Zilliqa is enabling new decentralized business models which remove middlemen and inefficiencies. The trustless connections formed on Zilliqa’s blockchain are creating new ways of interacting and trading with each other and we’ve only just begun unfolding the possibilities.

Zilliqa invites you to test and help secure our primary publicly facing assets - focusing on our cryptocurrency platform and smart contract language/implementation. We appreciate your efforts and hard work in making the internet (and Zilliqa) more secure, and look forward to working with the researcher community to create a meaningful and successful bug bounty program. Good luck and happy hunting!

Ratings/Rewards:

For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy.

NOTE: Vulnerabilities that are not included within the VRT will be rewarded in a different manner as described below.

It is important to note that in some cases, a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full and detailed explanation will be provided to the researcher, along with the opportunity to appeal and make the case for a higher priority.

Some repositories in this program need to be assessed both by code review and by installing the testnet. Vulnerabilities concerning the code itself or the testnet will be rewarded according to the table shown below.

Vulnerability categories

P1 categories:

Remote Code Execution of a Zilliqa node

Remote Code Execution of a Zilliqa lookup node

Any methods of siphoning or creating funds

P2 categories:

Remote Code Execution of the Zilliqa Savant IDE

Security bugs or issues in the (non-third-party) cryptography relating to key generation, encryption, decryption, signing, and verification

Smart Contract vulnerabilities that can destabilize all DApps within the ecosystem

P3 categories:

Denial of Service (termination of process) to a Zilliqa lookup node

Denial of Service (termination of process) to a Zilliqa node

Denial of Service (termination of process) to the Zilliqa Savant IDE

P4 categories:

Denial of Service (unable to progress with the consensus protocol) to a Zilliqa lookup node

Denial of Service (unable to progress with the consensus protocol) to a Zilliqa node

The following documentation and matrix apply exclusively to the https://github.com/Zilliqa/staking-contract target.

Documentation Type: Links

Seed Node Staking Mechanism Improvement Proposal: https://github.com/Zilliqa/ZIP/blob/master/zips/zip-11.md

Staking Contract Specification: https://github.com/Zilliqa/staking-contract/tree/bug_bounty/contracts

Developer Portal: https://dev.zilliqa.com/docs/staking/phase1/staking-phase1-overview

Scilla documentation: https://scilla.readthedocs.io/en/latest

Technical Severity: Vulnerability Type

P1 ($3,000 - $6,000):

Vulnerabilities that allow unauthorised draining of ≥100K testnet $ZIL

Vulnerabilities that allow unauthorised unlimited minting of $ZIL within a day

P2 ($1,500 - $4,000):

Vulnerabilities that allow unauthorised draining of <100K testnet $ZIL

Vulnerabilities that allow limited unauthorised minting of more than 10,000 $gZIL within a day

P3 ($500 - $1,500):

Unintended smart contract state (e.g. illegal modification of contract parameters)

Vulnerabilities that allow limited unauthorised minting of up to 10,000 $gZIL within a day

P4 ($200 - $800):

Determined on a case-by-case basis

Due to the nature of the https://github.com/Zilliqa/staking-contract target, the matrix above is only a guideline for how we will accept particular classes of issues; we will make an honest effort to determine the right priority level on a case-by-case basis.

Reward table