Responsible disclosure · scope published

Break Shield. Cash prize coming soon.

Shield is a security tool. A silent bypass is worse than the drain it was built to stop. We publish the full scope, severity tiers, SLA, and safe harbor today — and we'll activate dollar payouts the day our first paying pilot signs. Researchers who file before that are paid retroactively at the tier we confirmed them into.

Scope: Shield only
Payouts: coming soon
Platform: Immunefi (on activation)
Safe harbor: yes — today

Honest status: Shield is pre-revenue. Advertising a dollar bounty we cannot cut a cheque for would be dishonest. Scope and tiers are binding now; dollar ranges publish on the same commit that flips the program from pre-revenue to first-paying-customer.

Severity tiers · cash payouts coming soon

Critical

Coming soon
Silent bypass of Permit2 / approval decoder. Forged audit-log entry that verifies. Issuing a valid API key without admin token. Extracting the HSM-backed root key from `shield-sign-hsm` memory.

High

Coming soon
Wrong risk tier shown for a critical action. Mis-signed registry the extension accepts. Revoked cosigner still accepted by multisig verifier. Quota bypass on B2B endpoints.

Medium

Coming soon
Modal dismissible without typed-ack for critical. Clipboard guard false negative on a specific format. Wrong `X-RateLimit-*` headers causing integrator miscounts.

Low

Coming soon
Logic errors that don't weaken the model. Misleading but non-exploitable warning copy. Minor UX that affects security comprehension.

Tier classification is binding today — confirmed reports enter the hall of fame at the confirmed tier. Dollar ranges per tier publish and backfill retroactively once the program is funded by a paying pilot. Payouts, on activation, in USDC on Ethereum mainnet or a mutually-agreed L2 stablecoin.

What's in scope

Asset | Status | Notes
products/zoza-shield/extension/** | In | Highest priority. inpage.js provider hook is the bigger target.
products/zoza-shield-sdk/** | In | Published as @zoza/shield. Decoder parity issues between SDK and extension count as High severity.
products/zoza-shield/*.go (backend) | In | Registry API, audit log, multisig verifier, B2B decoder, API-key store, Shield URL check.
products/zoza-shield/cmd/shield-sign-hsm/** | In | PKCS#11 HSM signer. Leaks of key material from process memory are Critical.
products/zoza-safe-guard/** (Solidity) | Post-audit | In scope after external audit completes. Pre-audit issues are welcome but not paid until fix lands and audit re-confirms.
shield-api.zoza.world | In | Production HTTP API.
Shield transparency pages (/about/shield-audit.html, /about/shield-canary.html) | In | Client-side verification bugs that cause a false "valid" are Critical.

Out of scope

Safe harbor

We will not sue researchers who follow this policy.

Researchers acting in good faith and within this scope are authorized to reverse-engineer, decompile, and test against their own wallets. Zoza will not pursue action under the CFAA, India's IT Act § 43/66, the DMCA, or equivalents.

Safe harbor does NOT cover: attacks against real user wallets/balances (test with your own funds); exfiltrating other users' data (stop and report if accidental); destructive testing against production; physical attacks.

Disclosure rules

Submit a report

Preferred: the Immunefi reporting form (link appears here once Zoza is listed).

Otherwise: PGP-encrypted email to security@zoza.world with [SHIELD-BOUNTY] in the subject. PGP key at /.well-known/security.txt.


Hall of fame

As valid submissions land, acknowledged researchers (with permission) will be listed here by handle and submission date. No entries yet — be the first.