Eligibility of vulnerability reports submitted before the program closed

Hi all,

First, thanks to @ZCG, @FPF, and the core teams for running the Security & Vulnerability Disclosure Initiative, and for the transparency in both opening and closing it.

I’m posting because I’m looking for some clarification on how previously submitted reports will be handled now that the program has been closed, and I’m also curious whether other researchers here are in the same situation.

The relevant clause

The closing announcement states:

Reports already submitted before this announcement will be handled under the terms that applied at the time of submission.

So in principle, any valid, reproducible report submitted to an in-scope repository while the program was active should still be triaged, graded, and — if eligible — paid out under the original payout schedule, even though the program itself is now closed.

Where the ambiguity is

So far, advisories have only partially rolled out. Zebra has published its set, and the first advisories have begun appearing for Zaino as well. But across the in-scope repositories — zcashd, librustzcash, Zaino, Zallet, lightwalletd, zcash-devtool, z3 — many reports submitted during the active window still have advisories and remediation that haven’t been published (or concluded) yet.

Because payouts under the program were explicitly tied to the end of the triage → remediation → categorization cycle (the remediation team submits the payment request to ZCG only after that’s done), I’d like to confirm the reading that seems obvious but is worth stating plainly:

A report submitted to one of those repos before the closure date remains eligible under the original terms. The fact that its advisory hasn’t been published yet doesn’t change that — the date that matters for eligibility is the submission date, not the advisory-publication date.

Could someone from ZCG / FPF, or one of the relevant remediation teams, confirm that’s correct — and say a word about how pre-closure reports against the not-yet-published repos will be tracked through to payout now that the program is formally closed?

Community check

I’d also like to hear from other researchers: did you submit reports to any of these repositories (zcashd, librustzcash, Zaino, Zallet, lightwalletd, zcash-devtool, z3) while the program was active, and still have them in triage or remediation?

To be clear — please don’t post any vulnerability details, PoCs, or anything that belongs in a private disclosure channel here. I’m only trying to get a rough, high-level sense of how many pre-closure reports are still in flight against the repos that haven’t published advisories yet.

For context: I already have one published advisory in Zaino from this same window, and several more reports still in triage/remediation across a few of these repositories — so this isn’t hypothetical for me, and I doubt I’m alone.

Thanks again to everyone who carried the weight of this work.

Thank you for raising this question. I think it is an important issue for the ecosystem because researchers need clarity and predictability when reporting vulnerabilities.

I have a technical question regarding the long-term security process:

If a vulnerability report was submitted before the bounty program closed and subsequently led to code changes, remediation work, or security hardening across multiple repositories (for example, zcashd, Zebra, lightwalletd, or Zaino), how does ZCG intend to evaluate the report’s impact when the full severity may only become apparent after deeper cross-implementation analysis?

In distributed systems, especially those with multiple independent implementations, some vulnerabilities may initially appear isolated but later prove capable of causing consensus divergence, network partitioning, denial-of-service conditions, or even inflation-related risks when combined with other findings. Will there be a formal retrospective review process for such reports, or will eligibility and severity be determined solely based on the information available at the time of initial submission?

I ask because the quality of future disclosures may depend heavily on researchers understanding how multi-stage and cross-repository vulnerabilities are assessed and rewarded.

Thanks again for bringing attention to this topic.