Responsible disclosure · scope published

Break Sign. Cash prize coming soon.

Sign exists to catch the class of attacks that stole $1.46B from Bybit, $625M from Ronin, $235M from WazirX. If Sign misses one, we want to know before our customers lose funds. Severity tiers below are binding commitments today; cash amounts activate the day our first paying pilot signs — researchers who file before that are paid retroactively at the tier we confirmed them into.

Honest status: Sign is pre-revenue. Advertising a dollar bounty we cannot cut a cheque for would be dishonest. Scope + SLA + safe-harbour are live now; dollar ranges per tier publish on the same commit that flips the program from pre-revenue to first-paying-customer.

Severity tiers · cash payouts coming soon

critical · payout coming soon
Class break: a UI-vs-bytes attack the decoder fails to flag, reproducible on the production API, where the real-world incident class (Bybit, Ronin, WazirX) would NOT have been blocked.

Example: you construct a raw tx + intent pair where destination or amount disagree but /v1/verify returns risk_level: "safe".

critical · payout coming soon
Signature forgery or audit chain break: produce a receipt that verifies against the published authority pubkey but wasn't issued by Sign, OR break hash-chain validation on a log we publish.

Must NOT rely on compromising our production key — that's an infrastructure breach, out of scope.

high · payout coming soon
Partial-decode bypass: a raw tx the decoder mis-classifies in a way that downgrades a critical method (upgradeToAndCall, setApprovalForAll, Safe execTransaction) to a benign category, making the comparator silent.

medium · payout coming soon
Rate-limit bypass, admin-token leak via verbose error, audit-log entry tamper not caught by Verify(), canonicalization divergence between Go server and TS SDK that breaks receipt verify in one direction.

low · payout coming soon
Info leaks (stack traces, internal path disclosure), XSS in admin dashboard, CSRF on admin endpoints, missing security headers, weak TLS config.

Tier classification is binding today — confirmed reports enter the hall of fame at the confirmed tier. Dollar ranges per tier publish and backfill retroactively once the program is funded by a paying pilot.

In-scope

✓ sign-api.zoza.world — all paths under /v1/, /v1/admin (if you've guessed a token), /health
✓ @zoza/sign npm package — canonicalization, verify paths, type safety leaks
✓ zoza.world/about/sign* — the live decoder + canary + retention pages
✓ zoza.world/developers/sign.html — apply form behavior + XSS
✓ zoza-admin.fly.dev/dashboard/products/sign — admin proxy routes + RBAC
✓ The audit log hash chain — tamper detection, signature forgery, canonicalization

Out of scope

✗ Physical security of our Fly.io infrastructure (that's Fly's bounty).
✗ DDoS / volumetric availability attacks. Not a vulnerability, a cost problem.
✗ Self-XSS that requires pasting a payload into your own devtools.
✗ Anything requiring social engineering of a Sign employee.
✗ Missing rate limits on free endpoints that don't touch any keyed state.
✗ Findings already documented as "NOT yet built" on the overview — e.g., full RLP decoder, webhook delivery.

Rules of engagement

Example — the top-tier one

Target: signature forgery

Construct a SignedReceipt JSON with valid verification_id, exchange_id, status, timestamp, and signer_pub matching the current authority, such that POST /v1/receipts/verify returns {valid: true} — but the receipt was never issued by Sign (no corresponding entry in the audit log).

Why this is top-tier: it would let anyone forge compliance evidence that no transaction ever verified actually did. A single such forgery, on a $1B withdrawal flow, makes Sign worthless as an audit layer. The tier reflects impact, not effort.
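What a receipt verifier and audit-log check have to do so that the forgery target above, the chain-break variant of the critical tier, and the medium-tier "tamper not caught by Verify()" and canonicalization points are all caught, as an added Go example for this page. It is not Sign's code: the real server's wire format, key type and hashing rules are not published here, so the sorted-key JSON canonical form, the SHA-256 link hash over PrevHash || canonical receipt, and the Ed25519 authority key are assumptions of this example. The receipt field names are the ones the target above lists.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
)

// Receipt has the fields the bounty page names for a SignedReceipt. Canonical form, hash
// chaining and signing below are this example's assumptions, not Sign's real wire format.
type Receipt struct {
	VerificationID string `json:"verification_id"`
	ExchangeID     string `json:"exchange_id"`
	Status         string `json:"status"`
	Timestamp      int64  `json:"timestamp"`
	SignerPub      string `json:"signer_pub"`
}

// canonicalBytes is the one serialisation that is signed and hashed: sorted keys, no
// whitespace. Signer and verifier must produce identical bytes, otherwise receipts verify
// in only one direction (the medium-tier "canonicalization divergence").
func canonicalBytes(r Receipt) []byte {
	raw, _ := json.Marshal(r) // cannot fail for strings and an int64
	var m map[string]json.RawMessage
	_ = json.Unmarshal(raw, &m) // RawMessage keeps each value's bytes untouched
	out, _ := json.Marshal(m)   // encoding/json writes map keys in sorted order
	return out
}

// Entry is one link of the audit log: Hash = SHA-256(PrevHash || canonical receipt).
type Entry struct {
	PrevHash, Hash string
	Receipt        Receipt
}

type AuditLog struct{ Entries []Entry }

func linkHash(prev string, canon []byte) string {
	sum := sha256.Sum256(append([]byte(prev), canon...))
	return hex.EncodeToString(sum[:])
}

func (l *AuditLog) Append(r Receipt) {
	prev := ""
	if n := len(l.Entries); n > 0 {
		prev = l.Entries[n-1].Hash
	}
	l.Entries = append(l.Entries, Entry{PrevHash: prev, Hash: linkHash(prev, canonicalBytes(r)), Receipt: r})
}

// Verify recomputes every link; it returns the index of the first broken entry, or -1.
func (l *AuditLog) Verify() int {
	prev := ""
	for i, e := range l.Entries {
		if e.PrevHash != prev || linkHash(prev, canonicalBytes(e.Receipt)) != e.Hash {
			return i
		}
		prev = e.Hash
	}
	return -1
}

// Authority holds the signing key and the log that every receipt is anchored to.
type Authority struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
	Log  *AuditLog
}

func NewAuthority() *Authority {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand.Reader does not fail on supported platforms
	return &Authority{Pub: pub, priv: priv, Log: &AuditLog{}}
}

// Issue appends to the log before signing, so every valid receipt has a log entry.
func (a *Authority) Issue(r Receipt) (Receipt, []byte) {
	r.SignerPub = hex.EncodeToString(a.Pub)
	a.Log.Append(r)
	return r, ed25519.Sign(a.priv, canonicalBytes(r))
}

// VerifyReceipt accepts only when signer_pub is the authority key, the signature checks
// over the canonical bytes, the chain is intact, and the receipt is actually on the log.
// A verifier that stops after the signature check is what the forgery target describes.
func (a *Authority) VerifyReceipt(r Receipt, sig []byte) error {
	if r.SignerPub != hex.EncodeToString(a.Pub) {
		return errors.New("signer_pub is not the published authority key")
	}
	if !ed25519.Verify(a.Pub, canonicalBytes(r), sig) {
		return errors.New("signature does not verify over canonical bytes")
	}
	if a.Log.Verify() >= 0 {
		return errors.New("audit log hash chain is broken")
	}
	for _, e := range a.Log.Entries {
		if e.Receipt == r {
			return nil
		}
	}
	return errors.New("no audit-log entry for this receipt: never issued")
}
```

The order of checks is the point: a receipt with the right signer_pub and a good signature is still rejected unless the published log is intact and contains it, so "verifies against the authority pubkey but was never issued" cannot pass. Editing a stored entry changes its canonical bytes, so Verify() reports that index and every later link as well.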

Target: Bybit-class miss

Take the Bybit attack tx from Etherscan (the Safe implementation upgrade, Feb 2025 — easy to find via Chainalysis or Elliptic reporting), construct a plausible "transfer" intent the attackers' compromised UI would have shown, and if /v1/verify returns risk_level != "critical" — report it. Guaranteed tier-1 classification; retroactive cash at activation.
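The UI-vs-bytes comparator that the critical-tier "class break", the high-tier partial-decode bypass and the Bybit-class target all exercise, as an added Go example (not Sign's decoder, whose real categories and output are not published here). It classifies calldata by function selector, extracts destination and amount for an ERC-20 transfer, and returns a risk level; the category names, the risk levels, the fail-closed rule for truncated or oversized arguments, and the treatment of every privileged selector as critical are this example's assumptions. The four selector constants are the standard ABI selectors for those signatures; EncodeTransfer exists only to construct sample calldata.

```go
package main

import (
	"encoding/hex"
	"errors"
	"math/big"
	"strings"
)

// Intent is what the wallet UI showed the signer; DecodedCall is what the bytes do.
// Categories and risk levels below are this example's assumptions, not Sign's.
type Intent struct {
	To     string
	Amount *big.Int
}

type DecodedCall struct {
	Method, Category, To string
	Amount               *big.Int
}

// Function selectors are the first four bytes of keccak256 over the ABI signature; these are
// the standard values for ERC-20 transfer and the three methods the high tier names.
var selectors = map[string]struct{ name, category string }{
	"a9059cbb": {"transfer(address,uint256)", "transfer"},
	"a22cb465": {"setApprovalForAll(address,bool)", "approval"},
	"4f1ef286": {"upgradeToAndCall(address,bytes)", "upgrade"},
	"6a761202": {"execTransaction(address,uint256,bytes,uint8,uint256,uint256,uint256,address,address,bytes)", "safe-exec"},
}

// Decode classifies the call and extracts the fields the comparator needs. Every method above
// takes an address as its first ABI word; transfer's second word is the amount.
func Decode(calldata string) (DecodedCall, error) {
	data, err := hex.DecodeString(strings.TrimPrefix(calldata, "0x"))
	if err != nil {
		return DecodedCall{}, err
	}
	if len(data) < 4 {
		return DecodedCall{}, errors.New("calldata shorter than a selector")
	}
	sel := hex.EncodeToString(data[:4])
	info, ok := selectors[sel]
	if !ok {
		return DecodedCall{Method: "0x" + sel, Category: "unknown"}, nil
	}
	args := data[4:]
	if len(args) < 32 || (info.category == "transfer" && len(args) != 64) {
		// Truncated or oversized arguments: never "partially decode" into a benign category.
		return DecodedCall{}, errors.New("argument length does not match " + info.name)
	}
	d := DecodedCall{Method: info.name, Category: info.category, To: "0x" + hex.EncodeToString(args[12:32])}
	if info.category == "transfer" {
		d.Amount = new(big.Int).SetBytes(args[32:64])
	}
	return d, nil
}

// Compare is the UI-vs-bytes check: "safe" only when the bytes are a plain transfer whose
// destination and amount equal what the UI showed. Privileged or unknown calls escalate; a
// fuller comparator would recurse into the inner call of a Safe execTransaction rather than
// flag it outright, but it must never land it in a benign category.
func Compare(intent Intent, d DecodedCall) string {
	switch d.Category {
	case "upgrade", "approval", "safe-exec":
		return "critical"
	case "transfer":
		if !strings.EqualFold(d.To, intent.To) || d.Amount.Cmp(intent.Amount) != 0 {
			return "critical" // the bytes move funds somewhere the UI did not show
		}
		return "safe"
	}
	return "high" // unknown selector: cannot prove a match, so never "safe"
}

// Verify is the end-to-end path; decode failures fail closed instead of going silent.
func Verify(intent Intent, calldata string) string {
	d, err := Decode(calldata)
	if err != nil {
		return "critical"
	}
	return Compare(intent, d)
}

// EncodeTransfer builds ERC-20 transfer calldata; used here only to construct sample inputs.
func EncodeTransfer(to string, amount *big.Int) string {
	word := func(b []byte) []byte {
		out := make([]byte, 32)
		copy(out[32-len(b):], b)
		return out
	}
	addr, _ := hex.DecodeString(strings.TrimPrefix(to, "0x"))
	data := append([]byte{0xa9, 0x05, 0x9c, 0xbb}, word(addr)...)
	return "0x" + hex.EncodeToString(append(data, word(amount.Bytes())...))
}
```

The two design choices worth copying are the ones the tiers are really about: a decoder that cannot fully account for the argument bytes returns an error rather than a best-effort category, and the only path to "safe" is an exact match of decoded destination and amount against the intent. Everything the comparator cannot prove benign stays escalated.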

Program launched 2026-04-17. No time-bounded expiry — the program will exist as long as Sign does. Cash payouts (in USDC or bank transfer) activate on first paying pilot, and backfill retroactively against every confirmed tier in the hall of fame at zoza.world/about/sign-bounty.