docs: Add Ambassador Program and Bug Bounty Program

AMBASSADOR_PROGRAM.md

@@ -0,0 +1,71 @@
+# PrivacyLayer Ambassador Program
+
+## Overview
+
+The PrivacyLayer Ambassador Program empowers community leaders to grow adoption, educate users, and represent the project in their local ecosystems.
+
+## Ambassador Tiers
+
+| Tier | Requirements | Benefits |
+|------|-------------|----------|
+| **Bronze** | 3+ community contributions | Ambassador badge, early access to features |
+| **Silver** | 10+ contributions, 1 event hosted | Merch kit, monthly call with core team |
+| **Gold** | 25+ contributions, 3 events, 50+ referrals | Revenue share, governance voting weight, conference sponsorship |
+
+## Responsibilities
+
+### Content Creation
+- Write tutorials, blog posts, or thread explanations about PrivacyLayer
+- Create video content (demos, explainers, reviews)
+- Translate documentation into local languages
+
+### Community Building
+- Host local meetups or online workshops
+- Moderate community channels (Discord, Telegram)
+- Onboard new users and developers
+
+### Feedback Loop
+- Report user pain points and feature requests
+- Test new releases before public launch
+- Participate in governance discussions
+
+## Application Process
+
+1. **Apply**: Open an issue with the `ambassador-application` label including:
+   - Your background and blockchain experience
+   - Community platforms you're active on
+   - What region/language you'd represent
+   - Your plan for the first 30 days
+
+2. **Review**: Core team reviews within 7 days
+
+3. **Onboarding**: Accepted ambassadors receive:
+   - Private Discord channel access
+   - Brand assets and guidelines
+   - Onboarding call with the team
+
+## Tracking & Rewards
+
+| Activity | Points |
+|----------|--------|
+| Blog post / tutorial | 10 |
+| Video content | 15 |
+| Meetup hosted (5+ attendees) | 25 |
+| Translation (full doc) | 20 |
+| Bug report (confirmed) | 10 |
+| New contributor onboarded | 5 |
+| Social media thread (100+ impressions) | 5 |
+
+Points are tracked monthly. Rewards are distributed in the project's native token on the 1st of each month.
+
+## Code of Conduct
+
+Ambassadors represent PrivacyLayer publicly. All ambassadors must:
+- Follow the project's [Code of Conduct](./CONTRIBUTING.md)
+- Disclose their ambassador status when promoting the project
+- Never make price predictions or financial advice
+- Report any security vulnerabilities through proper channels
+
+## Contact
+
+Questions? Open an issue with the `ambassador` label or reach out on Discord.

BUG_BOUNTY_PROGRAM.md

@@ -0,0 +1,84 @@
+# PrivacyLayer Bug Bounty Program
+
+## Overview
+
+PrivacyLayer invites security researchers to find vulnerabilities in our privacy pool smart contracts and infrastructure. We reward responsible disclosure with bounties proportional to severity.
+
+## Scope
+
+### In Scope
+
+| Component | Repository Path | Priority |
+|-----------|----------------|----------|
+| Privacy Pool Contract | `contracts/privacy_pool/` | Critical |
+| ZK Circuits (Noir) | `circuits/` | Critical |
+| Merkle Tree Implementation | `contracts/privacy_pool/src/crypto/merkle.rs` | Critical |
+| Groth16 Verifier | `contracts/privacy_pool/src/crypto/verifier.rs` | Critical |
+| Deposit/Withdraw Logic | `contracts/privacy_pool/src/core/` | High |
+| Deployment Scripts | `scripts/` | Medium |
+
+### Out of Scope
+- Known issues listed in GitHub Issues
+- Theoretical attacks with no practical exploit path
+- Social engineering or phishing
+- Denial of service attacks on public infrastructure
+- Issues in third-party dependencies (report upstream)
+
+## Reward Tiers
+
+| Severity | Bounty | Examples |
+|----------|--------|----------|
+| **Critical** | $5,000 - $25,000 | Double-spend, fund theft, proof forgery, nullifier bypass |
+| **High** | $1,000 - $5,000 | Privacy leaks (depositor/withdrawer linkability), Merkle state corruption |
+| **Medium** | $250 - $1,000 | Admin key escalation, griefing attacks, DoS on contract |
+| **Low** | $50 - $250 | Gas optimization issues, minor logic errors, informational findings |
+
+## Submission Process
+
+### Step 1: Discover
+Find a vulnerability in the in-scope components.
+
+### Step 2: Document
+Create a detailed report including:
+- **Title**: One-line description
+- **Severity**: Your assessment (Critical/High/Medium/Low)
+- **Description**: What the vulnerability is
+- **Steps to Reproduce**: Minimal steps or PoC code
+- **Impact**: What an attacker could achieve
+- **Suggested Fix**: Optional but appreciated
+
+### Step 3: Submit
+- **Email**: security@privacylayer.xyz (preferred for Critical/High)
+- **GitHub**: Open a **private security advisory** on this repository
+- **Do NOT** open a public issue for Critical or High severity bugs
+
+### Step 4: Response Timeline
+
+| Stage | Timeline |
+|-------|----------|
+| Acknowledgment | Within 24 hours |
+| Initial Assessment | Within 3 business days |
+| Fix Development | Within 14 days (Critical), 30 days (others) |
+| Bounty Payment | Within 7 days of fix deployment |
+
+## Rules
+
+1. **No exploitation**: Do not exploit vulnerabilities on mainnet or testnet beyond what's needed to demonstrate the bug
+2. **Responsible disclosure**: Give us reasonable time to fix before public disclosure (90 days)
+3. **One submission per bug**: Duplicate reports are not eligible
+4. **First come, first served**: The first valid report of a vulnerability receives the bounty
+5. **Legal safe harbor**: We will not pursue legal action against researchers who follow these rules
+
+## Platform Setup
+
+We recommend using [Immunefi](https://immunefi.com) for structured bounty submissions. Our Immunefi program page will be linked here once live.
+
+## Hall of Fame
+
+Security researchers who responsibly disclose valid vulnerabilities will be credited in our Hall of Fame (with consent).
+
+## Contact
+
+- Security: security@privacylayer.xyz
+- General: Open a GitHub issue
+- Discord: #security channel