@Mike82 See the first post in this thread.
The issue he found is the one artkor posted I think
Hello! Please be patient.
We have deliberately never answered questions about what this procedure looks like. Because, you know, I personally am against constantly pestering someone with questions, quoting their messages from private correspondence, and all that stuff, you know. Yes, maybe we can't handle the case under request number 567893 and don't adhere to corporate ethics standards like JP Morgan, but that's exactly why I mentioned earlier that Zcash is a decentralized community. But that doesn't mean we aren't addressing this issue. Just please keep in mind that there were over 80 claims. The developers have done their part of the massive work, and now the final verification of all the data is underway. It takes time because the issue involves money and it's important work. So this issue is being addressed, and I hope we'll finish next week and announce the results.
We had reached a point where the issues being reported were largely duplicates of those already identified. All of this was placing a huge burden on the developers, and we would have simply stalled our main plans for updating the Zcash NU7 protocol. So, to avoid spending a huge amount of time later figuring out who found a particular issue first and who found it second, we decided to shut down the program. Another reason was that it became completely obvious that vulnerabilities were mainly being found by neural networks, which are accessible to absolutely everyone. That's about it, I guess.
Hey @artkor
@Danika has reached out, but I also have several other findings that have already been validated and accepted by maintainers in repositories that I understood to be within the scope of the Security Vulnerability Disclosure Initiative, including:
- Zcash: 1 accepted Low severity finding
- Zaino: 3 accepted Low severity findings and 1 accepted Medium severity finding
- Lightwalletd: 1 accepted Medium severity finding
Could you please clarify whether compensation decisions for these accepted reports will be communicated separately, or whether they are currently under review as part of the same process?
In addition, there are several other accepted findings that are still pending remediation and therefore do not yet have published advisories. Will those be considered in a future review cycle once remediation and disclosure are complete?
If additional accepted reports are expected to be compensated in the near term, would it be preferable to consolidate payments into a single transaction, or should I expect separate payouts as each report is approved?
Hi @ouicate,
Danika has already reached out regarding the currently approved payout. At this point, the next step is for you to provide the requested payment information, including a shielded address, so that the approved payout can be processed.
To answer your broader question: the upcoming announcement this week will focus specifically on the Zebra reports.
The other reports you mentioned, including reports in repositories such as Zcash, Zaino, Lightwalletd, and Wallet, will not be included in this week's results or payment decisions.
Any additional reports would need to be handled separately through the appropriate review process, once remediation is complete and public advisories can be properly coordinated.
For reports that are still pending remediation or have not yet been publicly disclosed, we cannot discuss eligibility, severity, payment expectations, timelines, or review status in this thread.
If there are further updates regarding process or payment handling, they will be communicated through the appropriate administrative channel.
For now, please provide the requested payment information to Danika so the currently approved payout can move forward.
We can confirm that we have received their shielded address and have sent the approved payout amount.
hi @artkor
what is ZCG's final decision regarding Zebra's critical reports that were submitted before the bounty program launched?
since then, there have been some comments and reactions, and the majority, including the core engineers handling the reports, appear to be in favor of applying it retroactively.
could you share ZCGās position on this?
thanks
What of my payout?
No one has reached out to me regarding payout
I didn't receive any message for payout address
Here's my email: vantur.agency@gmail.com
Hello @0x15 We did not have your email address and were unable to confirm whether this forum account belongs to the same person as the associated GitHub account. As a result, we sent a direct message to the X account listed on the GitHub profile yesterday.
Please log in to that X account and follow the instructions in our message to verify your identity. Thank you!
Oh I just checked my message request. I have seen your message
Will respond to the designated mail included in the message
Thanks!
@artkor
I am also waiting for clarification on payout.
For example, I was credited on this published Zebra security advisory:
GHSA-pvmv-cwg8-v6c8
Severity: Critical / 9.3
I have not received any payout information or payment verification request yet.
thanks
Even if it isn't the full amount outlined in the official Bug Bounty program, it would be great to receive some form of recognition for the time and effort we put in. As I mentioned before, I don't think anyone who submitted reports before the official Bug Bounty program launched is expecting a $150,000 payout. That said, an appreciation payment would be a nice gesture and would go a long way toward acknowledging those contributions.
I think so
I think I was missed in this payout (GHSA-pvmv-cwg8-v6c8) too
I'm following up on GHSA-pvmv-cwg8-v6c8. I'm an accepted reporter in the GitHub advisory credits for this GHSA (Zebra, Critical), and I was also thanked by name in the v4.4.1 release.
I've checked every available channel (email, GitHub, and this forum) but have not received any verification or payout request.
@ZCG / @artkor: could you please confirm whether @fivelittleducks is included in the payout review/request for this GHSA? If yes, please send instructions to fivelittleducks2021@gmail.com. If not, could you please let me know the reason?
@conradoplg: could you help confirm whether the remediation, ZCG payout handoff for this GHSA included @fivelittleducks?
@Shawn Is this bounty program still ongoing? Also how do I post my grant proposal?
The bounty program is closed per the OP of this thread.