Bug bounty · Zoza Auth

Crack the crypto. Cash prize coming soon.

Zoza Auth holds the "approve or deny" gate for every customer bank that integrates us. The single most valuable thing you can tell us is "here's a way to forge an approval". Scope is published today; dollar payouts activate once our first paying pilot signs — we won't advertise numbers we can't cut a cheque for. Until then: credit, triage, CVE assignment, hall of fame. Reports to security@zoza.world.

Honest status: Zoza Auth is pre-revenue. We publish the scope, SLA, and safe-harbour today so good-faith researchers have everything they need. A funded bounty tier with specific dollar ranges will be announced publicly on the same commit that flips the program status from pre-revenue to first-paying-customer.

Severity tiers · cash payouts coming soon

Critical · payout: coming soon
  Forge an approved challenge without device cooperation. Show that ConstantTimeCompare is not constant-time (a timing leak that yields key material). Recover a device private key through the public API.
High · payout: coming soon
  Replay a used challenge. Bypass the rate limit. Extract an admin token via any endpoint. DoS that halts the gateway for 10 minutes or more.
Medium · payout: coming soon
  Information disclosure beyond policy (for example, another customer's audit rows). Missing validation that allows stored XSS in admin UI fields.
Low · payout: coming soon
  Missing security headers, CSRF on low-risk admin forms, verbose error messages exposing internals, timing leaks under 10 µs that do not yield key material.

Tier classification is binding today — confirmed reports are assigned a tier and held in the hall of fame. Dollar amounts per tier publish when the program is funded. Reporters who file before funding are paid retroactively at the tier they were confirmed into. Keep your testing to your own issued app, please.
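To make the Critical and High tier targets concrete, here is an added Go model of a challenge/response gate with the two properties those tiers attack: a challenge is spent exactly once (so a replayed proof fails) and the proof comparison uses crypto/subtle's ConstantTimeCompare. This is illustrative code written for this page, not Zoza Auth's auth.go; the names toyGate, Issue, Verify and deviceProof, the HMAC-SHA256 proof construction, and the sample device key are all assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// Hypothetical gate: not the Zoza Auth implementation, only a model of the
// properties the bounty tiers name (single-use challenges, constant-time
// proof comparison).
var (
	ErrUnknownChallenge = errors.New("unknown challenge")
	ErrReplayed         = errors.New("challenge already used")
	ErrExpired          = errors.New("challenge expired")
	ErrBadProof         = errors.New("proof mismatch")
)

type challenge struct {
	nonce   []byte
	expires time.Time
	used    bool
}

type toyGate struct {
	mu         sync.Mutex
	challenges map[string]*challenge
	ttl        time.Duration
	now        func() time.Time // injectable clock so expiry can be tested
}

func newToyGate(ttl time.Duration) *toyGate {
	return &toyGate{challenges: map[string]*challenge{}, ttl: ttl, now: time.Now}
}

// Issue mints a fresh 256-bit random nonce and records it as unused. The hex
// encoding doubles as the challenge ID the device echoes back.
func (g *toyGate) Issue() (string, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	id := hex.EncodeToString(nonce)
	g.mu.Lock()
	defer g.mu.Unlock()
	g.challenges[id] = &challenge{nonce: nonce, expires: g.now().Add(g.ttl)}
	return id, nil
}

// deviceProof is the device side: HMAC-SHA256 over the nonce with the
// per-device key (assumed construction, chosen for the example).
func deviceProof(deviceKey, nonce []byte) []byte {
	m := hmac.New(sha256.New, deviceKey)
	m.Write(nonce)
	return m.Sum(nil)
}

// Verify spends the challenge before the proof is checked, so neither a
// replayed good proof nor repeated guessing against one nonce gets a second
// chance. Proofs are fixed-length, so ConstantTimeCompare leaks nothing
// beyond the length.
func (g *toyGate) Verify(id string, proof, deviceKey []byte) error {
	g.mu.Lock()
	defer g.mu.Unlock()
	c, ok := g.challenges[id]
	if !ok {
		return ErrUnknownChallenge
	}
	if c.used {
		return ErrReplayed
	}
	c.used = true // burn first: a wrong proof also spends the challenge
	if g.now().After(c.expires) {
		return ErrExpired
	}
	expected := deviceProof(deviceKey, c.nonce)
	if subtle.ConstantTimeCompare(expected, proof) != 1 {
		return ErrBadProof
	}
	return nil
}

func main() {
	g := newToyGate(time.Minute)
	key := []byte("constructed-device-key") // constructed sample, not a real key
	id, _ := g.Issue()
	nonce, _ := hex.DecodeString(id)
	proof := deviceProof(key, nonce)
	fmt.Println("first use:", g.Verify(id, proof, key)) // <nil>
	fmt.Println("replay:", g.Verify(id, proof, key))    // challenge already used
}
```

The opposite of what a Critical-tier timing report hunts for is a byte loop that returns at the first mismatch: response time then grows with the number of correct leading bytes, which is exactly the signal ConstantTimeCompare is meant to remove. The "burn before check" ordering in Verify is the part most replay-style findings turn on; a gate that marks the challenge used only after a successful comparison lets a wrong proof be retried indefinitely against the same nonce.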

In / out of scope

✓ In scope

  • auth.go cryptographic path — computeAuthProof, VerifyResponse, IssueChallenge.
  • Applications and admin endpoints under /admin/*.
  • Gateway routing at https://auth-api.zoza.world.
  • Go library at products/zoza-auth/*.
  • Postgres schema at auth_* tables (injection, RLS bypass).

✗ Out of scope

  • Phishing / social-engineering of Zoza employees.
  • Physical security of Fly data centers.
  • Third-party dependencies (pgx, golang.org/x/crypto): report them upstream.
  • Rate-limit probing that creates >1,000 apply submissions.
  • Self-XSS in your own browser.
  • Attacks requiring already-compromised admin credentials.

Responsible disclosure SLA

Safe-harbour

Testing that follows this policy, stays within scope, and does not exfiltrate real customer data is explicitly authorised under the India IT Act 2000 § 43A consent carve-out. You will not be sued for clean testing conducted in good faith against your own issued app. We will even shield you against accidental third-party complaints that name you as the originating IP, provided you notified us in writing before the test.

Hall of fame

Every confirmed report is listed here with reporter credit (unless opted out) + assigned tier + resolution date. This list will populate as the program ages — no planting of straw reports. Tiers here are what retroactive dollar payouts pay against once funded.