That’s the proof of concept. Now I want to scale it.
In March 2026, Alex “Scalar” Sol discovered a critical vulnerability in zcashd v3.1.0–v6.11.x: Sprout proof verification was silently skipped during block connection for nearly 6 years, exposing ~25,424 ZEC to a potential drain. Private disclosure, 72-hour coordinated patch across all 4 major mining pools, 200 ZEC reward paid. Zero exploitation window.
What I’m building
A unified bug bounty program for the Zcash ecosystem. One place for researchers to submit, one clear methodology (OWASP Risk Rating), one trusted coordinator. Your infrastructure is covered without you needing to run the operation.
Two things, and two things only:
Scope
Just tell me the name of your organization, the programs you run, and the repos you want covered. That’s it. A list is enough.
Budget
How much ZEC are you willing to pay per severity tier for findings in your scope? You keep the ZEC. You pay researchers directly when a valid finding comes in. Nothing moves through me.
Real-time email alert: you get notified the moment a report touches your scope via a dedicated address (e.g., zfnd@bountyzcash.org or shieldedlabs@bountyzcash.org), listed publicly on the site
Submission intake and triage routing to your team
Researcher communication
Public disclosure and Hall of Fame documentation after the embargo expires
Site maintenance, updates, and program coordination
The only cost is a flat maintenance fee for coordination and site operation. Your entire budget goes directly to researchers protecting your infrastructure and is never left with you.
Good initiative. If you want verifiable timestamps on the disclosure lifecycle (submission received, triage started, patch confirmed, embargo lifted, Hall of Fame published), ZAP1 can attest each step to Zcash. Private by default, disclosed when the researcher and org agree.
No wallet needed to verify. The proof bundle is public JSON: leaf hash, Merkle path, root, anchor txid. Anyone can check it with curl or the browser verifier at Frontier Compute - Proof Verifier. No wallet, no install.
ZAP1 doesn’t replace your notification flow. It adds a verifiable layer underneath it. You still send emails, update dashboards, ping Signal, whatever your process is. ZAP1 attests that each step happened at a specific time, anchored to Zcash. If anyone later questions the timeline, the proof is on-chain.
In practice: your intake system logs “submission received” and calls POST /attest with the event. ZAP1 returns a leaf hash. You include that hash in your email to the org. The org can verify it anytime, no account needed.
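To make the "check it yourself, no account needed" claim concrete, here is an added example (not ZAP1's code, and not from the post above) of how an org could verify a bundle of the shape described: leaf hash, Merkle path, root, anchor txid. The field names, the canonical-JSON leaf encoding, SHA-256 with leaf/node domain separation, and the odd-level duplication rule are all assumptions chosen for illustration; the real ZAP1 format may differ. The sample lifecycle events are constructed. The anchor txid is carried through but not checked here: confirming that the root actually appears in that Zcash transaction needs a node or explorer query, which this offline check deliberately does not do.

```python
import hashlib
import json

# Assumed hashing rules (illustration only, not ZAP1's real scheme).
def sha256(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()

def leaf_hash(event: dict) -> str:
    """Hash an event record over canonical JSON. 0x00 prefix separates leaves from inner nodes."""
    canon = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return sha256(b"\x00" + canon).hex()

def node_hash(left: str, right: str) -> str:
    """Inner node = SHA-256(0x01 || left || right), order-sensitive."""
    return sha256(b"\x01" + bytes.fromhex(left) + bytes.fromhex(right)).hex()

def build_tree(leaf_hashes):
    """Return all levels, leaves first. An odd-length level duplicates its last node."""
    levels = [list(leaf_hashes)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:
            cur = cur + [cur[-1]]
        levels.append([node_hash(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def merkle_path(levels, index):
    """Sibling hashes from leaf to root, each tagged with the side it sits on."""
    path = []
    for level in levels[:-1]:
        if len(level) % 2:
            level = level + [level[-1]]
        sibling = index ^ 1
        path.append({"hash": level[sibling], "side": "left" if sibling < index else "right"})
        index //= 2
    return path

def make_bundle(events, index, anchor_txid="ANCHOR_TXID_PLACEHOLDER"):
    """What an attestation service might hand back for events[index] (assumed shape)."""
    leaves = [leaf_hash(e) for e in events]
    levels = build_tree(leaves)
    return {
        "leaf_hash": leaves[index],
        "merkle_path": merkle_path(levels, index),
        "root": levels[-1][0],
        "anchor_txid": anchor_txid,   # not verified offline; needs a chain lookup
    }

def verify_bundle(bundle: dict, event: dict = None) -> bool:
    """Recompute root from leaf + path. If the event is supplied (e.g. copied from the
    email), also check that the leaf hash really commits to that event."""
    if event is not None and leaf_hash(event) != bundle["leaf_hash"]:
        return False
    h = bundle["leaf_hash"]
    for step in bundle["merkle_path"]:
        if step["side"] == "left":
            h = node_hash(step["hash"], h)
        elif step["side"] == "right":
            h = node_hash(h, step["hash"])
        else:
            return False
    return h == bundle["root"]

# Constructed sample lifecycle for one hypothetical report (five events, so the
# tree exercises the odd-level duplication rule).
EVENTS = [
    {"event": "submission_received",   "report": "demo-0001", "ts": "2025-01-02T10:00:00Z"},
    {"event": "triage_started",        "report": "demo-0001", "ts": "2025-01-02T11:30:00Z"},
    {"event": "patch_confirmed",       "report": "demo-0001", "ts": "2025-01-04T09:15:00Z"},
    {"event": "embargo_lifted",        "report": "demo-0001", "ts": "2025-01-05T12:00:00Z"},
    {"event": "hall_of_fame_published","report": "demo-0001", "ts": "2025-01-05T12:05:00Z"},
]

if __name__ == "__main__":
    bundle = make_bundle(EVENTS, 1)
    print(json.dumps(bundle, indent=2))
    print("valid:", verify_bundle(bundle, EVENTS[1]))
```

The point of passing the event itself into `verify_bundle` is that a bare leaf hash proves nothing to the org; they need to recompute it from the event text they were sent, otherwise a valid proof for some other record would pass. Tampering with any byte of the event, the leaf, a sibling hash, or the root makes the recomputed root diverge.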
We had our first bounty paid yesterday, and it has already been fixed.
I believe the program has the potential to function effectively as a security initiative, and it can benefit from contributions since it is open-source. I am in contact with Shielded Labs, but I have not yet received a response from ZF or ZODL. However, I think Jason can share our ideas with them.
This system (bountyzcash.org), if formalized by the ecosystem, can be part of the links within Zechub as a complement to the Zcash ecosystem. This was a missing piece. Also, the Zechub website and things can be in scope as well, so Zechub can be a new org to be tracked to better secure them as well. (@dismad).
Solid framing. The “turns luck into structure” line is exactly right.
Two things I’d add to the scope conversation when orgs come in:
1. Wallet SDKs and memo parsers are underaudited relative to consensus code. The Sprout bug was in validation logic, but the next class of bugs is more likely in application-layer parsing (memo formats, address handling, SDK edge cases).
2. AI-assisted discovery should probably get its own intake track. The volume and format of AI-found issues is different from manual research. Might be worth a separate triage lane so it doesn’t overwhelm the queue.
Glad to opt Frontier Compute’s repos into the scope when you’re ready for non-core infrastructure. We run zcash-mcp, zcash-ika, zap1, and openclaw-zap1, all published, all in production use.
The Sprout disclosure story is the best argument for this platform. Six years of a silent verification skip, 25K ZEC exposed, fixed in 72 hours with zero exploitation because the right process existed. Formalized infrastructure for that coordination is overdue.