Bug Bounty Program
Help us improve our security by finding and reporting vulnerabilities. We value the contributions of security researchers and offer rewards for eligible findings.
Program Overview
At Zero Sum Defense, we take security seriously. Our Bug Bounty Program invites security researchers to help us identify and fix security vulnerabilities in our systems before they can be exploited.
We believe in the power of collaboration with the security community and are committed to working with responsible security researchers to improve our security posture.
Why Participate?
Earn cash rewards for finding valid vulnerabilities
Help protect sensitive data and improve platform security
Join our security researcher community and collaborate with our security team
Get recognition on our security researcher hall of fame (with your permission)
Contribute to open source security for selected components of our platform
Scope & Rewards
In-Scope Systems and Applications
Web Applications
actualize.zerosumdefense.io
Submission Process
Discover & Validate
Identify a vulnerability and validate that it's reproducible. Collect evidence and document the steps to reproduce.
Submit Report
Submit your findings through our secure reporting form or via email to security@zerosumdefense.co. Include all necessary details for us to reproduce the issue.
Verification
Our security team will review your report and verify the vulnerability. We aim to respond within 48 hours to acknowledge receipt of your report.
Remediation
We'll work on fixing the vulnerability. For critical issues, we aim to deploy a fix within 7 days. We'll keep you updated on the status of the fix.
Reward & Recognition
Once the vulnerability is fixed, we'll evaluate the report for a reward based on our severity criteria and process the payment. With your permission, we'll add you to our security hall of fame.
Reporting Requirements
Include detailed steps to reproduce the vulnerability
Provide screenshots, videos, or proof of concept when applicable
Describe the potential impact of the vulnerability
Suggest possible mitigations if available
Include the version/build number of the affected application
Contact Information
For security reports and bug bounty submissions:
Email: security@zerosumdefense.co
PGP Key: Download PGP Key
Secure Form: Submit via Secure Form
Response Time: 24-48 hours
Encrypting Your Report
We strongly recommend encrypting sensitive vulnerability information using our PGP key. Here's how to encrypt your report:
# Import our PGP public key
curl -s https://actualize.zerosumdefense.io/pgp-key.asc | gpg --import
# Encrypt your report
gpg --encrypt --recipient security@zerosumdefense.co -a report.txt
# This creates report.txt.asc which you can safely email to us
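The commands above import whatever key the URL returns. As an added example (not part of the original page or the program's own tooling), the script below checks the downloaded key's primary fingerprint against one obtained through a separate channel before importing it. The function names and the expected-fingerprint argument are assumptions; the page does not publish a fingerprint.

```shell
# Added example, not the program's own tooling. The key URL comes from the
# page; the expected fingerprint is an argument because the page does not
# publish one (assumption: you obtain it through another channel).
KEY_URL="https://actualize.zerosumdefense.io/pgp-key.asc"

# Uppercase a fingerprint and drop spaces/colons so two spellings compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :\n' | tr 'a-f' 'A-F'
}

# Read `gpg --with-colons` output on stdin and print each primary key
# fingerprint: field 10 of the first "fpr" record after a "pub" record.
# Subkey fingerprints (after "sub" records) are skipped.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# Succeed only if the file holds exactly one primary key and its fingerprint
# equals the expected one. --show-keys inspects the file without importing it.
key_matches() {   # usage: key_matches <keyfile> <expected-fingerprint>
    found=$(gpg --show-keys --with-colons "$1" 2>/dev/null | primary_fprs)
    [ "$(printf '%s\n' "$found" | grep -c .)" -eq 1 ] || return 1
    [ "$(normalize_fpr "$found")" = "$(normalize_fpr "$2")" ]
}

# Download the key, verify it, import it, then encrypt to the verified
# fingerprint rather than to an e-mail address that any key could claim.
encrypt_report() {   # usage: encrypt_report <report-file> <expected-fingerprint>
    tmp=$(mktemp) || return 1
    curl -fsS "$KEY_URL" -o "$tmp" &&
        key_matches "$tmp" "$2" &&
        gpg --import "$tmp" &&
        gpg --encrypt --armor --recipient "$(normalize_fpr "$2")" "$1"
    status=$?
    rm -f "$tmp"
    [ "$status" -eq 0 ] || echo "key not verified or encryption failed" >&2
    return "$status"
}
```

gpg may still ask for confirmation before encrypting to a key it has no trust path to.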
Safe Harbor Policy
We provide a safe harbor for security researchers who:
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service
Only interact with accounts they own or with the explicit permission of the account holder
Don’t exploit a security issue to gain additional access beyond what’s needed to prove the vulnerability
Report vulnerabilities directly to us and give us reasonable time to respond before disclosing to others
Provide sufficient information to reproduce the vulnerability so we can resolve it quickly
Hall of Fame
We're proud to recognize the security researchers who have helped improve the security of our platform. Visit our Hall of Fame to see our top contributors.
Start Hunting
Ready to help us improve our security? Start hunting for vulnerabilities and submit your findings. We look forward to working with you!