ZCG Security & Vulnerability Disclosure Initiative

Chiming in here, it feels strange to pay nothing for previous security issues. As an outsider, it seems the program was launched in response to the recent rise in reports, and arbitrarily excluding past reports seems to achieve the wrong result.

It’s not realistic to pay for all known/solved security issues in Zcash. That’s literally 10 years of upgrades. How far back would we go? Back to old Bitcoin Core issues that the Zcash teams pulled in for Zcashd 1.0? The funds would already be gone on day one of this new program if that were the case.

It’s not arbitrary; it’s a new program paying for new issues from here forward, simple as that.

3 Likes

I understand that we can’t pay bounties for every bug. What seems strange to me, though, is the decision not to pay bounties for the reports that led to the launch of this program.

Then, why did Alex’s second disclosure get paid out, but the critical ones after that didn’t?

(Not speaking on behalf of ZF.)

I think it is unfair to disqualify the people that discovered the higher impact issues that have been just fixed. The program was created because of those reports, that’s the whole point of it.

Of course it shouldn’t apply infinitely retroactively, but there is a very clear boundary between older reports that I think should not qualify and the recent wave of reports that I think should qualify.

6 Likes

Thank you @conradoplg for speaking up. I’ve been thinking the same thing. @ZCG folks and ZF, could we please reconsider at least the findings that were officially disclosed through GitHub Security Advisories? I don’t think any of us expect a $150,000 payout for the critical severity issues that were submitted, but it would be great to receive some level of compensation for the time and effort that went into identifying and reporting them.

In my case, I spent around 4 to 5 days validating and refining a single report. I’m sure others invested a significant amount of time into their submissions as well.

Thank you!

3 Likes

A $1M bug bounty materially changes the security economics around ZEC. I can imagine a standing incentive for independent guys to scrutinise consensus code, cryptography, wallet infra, etc.

I love this, excellent work by ZCG and everyone involved.

I think as well that the latest high/critical vulnerabilities from other folks’ disclosures should be awarded.

I honestly don’t think this current bug bounty program is aligned with the real economic incentives or systemic risk involved.

For vulnerabilities with potentially devastating impact, the priority should be to maximize the chance that they are responsibly disclosed if they ever exist. For Zcash specifically, I think there should be a dedicated top-tier bounty category for silent inflation bugs, in the $2–3M range. Same for detectable inflation bugs, they should also have a dedicated bounty, with rewards in the $500k–$1.5M range depending on impact and exploitability.

Those are an existential threat to Zcash if ever exploited with hundreds of millions of dollars in damage.

A good benchmark of the crypto ecosystem standards is Immunefi’s list, sorted by maximum bounty: Bug Bounty Programs: Most Rewarding web3 Bug Bounties of 2026 | Immunefi

2 Likes

Good initiative, but I reported a valid vulnerability to the Zcash Core repository that was confirmed and accepted. However, the severity was later downgraded after maintainers introduced their own internal severity criteria following my report, which does not appear to align with BountyZcash’s website, specifically the statement:

“Multi-Org Accountability — No single organization controls severity classification or disclosure timing. The multi-org triage model prevents both downplaying and sensationalizing — the two failure modes that destroy community trust.”

For reference, see the discussion on the Zcash GitHub: #7168

At this point, I’m trying to understand the next steps. Will someone from ZCG join the advisory process, independently review the issue, coordinate disclosure, and pay the bounty reward?

I’m asking because I also received the following response from nuttycom (Kris Nuttycombe):

"Ouicate you need to take this up with Zcash Community Grants; to the best of my knowledge, no such independent review panel actually exists; nobody from ZODL has been asked to join such a panel, at least.

You need to understand that neither ZCG’s rubric, nor the bounty schedule, nor the role of the employees of the various Zcash support organizations were discussed with the maintainers prior to the announcement of the program. I understand that you’re seeking compensation under the bounty program, but that bounty program is not in any fashion my responsibility. If the maintainers’ severity judgments were supposed to be taken into account by Zcash Community Grants in their decision to award bounties, then they needed to discuss that with us beforehand."

The current situation is confusing because the public bounty policy suggests independent multi-party accountability, while the actual handling of the report appears to depend entirely on maintainers’ internal decisions. Clarification on the review process, severity determination, and bounty governance would be appreciated. @ZCG @zooko

2 Likes

For issues like mine that were found and submitted in respect to this initiative, how would the bounty be resolved? Because according to the maintainers, when asked for the next step for the bounty after my bug was accepted and confirmed:

To put it bluntly, no. The maintainers never signed up for this duty and were not consulted before ZCG made that post; the ZCG announcement foisted this on us and we are not doing it. If you want money from the bounty program, you have to seek it from them. This is not the maintainers’ problem; we have far too much actual work to do supporting Zcash.

So this is me reaching out to ZCG in respect to that.

1 Like

Yeah, inflation bugs are severe enough, specific enough, and hopefully rare enough, that these higher awards are warranted.

2 Likes