Zcash Security Program

Protect Privacy.Earn ZEC.

Find vulnerabilities in Zcash privacy-critical infrastructure.
OWASP Risk Rating · Coordinated disclosure · Shielded Z-address required.

Max Reward

Response SLA

Embargo

Status

Why This Program

The Case For This Program

Turns luck into structure.

In March 2026, a critical bug was found and fixed in 3 days with no exploitation. It worked — because one person happened to have good character. This program makes sure the next time doesn't depend on luck.

A Formal Channel Exists Now

Before this, responsible disclosure depended entirely on individual goodwill. Serious security researchers need an address to go to when they find something. Now one exists — with clear rules, a guaranteed reward, and a 5-day response SLA.

Breaks the Bad-Timing Cycle

The Zcash community knows the pattern: the market shows interest, then a vulnerability headline appears. An active bounty program changes who finds bugs first — researchers who want to be paid to help, not exploits leaking at the worst possible moment.

Solves the PR Problem

Uncoordinated disclosure on social media turns "25k ZEC at risk in a deprecated pool" into "ZCASH VULNERABLE." This program creates an alternative: a formal path that pays well, moves fast, and coordinates public announcements with proper technical context — not Twitter’s algorithm.

Credibility Infrastructure

Every bug found and resolved here is verifiable proof that the ecosystem works. This is the same standard that makes the world trust OpenSSL and the Linux kernel. Bug bounty programs are not admissions of weakness — they are how serious protocols are maintained.

AI-Assisted Research Is Here

Scalar found the Sprout bug with AI. That capability is democratizing fast. Hundreds of researchers with automated analysis tools will scan public protocols in the next 12–24 months. This program defines the incentive for what happens when they find something.

Multi-Org Accountability

No single organization controls severity classification or disclosure timing. The multi-org triage model prevents both downplaying and sensationalizing — the two failure modes that destroy community trust.

Hall of Fame · First Case

Sprout Pool Vulnerability— March 2026

The first officially recognized bounty. AI-assisted discovery, responsible private disclosure, 3-day coordinated patch across all major mining pools. Proof the system works.

Alex "Scalar" Sol

CriticalAI-Assisted DiscoveryMar 23, 2026

Scalar identified a critical vulnerability in zcashd v3.1.0 through v6.11.x— nodes were silently skipping Sprout proof verification when connecting new blocks to the chain. The bug had existed for nearly 6 years, introduced by a fCheckedflag optimization inherited from Bitcoin Core that interacted incorrectly with Zcash's two-pass validation logic. Scalar did not request a bounty or mention money. With assistance from David Burkett (Litecoin MWEB Developer) on responsible disclosure, the report reached Shielded Labs privately with zero public exposure.

A malicious miner could have exploited this to drain the approximately 25,424 ZECheld in the deprecated Sprout pool. Zcash's turnstile mechanism would have prevented any supply inflation, and user privacy was never at risk — but funds were exposed. Patch authored by Jack Grigg (str4d), reviewed by Daira-Emma Hopwood and Kris Nuttycombe(ZODL). Deployed across all major mining pools — Luxor, F2Pool, AntPool, ViaBTC— within 72 hours of disclosure.

Zebra, the Zcash Foundation's full node implementation, was never affected. Had exploitation been attempted, Zebra would have triggered a detectable chain fork — a critical layer of defense that worked exactly as designed. Shielded Labs, ZODL, Zcash Foundation, and Bootstrap each awarded 50 ZEC in gratitude for protecting Zcash users.

Disclosure Timeline

Jul 2020Bug silently introduced in zcashd v3.1.0 — fChecked flag optimization causes Sprout proof verification to be skipped during block connection.
Jun 2023Zebra 1.0.0 goes live on mainnet, correctly verifying all transactions — becoming a critical safety net.
Mar 23Scalar privately reports the vulnerability to Shielded Labs. No public disclosure, no mention of reward.
Mar 24Shielded Labs convenes with ZODL engineers. Patch authored by str4d, reviewed by Daira-Emma Hopwood and Kris Nuttycombe. ViaBTC, Luxor, F2Pool contacted.
Mar 25–26All 4 major pools (ViaBTC, Luxor, F2Pool, AntPool) confirm patch deployment. Zero exploitation window.
Mar 31zcashd v6.12.0 released publicly. Coordinated disclosure posted by Zooko on Zcash Community Forum.

Total Reward

$30K USD

$7.5K each org

Contributed by

Shielded LabsZODLZcash FoundationBootstrap

Full report on Forum ↗

Community response · Zcash Forum

“I get the feeling that Zcash has a thousand unexpected surprises up its sleeve, which pop up every time the market starts showing interest in it... noble people simply cannot help but disclose this information if it actually happened. On the other hand, there will always be people who will exploit this information to spoil our mood... by the time this information passes through three people, it will be so distorted that no sane investor will want to get involved.”
— Community member, Zcash Forum

26 likes · 144 views→ Read the full thread

Program launched March 2026 — submit a valid report to join the Hall of Fame.

Reward Tiers

Payout Structure

All rewards paid in ZEC to a shielded Orchard address. Amounts scored using the OWASP Risk Rating Methodology. Maximum reward: $30,000 USD in ZEC for critical findings, contributed jointly by 4 participating organizations.

Critical

up to $30,000 in ZEC

RCE, consensus failure, catastrophic privacy breach, shielded pool drain, or ZKP forgery. Full-chain threat with maximum impact and high exploitability.

Likelihood 7–9Impact 7–9OWASP CRITICAL

High

up to $15,000 in ZEC

Significant privacy or security vulnerability with broad impact. Orchard/Sapling protocol issues or wallet key exposure under exploitable conditions.

Likelihood 5–7Impact 5–7OWASP HIGH

Medium

up to $5,000 in ZEC

Limited privacy impact, DoS, or transaction malleability that doesn’t break consensus. Partial anonymity set reduction.

Likelihood 3–5Impact 3–5OWASP MEDIUM

Low

up to $1,500 in ZEC

Minor issues with negligible security impact. Best-practice violations or informational disclosures with very limited attack surface.

Likelihood 1–3Impact 1–3OWASP LOW

Note

up to $500 in ZEC

Informational findings, best-practice suggestions, or hardening recommendations with no direct security impact.

Likelihood 0–1Impact 0–1OWASP NOTE

Scoring Framework

OWASP Risk Rating Methodology

Every submission is scored on two axes — Likelihood and Impact — each from 0 to 9. The product determines severity and reward tier.

Risk Score = Likelihood (0–9) × Impact (0–9)

Likelihood — Threat Agent

Skill Level0–9
Motive0–9
Opportunity0–9
Size of group0–9

Likelihood — Vulnerability

Ease of Discovery0–9
Ease of Exploit0–9
Awareness0–9
Intrusion Detection0–9

Impact — Technical

Loss of Confidentiality0–9
Loss of Integrity0–9
Loss of Availability0–9
Loss of Accountability0–9

Impact — Business

Financial Damage0–9
Reputation Damage0–9
Non-Compliance0–9
Privacy Violation0–9

Severity Matrix — Likelihood (rows) × Impact (columns)

	⬡ IMPACT
◈ LIKELIHOOD	LOW (0–3)	MEDIUM (3–6)	HIGH (6–9)
HIGH (6–9)	MEDIUM	HIGH	CRITICAL
MEDIUM (3–6)	LOW	MEDIUM	HIGH
LOW (0–3)	NOTE	LOW	MEDIUM

Legend:NOTE — up to $500LOW — up to $1.5KMEDIUM — up to $5KHIGH — up to $15KCRITICAL — up to $30K

Real Example — Scalar's Sprout Bug (Mar 2026)

Ease of Exploit: 3·Intrusion Detection: 8·Loss of Integrity: 7·Financial Damage: 7→CRITICAL · up to $30K USD in ZEC

→ owasp.org/www-community/OWASP_Risk_Rating_Methodology

Coordinated Disclosure

Responsible Disclosure Policy

Noble disclosure requires controlled timing. Premature publication helps attackers, not users. We provide a structured path that protects both the researcher and the ecosystem.

PRINCIPLE_01

90-Day Coordinated Embargo

We coordinate with the reporter on a joint disclosure timeline — typically 90 days after triage. Infrastructure gets patched before any public statement. The Sprout case went from report to full patch deployment in 8 days — a model for how this works in practice.

Day 0Private report received → acknowledged within 24h

Day 5Triage complete, OWASP severity assigned

Day 30Patch developed and reviewed

Day 60Deployed across critical infrastructure

Day 90Coordinated public disclosure with full context

PRINCIPLE_02

Controlled Public Communication

A “25k ZEC at risk in deprecated pool” headline becomes “ZCASH VULNERABLE MILLIONS AT RISK” by the third repost. We issue technical advisories through official Zcash channels with full context — not social media first. The goal is accuracy, not virality.

PRINCIPLE_03

Multi-Org Triage Panel

All critical reports are reviewed by a multi-organization triage panel. No single party has unilateral authority over severity scoring or disclosure timing. This prevents both downplaying and sensationalizing.

PRINCIPLE_04

Reporter Privacy Protected

Researcher identity is never disclosed without explicit consent. We do not publish vulnerability details prior to the agreed disclosure date, regardless of external pressure.

Updates

Latest News

Security advisories and program updates.

2026-04-08

NEW1 ZEC paid to Kenbak for disclosing missing DMARC/SPF/MX on bountyzcash.org. → Hall of Fame

2026-03-31

NEWzcashd v6.12.0 released — patches Sprout proof verification bypass (zcashd v3.1.0–v6.11.x). Reported by Alex “Scalar” Sol. → Full case study · → Zcash Forum

Guidelines

Program Rules

Follow responsible disclosure practices. Violations may disqualify your submission. AI-assisted discovery is explicitly welcome.

RULE_01

Responsible Disclosure

Do not disclose vulnerability details publicly until the 90-day embargo expires. Coordinate on timeline with the multi-org triage panel.

RULE_02

No Exploitation

Do not exploit vulnerabilities beyond what’s necessary to demonstrate impact. Never access, modify, or exfiltrate production user data.

RULE_03

Good Faith Testing

Limit testing to your own accounts and isolated environments. Avoid actions that could affect availability or integrity of services for others.

RULE_04

First Submission Wins

Only the first valid report for a given vulnerability receives the reward. Partial credit may be granted for simultaneous independent discovery.

RULE_05

ZEC Payment Only

All rewards paid in ZEC to a valid Zcash Orchard Z-address (unified preferred). T-addresses not accepted. Reward amounts in ZEC at time of payout.

RULE_06

No Automated Scanning of Mainnet

Automated scanners against mainnet infrastructure are prohibited. Rate-limiting abuse, DoS, and brute-force attacks are strictly out of bounds.

Report Submission

Submit a Vulnerability

Reviewed within 5 business days. AI-assisted discovery explicitly welcome.

Crosslink Scope Alert

No Bounty

Crosslink repositories are out of scope.

Prototype / testnet only. No Crosslink repository qualifies for bug bounty rewards.

No payouts are issued for Crosslink bugs.

Zcash Foundation / Zebra

If your report is for Zcash Foundation infrastructure or Zebra, do not use this form. Please open a private security advisory issue instead.

Open private advisory issue ↗