits are confined to your own nodes for validation purposes. Should additional nodes be required to fully validate more serious exploits, the Zel team will assist with a private testnet.

5. Submissions can only be made to [email protected] or via direct message to a developer on Discord; in either case, using the attached PGP keys for encryption is a requirement.

6. Include an email address for responses in your report.

7. Adhere to the timeframes laid out in the initial confirmation-of-report emails.

How it works:

A. Adhere to the Responsible Disclosure Policy.

B. Make all possible effort not to interrupt or degrade our service.

C. Do not attempt to gain unauthorized access to user accounts, assets or information (use your own account or accounts to test against).

D. Do not copy or modify any files or data, including permissions, and do not intentionally view or access any data beyond what is needed to prove the vulnerability.

E. Do not exploit a security issue you discover beyond the point of validation on your own accounts/nodes.

F. We publish a list of researchers who have submitted valid security reports.

G. However, should you wish to remain anonymous, we will respect your privacy.

H. We reserve the right to determine timeframes for publishing reports (and accompanying updates) pertaining to each instance. However, we will make a best effort to keep you informed on all such issues.

Eligibility Requirements

We have the right to remove you from the Bug Bounty Program and disqualify you from receiving any bounty rewards if you:

  • Are in violation of any national, state, or local law or regulation

Scope of Services covered by the programme:

  • (Apps): ZelCore (Win/Linux/MacOS X) – must be on the latest/recent update (released in the last 30 days)
  • (Mobile): ZelCore Mobile – latest available release on Google Play store and Apple App store
  • (Libraries): zeltrezjs library
  • (Website): zel.network, my.zel.cash
  • (Email): @zel.network, @zel.cash
  • (Open Source): Zel/Zelnode Daemon, Flux, Zel-ID, etc.
  • (Infrastructure): ZelCore explorers & other servers hosted by Zel Team

Out-of-scope Service

  • Third-party libraries
  • Infrastructure not managed by the Zel Team, such as public explorers and ZelNodes run by community members

Qualifying Bugs

1. Injection flaws such as SQL, NoSQL, MongoDB or OS command injection that trick an interpreter into executing unintended commands without proper authorization.

2. Broken authentication/session management that allows compromise of passwords, keys, or session tokens.

3. Sensitive data exposure due to improper protection of data via an insecure API or a flaw in the cryptography implementation.

5. Cross-Site Request Forgery (CSRF) for sensitive functions in a privileged context.

6. Remote code execution (RCE).

7. Insecure Direct Object References.

8. Privilege Escalation.

9. Significant security misconfiguration (when not caused by the user).

10. Directory Traversal.

11. Open Redirects.

12. Spoofing enablement.

13. Any significant abuse-related methodologies that could lead to significant harm.

The above list is by no means exhaustive, so if you have a bug that is not on it and not on the excluded list, do reach out; it is covered.

Non-Qualifying Bugs

1. Non-original or previously disclosed/reported bugs (with fixes currently underway).

2. Non-technical attacks such as social engineering, phishing, or physical attacks against entities or infrastructure.

3. Anything that degrades or damages the reliability or integrity of our services (such as DDoS attacks, man-in-the-middle attacks, spamming, and similar questionable acts).

4. Any software not directly produced by the Zel Team.

5. Domains hosted by third parties (e.g. GitHub, GitLab).

6. Subdomains operated by third parties (e.g. info.zel.cash).

7. Any Zel-branded services operated by third parties.

Reporting Procedure

Send an email using the PGP keys below; [email protected] is the only email address to use. Failing to use the attached PGP keys for the bug report will invalidate any security issue rated higher than level 2 on the CVSS scale.

1. Write up a report on your findings.

2. PGP-encrypt the report with the keys from the URL.

3. Within 24 hours you will receive an acknowledgement.

4. Adhere to the timeline and additional information requests from the Zel team outlined in the acknowledgement email.

5. Discuss publication times and names.

6. Collect the bounty.

7. Get published.
