74 changes: 74 additions & 0 deletions SECURITY.md
@@ -0,0 +1,74 @@
# Security Policy

## Reporting Security Vulnerabilities

We take security vulnerabilities seriously and appreciate your efforts to responsibly disclose any issues you may find.

### How to Report a Security Vulnerability

If you discover a security vulnerability in Payy, please report it to us through one of the following channels:

**Primary Contact:**
- Email: security@payy.network

**Alternative Contacts:**
- Create a private security advisory on GitHub: [Report a vulnerability](https://github.com/polybase/zk-rollup/security/advisories/new)
- Contact the maintainers directly:
- @calummoore
- @soru23

### What to Include in Your Report

To help us understand and address the issue quickly, please include:

1. A clear description of the vulnerability
2. Steps to reproduce the issue
3. Potential impact assessment
4. Any suggested fixes or mitigations
5. Your contact information for follow-up questions

### Response Timeline

- **Acknowledgment**: We will acknowledge receipt of your report within 48 hours
- **Initial Assessment**: We will provide an initial assessment within 5 business days
- **Resolution**: We aim to resolve critical vulnerabilities within 30 days

### Responsible Disclosure Guidelines

We ask that you:

- Give us reasonable time to investigate and fix the issue before public disclosure
- Avoid accessing, modifying, or deleting user data
- Do not perform actions that could harm the service or its users
- Do not publicly disclose the vulnerability until we have had a chance to address it

### Bug Bounty Program

We are currently evaluating the establishment of a formal bug bounty program. In the meantime, we will consider rewards for significant security findings on a case-by-case basis.

### Scope

This security policy applies to:

- The Payy zk-rollup protocol
- Smart contracts deployed on Ethereum
- Core node implementation
- Prover and aggregator services
- Frontend applications
- API endpoints and RPC services

### Out of Scope

- Third-party dependencies (please report directly to the respective projects)
- Social engineering attacks
- Physical security issues
- Denial of service attacks

### Recognition

We believe in recognizing security researchers who help make Payy safer. With your permission, we will:

- Acknowledge your contribution in our security advisories
- Add you to our security researchers hall of fame (if you wish)

Thank you for helping keep Payy and our users safe!
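Review bot: The "How to Report a Security Vulnerability" section offers no way to send an encrypted report: `security@payy.network` is listed without a PGP key or fingerprint, and the private GitHub advisory form (which keeps the report inside GitHub's access controls) is relegated to "Alternative Contacts". Consider publishing a key fingerprint next to the email address, or making the private advisory link the primary channel. Two smaller points in the same hunk: "Contact the maintainers directly: @calummoore / @soru23" names handles but no channel for reaching them, and the "Out of Scope" entry "Denial of service attacks" is broad for a policy that puts "Prover and aggregator services" in scope, so narrowing it to volumetric or resource-exhaustion testing would keep logic-level liveness bugs reportable.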