At Zero Hash, we take the security of our systems and the protection of our users’ assets very seriously.
We are committed to maintaining the cryptocurrency industry’s highest security and privacy standards. To achieve this, we have established a vulnerability disclosure program to encourage security researchers and ethical hackers to help us identify and address potential security vulnerabilities on our platforms.
To ensure fairness and relevance in our vulnerability disclosure program, both the researcher and the reported vulnerability must meet specific criteria:
- New Discoveries: Vulnerabilities must be previously undiscovered issues.
- Researcher Eligibility: Researchers must be at least 18 years of age and not reside in a country under United States sanctions.
- No Affiliation: Researchers must not be current or former employees of Zero Hash LLC, its partners, or affiliates. Additionally, they should have no prior affiliation with the code in question.
Zero Hash defines the following as in-scope targets for vulnerability submissions:
- Zero Hash LLC Website
- Zero Hash LLC Web Applications
The following targets are considered out-of-scope for this program:
- Third-party services or applications not owned or operated by Zero Hash LLC.
- Non-production environments
- Any assets or services unrelated to Zero Hash LLC
Rules of Engagement
Researchers participating in our vulnerability disclosure program should adhere to the following rules:
- Detailed Reporting: Use our submission form provided by Bugcrowd to provide comprehensive details of the potential vulnerability, including steps to reproduce it.
- Security Threats: Vulnerabilities must pose a legitimate security threat to be eligible for submission.
- Confidentiality: Do not publicly disclose or share vulnerabilities with third parties. This includes not sharing them on public forums or social media platforms.
- No Malicious Actions: Do not engage in post-exploitation actions, data modification, or disruption of Zero Hash LLC’s services.
- No Unauthorized Testing: Do not attempt brute-force attacks, denial-of-service attacks, or testing of accounts that do not belong to you.
- No Targeting of Employees or Customers: Do not attempt to target Zero Hash employees and customers or engage in any form of social engineering, phishing, or physical attacks.
- No Attacks on Physical Facilities: Do not perform physical attacks against Zero Hash facilities or assets.
- No Automated Scanners/Tools: Avoid using automated scanning tools.
We consider the following vulnerabilities as eligible for submission:
- Remote code execution
- SQL injection
- Cross-Site Scripting (XSS)
- Server-side request forgery
- Directory traversal
- Bugs in the implementation of the cryptographic primitives
- Remote Code Execution on any node and the reference wallet implementation
- Unauthorized movement of funds,
- Access to keys
- Transaction spoofing
- KYC Spoofing
- Authentication/authorization bypass
- Privilege escalation
- Insecure direct object reference
- CORS misconfigurations
- CRLF injection
- Cross-Site Request Forgery (CSRF)
- Open redirect
- Information disclosure
- Request smuggling
- Mixed content
The following are examples of vulnerabilities that are not eligible for submission:
- Best practices violations
- Social engineering or phishing attacks
- Issues with low-impact
- Content spoofing
- Stack traces, path disclosure, directory listings
- SSL/TLS best practices
- Banner grabbing
- CSV injection
- Google Dorking
- Reflected file download
- Reports on out-of-date browsers
- Denial-of-Service (DoS) attacks
- User enumeration
- Password complexity issues
- HTTP trace method issues
- DMARC, Clickjacking, SPF records
- Insufficient anti-automation