Bountyzcash.org — Bug Bounty Infrastructure for the Zcash Ecosystem

I’m reaching out because bountyzcash.org is live. It was an idea from 2022, and now it has been born: ZCG Grant Idea Thread - #19 by Michae2xl

That’s the proof of concept. Now I want to scale it.

In March 2026, Alex “Scalar” Sol discovered a critical vulnerability in zcashd v3.1.0–v6.11.x: Sprout proof verification was silently skipped during block connection for nearly 6 years, exposing ~25,424 ZEC to a potential drain. Private disclosure, 72-hour coordinated patch across all 4 major mining pools, 200 ZEC reward paid. Zero exploitation window.

What I’m building

A unified bug bounty program for the Zcash ecosystem. One place for researchers to submit, one clear methodology (OWASP Risk Rating), one trusted coordinator. Your infrastructure is covered without you needing to run the operation.

Two things, and two things only:

  1. Scope
    Just tell me the name of your organization, the programs you run, and the repos you want covered. That’s it. A list is enough.

  2. Budget
    How much ZEC are you willing to pay per severity tier for findings in your scope? You keep the ZEC. You pay researchers directly when a valid finding comes in. Nothing moves through me.

That’s it. You define the exposure.

Who is in? @ZcashFoundation, @joshs, @aquietinvestor

What I handle:

  • Real-time email alert: you get notified the moment a report touches your scope via a dedicated address (e.g., zfnd@bountyzcash.org or shieldedlabs@bountyzcash.org), listed publicly on the site
  • Submission intake and triage routing to your team
  • Researcher communication
  • Public disclosure and Hall of Fame documentation after the embargo expires
  • Site maintenance, updates, and program coordination

The only cost is a flat maintenance fee for coordination and site operation. Your entire budget goes directly to researchers protecting your infrastructure and is never left with you.

bountyzcash.org
Hall of Fame — bountyzcash.org

Happy to answer any questions.

10 Likes

Good initiative. If you want verifiable timestamps on the disclosure lifecycle (submission received, triage started, patch confirmed, embargo lifted, Hall of Fame published), ZAP1 can attest each step to Zcash. Private by default, disclosed when the researcher and org agree.

The API is live at pay.frontiercompute.io. Happy to walk through it.

1 Like

Thanks for the feedback. This fits with what BountyZcash.

A few questions:

  1. Do orgs need a Zcash wallet, or is there a dashboard they can access without one?
  2. How are orgs notified at each step: email, dashboard, or does ZAP1 replace that flow entirely?

No wallet needed to verify. The proof bundle is public JSON: leaf hash, Merkle path, root, anchor txid. Anyone can check it with curl or the browser verifier at Frontier Compute - Proof Verifier. No wallet, no install.

ZAP1 doesn’t replace your notification flow. It adds a verifiable layer underneath it. You still send emails, update dashboards, ping Signal, whatever your process is. ZAP1 attests that each step happened at a specific time, anchored to Zcash. If anyone later questions the timeline, the proof is on-chain.

In practice: your intake system logs “submission received” and calls POST /attest with the event. ZAP1 returns a leaf hash. You include that hash in your email to the org. The org can verify it anytime, no account needed.

API docs: pay.frontiercompute.io/protocol/info
Full protocol map: ZAP1 Protocol Map

Happy to sketch out the integration if you want to get specific.

2 Likes
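As an added illustration of the verification step described in the reply above (this is not code from the thread, from ZAP1 or from Frontier Compute): a self-contained Python check of a proof bundle with the shape the reply names, leaf hash, Merkle path, root and anchor txid. The hash function, the canonical JSON form of an event, the domain-separation bytes, the path encoding, the `make_bundle` / `verify_event` helpers and the sample lifecycle events are all assumptions constructed for this example; ZAP1's real encoding may differ, and confirming the anchor txid on Zcash is not covered here.

```python
"""Hypothetical verifier for a Merkle inclusion proof bundle of the shape
described in the thread: leaf hash, Merkle path, root, anchor txid.

ASSUMPTIONS (not ZAP1's actual format): SHA-256, sorted-key whitespace-free
JSON as the canonical event encoding, 0x00/0x01 domain separation for
leaves/inner nodes, and a path of {"hash": hex, "side": "left"|"right"}
entries.  The anchor txid is a constructed placeholder; checking that the
root really sits in that Zcash transaction is a separate step.
"""
import hashlib
import json


def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(event: dict) -> bytes:
    """Hash one lifecycle event as a tree leaf.  The 0x00 prefix keeps a leaf
    from ever being confused with an inner node (second-preimage guard)."""
    canon = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return _sha256(b"\x00" + canon)


def _node_hash(left: bytes, right: bytes) -> bytes:
    return _sha256(b"\x01" + left + right)


def build_tree(leaves: list) -> tuple:
    """Return (root, paths).  paths[i] lists the siblings of leaf i from the
    bottom up; "side" says where the sibling sits relative to the running
    node.  An odd level is padded by duplicating its last node."""
    paths = [[] for _ in leaves]
    # each level entry: (node hash, indices of original leaves under it)
    level = [(h, [i]) for i, h in enumerate(leaves)]
    while len(level) > 1:
        if len(level) % 2:
            level.append((level[-1][0], []))  # padding carries no leaf indices
        nxt = []
        for j in range(0, len(level), 2):
            (lh, lidx), (rh, ridx) = level[j], level[j + 1]
            for i in lidx:
                paths[i].append({"hash": rh.hex(), "side": "right"})
            for i in ridx:
                paths[i].append({"hash": lh.hex(), "side": "left"})
            nxt.append((_node_hash(lh, rh), lidx + ridx))
        level = nxt
    return level[0][0], paths


def verify_proof(bundle: dict) -> bool:
    """Recompute the root from the leaf hash and the path; compare to the
    root the bundle claims was anchored."""
    node = bytes.fromhex(bundle["leaf_hash"])
    for step in bundle["merkle_path"]:
        sib = bytes.fromhex(step["hash"])
        node = _node_hash(node, sib) if step["side"] == "right" else _node_hash(sib, node)
    return node == bytes.fromhex(bundle["root"])


def verify_event(bundle: dict, event: dict) -> bool:
    """Org-side check: the leaf hash quoted in the notification email matches
    the event as the org understands it, and that leaf is under the root."""
    return leaf_hash(event).hex() == bundle["leaf_hash"] and verify_proof(bundle)


def make_bundle(events: list, index: int, anchor_txid: str) -> dict:
    """Coordinator-side: build the tree over a batch of events and emit the
    public bundle for one of them (hypothetical helper)."""
    leaves = [leaf_hash(e) for e in events]
    root, paths = build_tree(leaves)
    return {"leaf_hash": leaves[index].hex(), "merkle_path": paths[index],
            "root": root.hex(), "anchor_txid": anchor_txid}


# Constructed sample lifecycle for a made-up report; five events so the
# odd-level padding path is exercised.
EVENTS = [
    {"report": "BZ-0001", "step": "submission_received", "ts": "2026-01-02T10:14:00Z"},
    {"report": "BZ-0001", "step": "triage_started", "ts": "2026-01-02T11:02:00Z"},
    {"report": "BZ-0001", "step": "patch_confirmed", "ts": "2026-01-04T09:30:00Z"},
    {"report": "BZ-0001", "step": "embargo_lifted", "ts": "2026-01-30T12:00:00Z"},
    {"report": "BZ-0001", "step": "hall_of_fame_published", "ts": "2026-01-30T12:05:00Z"},
]
ANCHOR_TXID = "00" * 32  # constructed placeholder, not a real Zcash txid


def demo() -> tuple:
    """Genuine event verifies; a backdated copy of the same event does not."""
    bundle = make_bundle(EVENTS, 0, ANCHOR_TXID)
    genuine = verify_event(bundle, EVENTS[0])
    backdated = dict(EVENTS[0], ts="2026-01-01T10:14:00Z")
    return genuine, verify_event(bundle, backdated)


if __name__ == "__main__":
    print(demo())
```

The point of the `verify_event` check is that the org does not trust the hash in the email by itself: it recomputes the leaf from the event it believes happened, then walks the path to the root. Anyone disputing the timeline later has to produce a different event that hashes to the same leaf, or a root that was never anchored.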