Dear @Shawn,

Thank you for your clarification. I completely understand and respect your role as a forum moderator and subcontractor rather than a direct representative of the Foundation. I appreciate your fairness in managing this space.

Since you confirmed that the Bug Bounty program was under the Zcash Community Grants (ZCG) umbrella, and given the zero response from the internal developers involved, I kindly ask you to provide the official and direct corporate email address for the Zcash Foundation Board of Directors or the Audit & Risk Committee.

As a moderator, ensuring that serious governance and disclosure issues reach the proper institutional channels is vital for the community’s integrity. Thank you for your assistance in providing this contact information so I can formally submit the complete PDF file and evidence packet.

Best regards,
Alex74 - SjS3
Reply comment for @conradoplg
Dear @conradoplg,
Thank you for your reply. However, there seems to be a major misunderstanding regarding the nature of my disclosure.
I am NOT talking about ZIP-317. I am fully aware that Zebra 4.4.1 does not relate to ZIP-317. My submission explicitly concerns the SECOND critical consensus vulnerability regarding the calculations of Zatoshi/Satoshi outputs, which is precisely documented under the official security advisory GHSA-pvmv-cwg8-v6c8 (Zebra SIGHASH_SINGLE vulnerability).
The facts remain technically verified:
- This specific Zatoshi consensus bug was privately disclosed by me via Signal to core team members.
- The team used these exact technical findings to implement the emergency patch in Release v4.4.1.
- The repository logs were subsequently backdated to May 4th to establish prior art, while the global security database (GHSA) only indexed the vulnerability on May 8th.
Before dismissing my claims as “nonsense,” I respectfully invite you to cross-reference the internal submission timeline of GHSA-pvmv-cwg8-v6c8 against my private Signal disclosures. I am asking for fair meritocracy and my legitimate rights for securing the Zcash network against a critical consensus flaw.
Best regards,
Alex74 - SjS3
I’m tired of those bots. It’s closed in any case @Alex74SjS3. If anything, contact ZCG per mail. Otherwise the forum doesn’t need to know that you were the 66th AI agent to scan the codebase and found this smol vuln. gg well played and goodbye
Dear @Scalar,
Thank you for your direct reply, and I appreciate your referral to the ZCG email channel.
The technical proof-of-concept (PoC) was shared privately via Signal directly with core developers, who then utilized it to patch Release Zebra v4.4.1 under advisory GHSA-pvmv-cwg8-v6c8. The concern here is not only the quality of the bug, but the institutional transparency regarding the disclosure timeline and credit attribution.
For the @zcash team, Pili, and Kris Nuttycombe, this bug was absolutely not “minor” — it was officially classified as “CRITICAL.” It was critical enough to make them get their hands dirty using administrative overrides to backdate the repository to May 4th. This proves it was definitely not a small vulnerability as you claim, “dear” Scalar.
Could it be that this “AI bot narrative” (also heavily pushed by Dariaemma) is just a convenient excuse to hide the fact that Zcash is full of security flaws? There are simply “TOO MANY” flaws, enough to make Robinhood look closely at the asset’s security profile. As the saying goes, thinking badly is a sin, but you are usually right. And don’t worry about the automated bots, Scalar — the paternity of that narrative belongs SOLELY to you.
Since you publicly requested me to contact ZCG via email to handle this issue, could you please provide the exact official email address designated for ZCG dispute resolutions and bug bounty audits? This will ensure the complete packet of forensic evidence reaches the committee formally.
Best regards,
Alex74 - SjS3
(Not speaking on behalf of ZF. As always)
I don’t have your original submission (you might as well just post it since they refer to a solved bug) so I can’t post a definitive answer, but some things in your claims do not make sense:
> I am NOT talking about ZIP-317

The prints you posted are clearly about ZIP-317.

> the SECOND critical consensus vulnerability regarding the calculations of Zatoshi/Satoshi outputs, which is precisely documented under the official security advisory GHSA-pvmv-cwg8-v6c8 (Zebra SIGHASH_SINGLE vulnerability)

If you can read you can clearly see that “Zebra v4.4.0 still accepts V5 SIGHASH_SINGLE without a corresponding output · Advisory · ZcashFoundation/zebra · GitHub” is indeed about SIGHASH_SINGLE, and indeed not about “calculations of Zatoshi/Satoshi outputs”, so you are clearly mixing two different things.

> The repository logs were subsequently backdated to May 4th to establish prior art, while the global security database (GHSA) only indexed the vulnerability on May 8th

This is provably false, just look at the timestamp of “Zebra v4.4.0 still accepts V5 SIGHASH_SINGLE without a corresponding output · Advisory · ZcashFoundation/zebra · GitHub” (we can’t edit that unless you’re claiming we have an inside person at GitHub editing stuff for us?). It was reported on May 2nd, much earlier than both of your claims.
I understand all of this has been explained to you (not by me), but now that you’re making claims publicly I thought it would be good to clear up to anyone reading so that no one gets the wrong idea. I won’t engage further unless you can credibly dispute any of my points.
Dear Scalar (not speaking for ZF, of course), I would really like to know where you are reading these facts, Mickey Mouse’s GitHub?

The confusion you are making between ZIP-317 and GHSA is embarrassing. The screenshots I posted served strictly as context for the movements and communication channels used during that specific week; they were never meant to be technical proof of the bug itself. My claim remains entirely bound to the consensus vulnerability patched in version v4.4.1 under advisory GHSA-pvmv-cwg8-v6c8, period.

On GitHub timestamps, you are making a massive blunder. You are confusing the date a private draft is opened behind closed doors in a control panel with the date that stuff actually gets published and synchronized in the global database. The global GitHub Advisory Database (GHSA) API logs speak for themselves, you just need to know how to query them: for advisory GHSA-pvmv-cwg8-v6c8, the “created_at” date (the internal draft) is May 2nd, but the “published_at” date (the actual release to the world) is immutably registered only on May 8, 2026. The advisory was broadcast to the public web only on May 8th, despite the release tag being pushed with a visual date of May 4, 2026. That is the trick.

Since you are challenging me, I would strongly advise you to go back and actually read the report carefully—with its specific details on dates, audits, and screenshots—instead of running a personal crusade against me. By the way, you are the one accusing everyone else of using AI and Bots, but aren’t you the one replying using an AI since you always conclude your miserable argument with “Basta”? Change it up once in a while, you sound like a broken record.

Best regards,
Alex74 - SjS3
You don’t even know who you are talking to, I rest my case
This is a good read this morning Zm
It is never okay to publish private communications without consent. Publishing screenshots of Signal conversations on Github is a slap in the face to the people working hard to build and secure Zcash every day. If this isn’t a violation of forum rules, please update the rules and ban this person @Shawn .
Doxxing has NO place in our community nor does leaking of private communications.
The classic “you don’t know who I am”… right?
But with all that documentation it is hard to take a step back and admit having been wrong.
If the ghsa was created on May 2, that means the bug had already been reported on May 2. I’m not sure which bug you’re talking about, but since you sent your message on May 6, your report was already late at that point…
Do yourself a favor: go read my report “properly” and then we can talk about dates, bugs, and backdating. If that still doesn’t work, next time I’ll try to explain the full timeline with a nice cartoon. The global GitHub API logs speak for themselves: the advisory went public only on May 8th, even though a visual date of May 4th was slapped on the release tag to pretend they got there first… next, please!

Best regards,
Alex74 - SjS3
As you can see here, the GHSA was disclosed on May 4, and it was added to the GitHub Advisory Database on May 8… “Zebra v4.4.0 still accepts V5 SIGHASH_SINGLE without a corresponding output · GHSA-pvmv-cwg8-v6c8 · GitHub Advisory Database · GitHub”
another example
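The two posts above argue over what the repository-level `created_at`/`published_at`, the Advisory Database `published_at`/`github_reviewed_at`, and a release's tag date each mean. The script below is an added example, not code from the thread or from the Zebra project: it takes constructed records shaped like GitHub's REST API responses (field names as documented by GitHub; every date and id is a placeholder), orders them into one disclosure timeline, and marks which timestamps are set by GitHub's servers and which come from git metadata a committer controls.

```python
"""Order GitHub advisory and release timestamps into one disclosure timeline.

Constructed sample records (NOT real API output); field names follow GitHub's REST API:
  repository security advisory: created_at (draft opened), published_at
  Advisory Database record:     published_at (listed globally), github_reviewed_at
  release object:               created_at (date of the tagged commit, taken from git),
                                published_at (set by GitHub when the release goes public)
All timestamps and ids below are placeholders.
"""
from datetime import datetime, timezone

REPO_ADVISORY = {"ghsa_id": "GHSA-xxxx-xxxx-xxxx",          # placeholder id
                 "created_at": "2030-01-02T10:00:00Z",
                 "published_at": "2030-01-04T09:00:00Z"}
GLOBAL_ADVISORY = {"ghsa_id": "GHSA-xxxx-xxxx-xxxx",
                   "published_at": "2030-01-08T12:00:00Z",
                   "github_reviewed_at": "2030-01-08T12:00:00Z"}
RELEASE = {"tag_name": "vX.Y.Z",                           # placeholder tag
           "created_at": "2030-01-03T15:00:00Z",           # commit date: git-controlled
           "published_at": "2030-01-04T11:00:00Z"}         # server-set


def parse_ts(ts: str) -> datetime:
    """Parse the ISO-8601 'Z' form GitHub returns into an aware UTC datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def build_timeline(repo_adv: dict, global_adv: dict, release: dict) -> list:
    """Return (label, datetime, server_set) tuples sorted by time; missing fields are skipped."""
    raw = [
        ("repo advisory draft created", repo_adv.get("created_at"), True),
        ("release tagged commit date", release.get("created_at"), False),
        ("repo advisory published", repo_adv.get("published_at"), True),
        ("release published", release.get("published_at"), True),
        ("advisory listed in global database", global_adv.get("published_at"), True),
        ("advisory reviewed by GitHub", global_adv.get("github_reviewed_at"), True),
    ]
    return sorted(((lbl, parse_ts(ts), srv) for lbl, ts, srv in raw if ts), key=lambda e: e[1])


def days_between(timeline: list, start_label: str, end_label: str) -> float:
    """Elapsed days from one labelled event to another (negative if out of order)."""
    when = {lbl: ts for lbl, ts, _ in timeline}
    return (when[end_label] - when[start_label]).total_seconds() / 86400


if __name__ == "__main__":
    for label, ts, server_set in build_timeline(REPO_ADVISORY, GLOBAL_ADVISORY, RELEASE):
        print(f"{ts.isoformat()}  {label:36s}  {'server-set' if server_set else 'git-controlled'}")
```

Only the server-set values are evidence of when something happened on GitHub; the release's `created_at` mirrors the commit date and says nothing about when the tag was pushed.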
Dear @Sangsoo,

You are completely confused and don’t even know what you are reading. You are mixing up version v4.4.0 (the old version affected by the bug) with version v4.4.1, which was the actual emergency patch.

The reality is that while Kris Nuttycombe was privately downplaying MY report on Signal, classifying it as “Low” and “Attenzione,” but never as an already known bug, the three musketeers of the Zcash community (Kris, Dariaemma, and Pili) were doing something completely different behind the scenes. While they were downplaying the bug to my face, they were alerting everyone in the Zcash team to step in immediately and fix it, officially classifying MY bug as CRITICAL, not as Low.

When I called them out on this exact contradiction, they panicked and backdated the post to May 4th, trying to say “hey, we noticed the bug first.”

By admitting right now that it was only added to the global GitHub Advisory Database on May 8th, you just publicly confirmed that 4-day discrepancy and my entire point. Have you understood now, Sangsoo? Thank you for debunking them!

Best regards,
Alex74 - SjS3
sorry, but I’m not sure I understand what you mean. I hope everything works out well for you.
Dear @Sangsoo,

If you can find just 5 minutes, please read my report properly; it will clear up any remaining doubts you might have.

But listen, Sangsoo, thank you for your kind words. I want to tell you something directly: my reaction is not driven by anger towards those on the team who backdated the logs, downplayed my report, or denied the bug bounty reward. Not at all.

What I feel is simply deep disappointment. It is disheartening to see this constant hostility against external independent researchers, treating us like criminals or as if we are begging for money, when this is a legitimate right. The team complains about managing the bug bounty program, treating it like a plague to eradicate rather than a crucial resource for the stability and innovation of the Zcash protocol.

We are talking about an ecosystem with millions of followers and a market cap of over $10 billion. Seeing certain team members attack the bounty program as an “anomaly” and paint skilled researchers as manipulative scammers is painful. They claim they cannot manage the workflow due to too many requests generated by bots and AI. But the solution is simple: just involve specialized third-party platforms like Immunefi, Bugcrowd, or Cantina. Allocating $1 million for security in a $10B+ market is next to nothing.

When a project puts its own security last, it is bound to fail. It gives the terrible impression that they just want to take quick profits now instead of consolidating and updating a reality that, just a year ago, nobody would have invested a single cent in. With this kind of attitude, seeing Zcash crash back toward $20 is a mathematical certainty.

Sangsoo, we need to make our voices heard. We need to demand respect, always with education and always with facts.

Best regards,
Alex74 - SjS3
lmfao @Shawn please ban this bot
Given the current circumstances, I highly encourage the ZCash team to re-open the Vulnerability Disclosure Initiative. If you are afraid of AI slop being mass submitted, gate the submission behind a fee (stake $100 for a submission); you can contact the security team of Monad to learn how they handle it and how they successfully lowered the AI slop submissions, or engage with any of the web3 bug bounty program hosters to use their platforms.
What is this, Chatham House? You’re calling for a ban on whistleblowing. Not everything private is personal.
And personally, I have trouble taking anyone serious who’s incapable of finding the print screen key. But that’s a different matter.
@artkor I submitted some bugs to Zcashd via Email and security advisory since May, but I have not received any comment or update or feedback.
Please I wanted to know what really happened, if the team has not looked.