A clarifying question on how funded fuzzing proposals interact with this Disclosure Initiative, because I think the answer might also be a way to save the pool money.
The Initiative (ZCG Security & Vulnerability Disclosure Initiative) pays per validated vulnerability. Separately, ZCG has already approved a coverage-guided fuzzing infrastructure project for Zebra (Zebra Coverage-Guided Fuzzing Infrastructure), which is a grant for development work that will, by design, surface vulnerabilities.
The mechanism question is: when the funded Zebra fuzzing project finds a bug, does that bug get paid out separately from the $1M Disclosure Initiative pool based on severity, or is it considered “delivered” under the monthly grant and therefore not eligible for an individual bounty?
The answer matters because there are really only three possible models, and they have very different cost profiles for ZCG:
- Additive: grant + per-bug bounty. Researcher wins big; the $1M pool drains quickly. Probably not sustainable.
- Exclusive: grant instead of individual bounty during the funded period. Predictable cost for ZCG; researcher trades upside for stability.
- Split: grant pays for infrastructure/operation overhead, bounty still pays per validated finding. Cleanest alignment of incentives, no double-counting.
Whichever model you pick for the Zebra fuzzing project becomes the natural precedent for any future complementary proposal targeting the rest of the in-scope ecosystem (lightwalletd, zaino, librustzcash, etc.).
Asking concretely: right after the Initiative was announced on April 28, I provisioned a dedicated server (32 GB RAM, 8 cores) and pointed coverage-guided fuzzing at the parts of the in-scope ecosystem the funded Zebra project does not cover. Roughly one week in, that single server is currently running:
- 5 Go fuzz harnesses against lightwalletd parsers (systemd-managed)
- 3 cargo-fuzz harnesses against zaino (full block, raw transaction, into_compact) at ~424k execs/sec
- 2 parallel cargo-fuzz workers against the librustzcash equihash crate at ~200k execs/sec
Output to date: GitHub Security Advisories filed across the three and under maintainer review. Can someone confirm that they can see them?
- PZ-001/002 (librustzcash) - 2 sent
- ZA-001/002/003 (lightwalletd) - 3 sent
- ZB-001 + ZB-002 (zingolabs) - 2 sent
Example: if those five bugs were validated and, as I found, ended up paid through the Initiative at standard tier rates (Supporting Infrastructure for lightwalletd/zaino, Core Node for librustzcash), the bounty total alone would be $100K+, meaningfully more than what a one-month continuation grant for the same farm would cost.
So the practical question for ZCG is whether funding a complementary monthly proposal here (continued operation plus the differential lwd↔zebra↔zaino oracle and a gRPC service-layer harness) would actually be the more efficient spend than paying per-finding indefinitely, and the precondition for proposing that is knowing which of the three models above applies.