Zcash Security Program

Protect Privacy. Earn ZEC.

Find vulnerabilities in Zcash privacy-critical infrastructure.
ZCG Payout Matrix · Coordinated disclosure · Shielded Z-address required.

Why This Program
The Case For This Program

Turns luck into structure.

In March 2026, a critical bug was found and fixed in 3 days with no exploitation. It worked — because one person happened to have good character. This program makes sure the next time doesn't depend on luck.

01
A Formal Channel Exists Now
Before this, responsible disclosure depended entirely on individual goodwill. Serious security researchers need an address to go to when they find something. Now one exists — with clear rules, a guaranteed reward, and a 5-day response SLA.
02
Breaks the Bad-Timing Cycle
The Zcash community knows the pattern: the market shows interest, then a vulnerability headline appears. An active bounty program changes who finds bugs first — researchers who want to be paid to help, not exploits leaking at the worst possible moment.
03
Solves the PR Problem
Uncoordinated disclosure on social media turns "25k ZEC at risk in a deprecated pool" into "ZCASH VULNERABLE." This program creates an alternative: a formal path that pays well, moves fast, and coordinates public announcements with proper technical context — not Twitter’s algorithm.
04
Credibility Infrastructure
Every bug found and resolved here is verifiable proof that the ecosystem works. This is the same standard that makes the world trust OpenSSL and the Linux kernel. Bug bounty programs are not admissions of weakness — they are how serious protocols are maintained.
05
AI-Assisted Research Is Here
Scalar found the Sprout bug with AI. That capability is democratizing fast. Hundreds of researchers with automated analysis tools will scan public protocols in the next 12–24 months. This program defines the incentive for what happens when they find something.
06
Multi-Org Accountability
No single organization controls severity classification or disclosure timing. The multi-org triage model prevents both downplaying and sensationalizing — the two failure modes that destroy community trust.

Hall of Fame · First Case

Sprout Pool Vulnerability — March 2026

The first officially recognized bounty. AI-assisted discovery, responsible private disclosure, 3-day coordinated patch across all major mining pools. Proof the system works.

Alex "Scalar" Sol
Critical · AI-Assisted Discovery · Mar 23, 2026

Scalar identified a critical vulnerability in zcashd v3.1.0 through v6.11.x — nodes were silently skipping Sprout proof verification when connecting new blocks to the chain. The bug had existed for nearly 6 years, introduced by an fChecked flag optimization inherited from Bitcoin Core that interacted incorrectly with Zcash's two-pass validation logic. Scalar did not request a bounty or mention money. With assistance from David Burkett (Litecoin MWEB Developer) on responsible disclosure, the report reached Shielded Labs privately with zero public exposure.

A malicious miner could have exploited this to drain the approximately 25,424 ZEC held in the deprecated Sprout pool. Zcash's turnstile mechanism would have prevented any supply inflation, and user privacy was never at risk — but funds were exposed. Patch authored by Jack Grigg (str4d), reviewed by Daira-Emma Hopwood and Kris Nuttycombe (ZODL). Deployed across all major mining pools — Luxor, F2Pool, AntPool, ViaBTC — within 72 hours of disclosure.

Zebra, the Zcash Foundation's full node implementation, was never affected. Had exploitation been attempted, Zebra would have triggered a detectable chain fork — a critical layer of defense that worked exactly as designed. Shielded Labs, ZODL, Zcash Foundation, and Bootstrap each awarded 50 ZEC in gratitude for protecting Zcash users.

Disclosure Timeline
  • Jul 2020: Bug silently introduced in zcashd v3.1.0. The fChecked flag optimization causes Sprout proof verification to be skipped during block connection.
  • Jun 2023: Zebra 1.0.0 goes live on mainnet, correctly verifying all transactions and becoming a critical safety net.
  • Mar 23: Scalar privately reports the vulnerability to Shielded Labs. No public disclosure, no mention of reward.
  • Mar 24: Shielded Labs convenes with ZODL engineers. Patch authored by str4d, reviewed by Daira-Emma Hopwood and Kris Nuttycombe. ViaBTC, Luxor, F2Pool contacted.
  • Mar 25–26: All 4 major pools (ViaBTC, Luxor, F2Pool, AntPool) confirm patch deployment. Zero exploitation window.
  • Mar 31: zcashd v6.12.0 released publicly. Coordinated disclosure posted by Zooko on Zcash Community Forum.

Total Reward: $30K USD ($7.5K each org)
Contributed by: Shielded Labs, ZODL, Zcash Foundation, Bootstrap
Full report on Forum ↗
Community response · Zcash Forum
“I get the feeling that Zcash has a thousand unexpected surprises up its sleeve, which pop up every time the market starts showing interest in it... noble people simply cannot help but disclose this information if it actually happened. On the other hand, there will always be people who will exploit this information to spoil our mood... by the time this information passes through three people, it will be so distorted that no sane investor will want to get involved.”
— Community member, Zcash Forum

Program launched March 2026 — submit a valid report to join the Hall of Fame.


Reward Tiers

Payout Structure

All rewards paid in ZEC to a shielded Orchard address. Amounts follow the official ZCG Payout Matrix (Core Node, Supporting Infrastructure, Developer Tooling). Maximum reward: $225,000 USD in ZEC for Core Node Critical findings — see the full matrix below.

Critical
up to $225,000 USD in ZEC

Core Node only. RCE, consensus failure, catastrophic privacy breach, shielded pool drain, or ZKP forgery. Base $150,000 + bonus up to $75,000.

Core Node only · Base $150,000 · Bonus up to $75,000
High
up to $112,500 USD in ZEC

Significant privacy or security vulnerability with broad impact. Orchard/Sapling protocol issues or wallet key exposure under exploitable conditions.

All categories · Base $18,750–$75,000 · Max up to $112,500
Medium
up to $56,250 USD in ZEC

Limited privacy impact, DoS, or transaction malleability that doesn’t break consensus. Partial anonymity set reduction.

All categories · Base $9,375–$37,500 · Max up to $56,250
Low
up to $28,125 USD in ZEC

Minor issues with negligible security impact. Best-practice violations or informational disclosures with very limited attack surface.

All categories · Base $4,687–$18,750 · Max up to $28,125

Scoring Framework

ZCG Payout Matrix

Official Zcash Community Grants payout schedule. Rewards depend on the project category (Core Node, Supporting Infrastructure, Developer Tooling) and severity. Each tier pays a base amount plus a bonus determined by report quality.

Maximum total = Base payout + Bonus (up to)

Core Node (consensus-critical implementations: zcashd, Zebra, librustzcash)

  Severity    Base payout    Bonus (up to)    Maximum total
  Critical    $150,000       $75,000          $225,000
  High        $75,000        $37,500          $112,500
  Medium      $37,500        $18,750          $56,250
  Low         $18,750        $9,375           $28,125

Supporting Infrastructure (wallets, light clients, indexers: Zallet, Zaino, lightwalletd)

  Severity    Base payout    Bonus (up to)    Maximum total
  High        $37,500        $18,750          $56,250
  Medium      $18,750        $9,375           $28,125
  Low         $9,375         $4,687           $14,062

Developer Tooling (build, debug, and test tooling: zcash-devtool, ancillary libraries)

  Severity    Base payout    Bonus (up to)    Maximum total
  High        $18,750        $9,375           $28,125
  Medium      $9,375         $4,687           $14,062
  Low         $4,687         $2,343           $7,030

→ ZCG Security & Vulnerability Disclosure Initiative


Coordinated Disclosure

Responsible Disclosure Policy

Noble disclosure requires controlled timing. Premature publication helps attackers, not users. We provide a structured path that protects both the researcher and the ecosystem.

PRINCIPLE_01
90-Day Coordinated Embargo
We coordinate with the reporter on a joint disclosure timeline — typically 90 days after triage. Infrastructure gets patched before any public statement. The Sprout case went from report to full patch deployment in 8 days — a model for how this works in practice.
  • Day 0: Private report received → acknowledged within 24h
  • Day 5: Triage complete, ZCG severity assigned
  • Day 30: Patch developed and reviewed
  • Day 60: Deployed across critical infrastructure
  • Day 90: Coordinated public disclosure with full context
PRINCIPLE_02
Controlled Public Communication
A “25k ZEC at risk in deprecated pool” headline becomes “ZCASH VULNERABLE MILLIONS AT RISK” by the third repost. We issue technical advisories through official Zcash channels with full context — not social media first. The goal is accuracy, not virality.
PRINCIPLE_03
Multi-Org Triage Panel
All critical reports are reviewed by a multi-organization triage panel. No single party has unilateral authority over severity scoring or disclosure timing. This prevents both downplaying and sensationalizing.
PRINCIPLE_04
Reporter Privacy Protected
Researcher identity is never disclosed without explicit consent. We do not publish vulnerability details prior to the agreed disclosure date, regardless of external pressure.

Updates

Latest News

Security advisories and program updates.

2026-04-08
NEW: 1 ZEC paid to Kenbak for disclosing missing DMARC/SPF/MX on bountyzcash.org. → Hall of Fame
2026-03-31
NEW: zcashd v6.12.0 released — patches Sprout proof verification bypass (zcashd v3.1.0–v6.11.x). Reported by Alex “Scalar” Sol. → Full case study · → Zcash Forum

Guidelines

Program Rules

Follow responsible disclosure practices. Violations may disqualify your submission. AI-assisted discovery is explicitly welcome.

RULE_01
Responsible Disclosure
Do not disclose vulnerability details publicly until the 90-day embargo expires. Coordinate on timeline with the multi-org triage panel.
RULE_02
No Exploitation
Do not exploit vulnerabilities beyond what’s necessary to demonstrate impact. Never access, modify, or exfiltrate production user data.
RULE_03
Good Faith Testing
Limit testing to your own accounts and isolated environments. Avoid actions that could affect availability or integrity of services for others.
RULE_04
First Submission Wins
Only the first valid report for a given vulnerability receives the reward. Partial credit may be granted for simultaneous independent discovery.
RULE_05
ZEC Payment Only
All rewards paid in ZEC to a valid Zcash Orchard Z-address (unified preferred). T-addresses not accepted. Reward amounts in ZEC at time of payout.
RULE_06
No Automated Scanning of Mainnet
Automated scanners against mainnet infrastructure are prohibited. Rate-limiting abuse, DoS, and brute-force attacks are strictly out of bounds.
Report Submission

Submit a Vulnerability

Reports are routed to the official ZCG Security & Vulnerability Disclosure Initiative — submit through each project’s SECURITY.md.

Official ZCG Program
No Intake Here

bountyzcash.org does not accept reports.

All vulnerability disclosures must go through the official ZCG Security & Vulnerability Disclosure Initiative.

No email, no form on this site counts for triage or payout.

How to disclose

Submit reports through each project's own SECURITY.md on GitHub. ZCG does not accept reports directly — remediation teams triage, and FPF coordinates payout after a fix lands.

Read the ZCG Initiative ↗
Open Official ZCG Initiative ↗

Zcash Foundation / Zebra reports go through the private advisory issue flow.