Responsible disclosure

Scope, severity tiers, SLA, and safe-harbour are published and binding today. Cash rewards activate once Vault closes its first paying pilot — researchers who file before that are paid retroactively at the tier we confirmed them into.

🟡 Scope live · cash payouts coming soon

⚠ Honest status — no cash rewards yet

Vault is pre-revenue. Advertising dollar bounties we cannot pay would be dishonest — we've seen enough "bounty ghosting" in this industry to know it damages researchers more than the companies doing it. This page publishes the full scope, safe-harbour clause, and report path today so good-faith researchers have everything they need. Specific dollar ranges per tier publish on the same commit that flips Vault's status from pre-revenue to first-paying-customer, and pay out retroactively against every confirmed tier in the hall of fame.

Why this exists

Vault holds the plaintext-to-ciphertext conversion for regulated data: patient records, payment cards, SSNs, insurance IDs. A bug in Vault is worse than the bug it was meant to prevent — customers trust Vault to keep plaintext off the CDN layer, and a silent bypass is a regulator-reportable breach.

The scope is deliberately narrow. We want depth on the highest-impact classes — cryptographic bypass, key extraction, timing side-channels — not volume on low-severity UX issues.

Scope

In scope

Asset	Description
`products/zoza-vault/vault.go`	Core Seal/Open primitives — Curve25519 + HKDF + AES-GCM
`products/zoza-vault/padding.go`	v2 fixed-block padding wire format. Length-inference attacks in scope
`products/zoza-vault/timing.go`	Constant-time decrypt wrapper. Timing-side-channel escapes in scope
`products/zoza-vault/server.go`	HTTP API — app register/rotate, decrypt, public-key, applications
`products/zoza-vault/applications_handlers.go`	Apply + admin approve/reject. Admin-token escapes in scope
`products/zoza-vault/sdk/vault.js`	Browser SDK — X25519 + HKDF + AES-GCM in Web Crypto
`vault-api.zoza.world`	Production HTTP API
`frontend-web/public/developers/vault.html`	Developer docs + public apply form. XSS / injection in scope

Out of scope

Shared zoza-products Fly host and Cloudflare DNS (report to hosting programs).
Other products (Shield, Auth, Verify, Sign, AI Agent, Messenger) — each has its own bounty scope.
Non-Vault pages on zoza.world — marketing only.
Social engineering of Zoza staff.
Denial of service (unless cryptographically elegant — e.g. an AAD oracle causing quadratic work).
Physical attacks on Fly.io datacenters.
Missing security headers without demonstrable exploit.

What counts as critical

Decrypt any stored ciphertext without the target app's private key.
Extract an app's private key from any public endpoint, log, or side-channel.
Produce ciphertext that OpenField accepts AND decrypts to attacker-chosen plaintext (AAD bypass, nonce reuse, GCM forgery).
Timing side-channel distinguishing decrypt-success from decrypt-failure with statistical significance over 10,000 samples after the constant-time wrapper applies.
Length-inference against the v2 padded wire format — any ciphertext feature that reveals plaintext length bucket.
Admin endpoints reachable without the admin token.
SQL injection, command injection, or XSS with customer-data exfiltration in the admin UI.
Any path from a public-internet request to reading another app's private key or plaintext.

Severity tiers · cash rewards coming soon

Severity	Range	Criteria
Critical	Coming soon	Cryptographic break, key extraction, auth bypass at admin layer, stored-ciphertext decrypt without key
High	Coming soon	Partial plaintext leak (e.g. reliable length distinguisher), timing distinguisher, admin-role escalation
Medium	Coming soon	Reliable DoS against decrypt path, app-confusion attack, cross-account info leak (not plaintext)
Low	Coming soon	Reflected XSS in docs, CSRF on non-mutating endpoints, CORS hardening without demonstrable exploit

Tier classification is binding today — confirmed reports enter the hall of fame at the confirmed tier. Dollar ranges per tier publish and backfill retroactively once the program is funded by a paying pilot. Reports that include a reproducible test case against main (2×) or a working patch (3×) earn the multiplier on the tier they land in.

Rules of engagement

Test only against the staging instance at vault-staging.zoza.world (provisioned on first report). Do not run volumetric tests against production.
Never exfiltrate plaintext you encounter. If you see real customer data, stop, document in redacted form, and report immediately.
No public disclosure until 90 days or our published fix, whichever is earlier. We commit to initial triage within 72 hours of submission and a public CVE / advisory within 30 days of the fix.

✓ Safe harbor

We will not pursue legal action against researchers operating in good faith within this scope. This commitment is binding and published — not a "we'll decide later" promise.

How to report

Email security@zoza.world, encrypted with our PGP key (fingerprint in security.txt).
Include: bug class, minimal reproducer, commit hash, and preferred future-payout rail (USDC on Arbitrum / Base / Solana, or USD wire after KYC). Rail honoured when the program activates.
We acknowledge within 24 business hours and issue a triage ID within 72.

Hall of fame

Every confirmed report is listed here with reporter credit (unless opted out) + assigned tier + resolution date, starting today. Tiers here are what retroactive dollar payouts pay against once the program is funded. No planting of straw reports.

No confirmed reports yet. Be the first.