We look forward to working with the security community to make sure ZenGo remains the most secure crypto wallet.
Areas of interest
Our primary focus is on vulnerabilities that:
- Would allow attackers to spend customers’ money.
- Would allow attackers to make customers’ money unavailable.
- High severity attacks on the server (e.g. remote code execution, SQL injection, etc.)
Out of scope vulnerabilities
When reporting vulnerabilities, please consider the attack scenario/exploitability, and security impact of the bug. The following issues are considered out of scope:
- Previously known vulnerable libraries without a working proof of concept.
- Missing best practices in SSL/TLS configuration.
- Any activity that could lead to the disruption of our service (DoS).
- Please provide detailed reports with reproducible steps.
- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
- Social engineering (e.g. phishing, vishing, smishing) is prohibited.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own, or with explicit permission of the account holder.
Please email all submissions to [email protected]. Your submission should include any steps required to reproduce or exploit the vulnerability. Please allow time for the vulnerability to be fixed before discussing any findings publicly. After receiving a submission, we will contact you with expected timelines for a fix to be implemented.
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not be followed by legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for helping keep ZenGo safe.