To ensure that Zerion is the most secure DeFi platform available, we offer a bug bounty program open to everyone! Our active bug bounty program has rewards of up to $50,000 (paid in USDC).

Here's a rundown on how our bounty works:

Scope of Vulnerabilities:

We offer compensation for critical vulnerabilities or bugs in Zerion's products, including but not restricted to:

While we'd like you to report all relevant vulnerabilities, we treat these vulnerabilities as higher priority:

  • Risk of assets being lost, stolen, or irrecoverable

  • Risk of access credentials and wallet authentication being incorrectly initiated

Bounty Sizes:

The severity of reported vulnerabilities will be benchmarked and evaluated according to CVSS (the Common Vulnerability Scoring System). The following serves as a general guideline for the bounty size by CVSS severity band:

  • Critical (9 - 10): $5,000 - $50,000

  • High (7 - 8.9): $2,000 - $5,000

  • Medium (4 - 6.9): $500 - $2,000

  • Low (0 - 3.9): $0 - $500

How to submit your vulnerability report:

🔖 Kindly email us at [email protected] and we will work with you to determine an appropriately compensated bug bounty.

Please include the following information:

  • Summary and severity of the bug

  • Steps to reproduce and screenshots/screen shares (if relevant)

  • Any support materials, proof of concepts and code

  • Description of the data being exposed and funds at risk

Please give us enough time to fix a vulnerability before sharing details of that vulnerability with any other party.

Out-of-scope vulnerabilities include:

  • Anything already covered by our audits

  • Attacks requiring physical access to a user's device, social engineering, phishing, or other fraud activities

  • Vulnerabilities requiring extensive user interaction, third-party applications, or outdated browsers and platforms

  • Publicly accessible login panels without proof of exploitation

  • Vulnerabilities involving active content such as web browser add-ons and most brute-forcing issues without clear impact

  • Denial of service and any DoS/DDoS issues

  • Theoretical issues and moderately sensitive information disclosure

  • Spam (SMS, email, etc.)

  • Missing HTTP security headers, open redirects, session fixation, and user account enumeration

  • Infrastructure vulnerabilities, including:

    • Certificates/TLS/SSL related issues

    • DNS issues (e.g. MX records, SPF records, etc.)

  • Clickjacking/tapjacking and issues only exploitable through clickjacking/tapjacking

  • Descriptive error messages (e.g. Stack Traces, application or server errors)

  • Self-XSS that cannot be used to exploit other users

  • Login/Logout CSRF and Weak Captcha/Captcha Bypass

  • Username/email enumeration via Login/Forgot Password Page error messages

  • CSRF in forms that are available to anonymous users (e.g. the contact form)

  • OPTIONS/TRACE HTTP method enabled

  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS/without embedded HTML links

  • Reflected File Download (RFD)

  • Mixed content (HTTP resources loaded on HTTPS pages), including mixed-content scripts

Need product support?

If you...

  • Have questions about the security features of a Zerion product

  • Require technical help

  • Want access to product updates and beta-testing features

Please visit our Discord or reach out to our support team via the in-app chat.
