diff --git a/AMBASSADOR_PROGRAM.md b/AMBASSADOR_PROGRAM.md new file mode 100644 index 0000000..222c664 --- /dev/null +++ b/AMBASSADOR_PROGRAM.md 
@@ -0,0 +1,71 @@ +# PrivacyLayer Ambassador Program + +## Overview + +The PrivacyLayer Ambassador Program empowers community leaders to grow adoption, educate users, and represent the project in their local ecosystems. + +## Ambassador Tiers + +| Tier | Requirements | Benefits | +|------|-------------|----------| +| **Bronze** | 3+ community contributions | Ambassador badge, early access to features | +| **Silver** | 10+ contributions, 1 event hosted | Merch kit, monthly call with core team | +| **Gold** | 25+ contributions, 3 events, 50+ referrals | Revenue share, governance voting weight, conference sponsorship | + +## Responsibilities + +### Content Creation +- Write tutorials, blog posts, or thread explanations about PrivacyLayer +- Create video content (demos, explainers, reviews) +- Translate documentation into local languages + +### Community Building +- Host local meetups or online workshops +- Moderate community channels (Discord, Telegram) +- Onboard new users and developers + +### Feedback Loop +- Report user pain points and feature requests +- Test new releases before public launch +- Participate in governance discussions + +## Application Process + +1. **Apply**: Open an issue with the `ambassador-application` label including: + - Your background and blockchain experience + - Community platforms you're active on + - What region/language you'd represent + - Your plan for the first 30 days + +2. **Review**: Core team reviews within 7 days + +3. **Onboarding**: Accepted ambassadors receive: + - Private Discord channel access + - Brand assets and guidelines + - Onboarding call with the team + +## Tracking & Rewards + +| Activity | Points | +|----------|--------| +| Blog post / tutorial | 10 | +| Video content | 15 | +| Meetup hosted (5+ attendees) | 25 | +| Translation (full doc) | 20 | +| Bug report (confirmed) | 10 | +| New contributor onboarded | 5 | +| Social media thread (100+ impressions) | 5 | + +Points are tracked monthly. 
Rewards are distributed in the project's native token on the 1st of each month. + +## Code of Conduct + +Ambassadors represent PrivacyLayer publicly. All ambassadors must: +- Follow the project's [Code of Conduct](./CONTRIBUTING.md) +- Disclose their ambassador status when promoting the project +- Never make price predictions or financial advice +- Report any security vulnerabilities through proper channels + +## Contact + +Questions? Open an issue with the `ambassador` label or reach out on Discord. diff --git a/BUG_BOUNTY_PROGRAM.md b/BUG_BOUNTY_PROGRAM.md new file mode 100644 index 0000000..b0cfa9a --- /dev/null +++ b/BUG_BOUNTY_PROGRAM.md 
@@ -0,0 +1,84 @@ +# PrivacyLayer Bug Bounty Program + +## Overview + +PrivacyLayer invites security researchers to find vulnerabilities in our privacy pool smart contracts and infrastructure. We reward responsible disclosure with bounties proportional to severity. + +## Scope + +### In Scope + +| Component | Repository Path | Priority | +|-----------|----------------|----------| +| Privacy Pool Contract | `contracts/privacy_pool/` | Critical | +| ZK Circuits (Noir) | `circuits/` | Critical | +| Merkle Tree Implementation | `contracts/privacy_pool/src/crypto/merkle.rs` | Critical | +| Groth16 Verifier | `contracts/privacy_pool/src/crypto/verifier.rs` | Critical | +| Deposit/Withdraw Logic | `contracts/privacy_pool/src/core/` | High | +| Deployment Scripts | `scripts/` | Medium | + +### Out of Scope +- Known issues listed in GitHub Issues +- Theoretical attacks with no practical exploit path +- Social engineering or phishing +- Denial of service attacks on public infrastructure +- Issues in third-party dependencies (report upstream) + +## Reward Tiers + +| Severity | Bounty | Examples | +|----------|--------|----------| +| **Critical** | $5,000 - $25,000 | Double-spend, fund theft, proof forgery, nullifier bypass | +| **High** | $1,000 - $5,000 | Privacy leaks (depositor/withdrawer linkability), Merkle state corruption | +| **Medium** | $250 - $1,000 | Admin key escalation, griefing attacks, DoS on contract | +| **Low** | $50 - $250 | Gas optimization issues, minor logic errors, informational findings | + +## Submission Process + +### Step 1: Discover +Find a vulnerability in the in-scope components. 
+ +### Step 2: Document +Create a detailed report including: +- **Title**: One-line description +- **Severity**: Your assessment (Critical/High/Medium/Low) +- **Description**: What the vulnerability is +- **Steps to Reproduce**: Minimal steps or PoC code +- **Impact**: What an attacker could achieve +- **Suggested Fix**: Optional but appreciated + +### Step 3: Submit +- **Email**: security@privacylayer.xyz (preferred for Critical/High) +- **GitHub**: Open a **private security advisory** on this repository +- **Do NOT** open a public issue for Critical or High severity bugs + +### Step 4: Response Timeline + +| Stage | Timeline | +|-------|----------| +| Acknowledgment | Within 24 hours | +| Initial Assessment | Within 3 business days | +| Fix Development | Within 14 days (Critical), 30 days (others) | +| Bounty Payment | Within 7 days of fix deployment | + +## Rules + +1. **No exploitation**: Do not exploit vulnerabilities on mainnet or testnet beyond what's needed to demonstrate the bug +2. **Responsible disclosure**: Give us reasonable time to fix before public disclosure (90 days) +3. **One submission per bug**: Duplicate reports are not eligible +4. **First come, first served**: The first valid report of a vulnerability receives the bounty +5. **Legal safe harbor**: We will not pursue legal action against researchers who follow these rules + +## Platform Setup + +We recommend using [Immunefi](https://immunefi.com) for structured bounty submissions. Our Immunefi program page will be linked here once live. + +## Hall of Fame + +Security researchers who responsibly disclose valid vulnerabilities will be credited in our Hall of Fame (with consent). + +## Contact + +- Security: security@privacylayer.xyz +- General: Open a GitHub issue +- Discord: #security channel
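Review bot: In AMBASSADOR_PROGRAM.md the Code of Conduct bullet "Report any security vulnerabilities through proper channels" never names the channel, even though this same patch adds BUG_BOUNTY_PROGRAM.md with one; link it (`[security@privacylayer.xyz](./BUG_BOUNTY_PROGRAM.md)` or the private advisory) and add an explicit line that suspected vulnerabilities must not be discussed in the public Discord/Telegram channels ambassadors moderate, since those are exactly the places a user is likely to report one to them. Two smaller points in the same file: the link text says "Code of Conduct" but the target is `./CONTRIBUTING.md`, so either point it at a dedicated CODE_OF_CONDUCT.md or confirm CONTRIBUTING.md actually contains the conduct rules; and the Gold tier grants "governance voting weight" partly on "50+ referrals" while the points table pays native token for "New contributor onboarded" and "Social media thread (100+ impressions)" with no verification step described. Referral and impression counts are cheap to inflate with sock-puppet accounts, so the tracking section should say who verifies each activity before points are credited and how referrals are deduplicated, or governance weight should be decoupled from referral counts.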
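Review bot: In BUG_BOUNTY_PROGRAM.md the Reward Tiers table files "Admin key escalation" under Medium ($250 - $1,000), but in a privacy pool an attacker who gains admin authority can typically drain or freeze funds or swap the verifier, which is the Critical "fund theft" outcome the table already lists one row up; move it to Critical or High, or define exactly what limited admin capability the Medium rating assumes. Related scope question: the table lists "ZK Circuits (Noir)" alongside a "Groth16 Verifier" at `contracts/privacy_pool/src/crypto/verifier.rs`; Noir's standard backend does not emit Groth16 proofs, so please confirm the proving system and name it consistently so researchers know which verifier to target. Rule 1 ("Do not exploit vulnerabilities on mainnet or testnet beyond what's needed") still permits some mainnet interaction; tighten it to require PoCs against a local deployment or fork and forbid any mainnet exploitation. For the email channel, publish a PGP key fingerprint (and a SECURITY.md / `security.txt`) so Critical reports are not sent in plaintext. Finally, the Contact section lists "Discord: #security channel" without qualification, which conflicts with Step 3's "Do NOT open a public issue for Critical or High"; mark Discord as for general questions only, not for vulnerability details. Minor: Rules 3 and 4 say the same thing and could be merged.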