Security Policy
Reporting a Vulnerability
If you believe you have found a security vulnerability in ZKProva, please report it to us responsibly. We take all reports seriously and will respond promptly.
Do not open a public GitHub issue for security vulnerabilities.
How to Report
Send a report to security@zkprova.com with the following information:
- A clear description of the vulnerability
- The affected component or endpoint (e.g., /auth/login, proof verification, webhook delivery)
- Steps to reproduce, including any requests, payloads, or proof-of-concept code
- The potential impact as you understand it
- Your name and contact information (optional — anonymous reports are accepted)
Encrypt sensitive reports using our PGP key (key ID and fingerprint available on request at security@zkprova.com).
What to Expect
| Milestone | Timeframe |
|---|---|
| Acknowledgment of your report | Within 48 hours |
| Initial triage and severity assessment | Within 5 business days |
| Status update (accepted / declined / needs more info) | Within 10 business days |
| Remediation target for critical/high findings | Within 30 days of confirmation |
| Coordinated disclosure (if applicable) | Agreed with reporter |
We will keep you informed of progress throughout the remediation process. We ask that you give us a reasonable window to fix confirmed vulnerabilities before any public disclosure.
Safe Harbor
ZKProva considers good-faith security research to be a valuable contribution. If you conduct security testing in accordance with this policy, we will:
- Not pursue legal action against you under the Computer Fraud and Abuse Act or equivalent laws
- Work with you in good faith to understand and resolve the issue
- Not suspend or terminate your account as a result of good-faith research
Good-faith research means:
- You only test against accounts you own or have explicit permission to test
- You do not access, modify, or exfiltrate data belonging to other users
- You do not perform volumetric denial-of-service attacks
- You do not use social engineering against ZKProva employees or users
- You stop testing and notify us immediately if you encounter real user data
This safe harbor applies to testing against production only when no staging environment alternative exists. We prefer that active exploitation testing occur against our staging environment (api-staging.zkprova.com). Contact us to request staging credentials.
Scope
In Scope
The following assets are in scope for responsible disclosure:
- ZKProva API: https://zkprova.com/api/* and https://api.zkprova.com/*
- ZKProva web application: https://zkprova.com
- Authentication system: JWT handling, MFA, session management, password reset flows
- ZKP proof generation and verification: /proofs/generate, /proofs/verify
- Credential issuance and revocation: /credentials/*
- Webhook system: Registration, delivery, HMAC verification
- Admin endpoints: /admin/*
Out of Scope
The following are explicitly excluded:
- Social engineering: Phishing, vishing, or any attack targeting ZKProva employees or users
- Volumetric DoS/DDoS: Attacks intended to degrade service availability through traffic flooding
- Physical security: Office access, hardware attacks
- Third-party services: AWS infrastructure internals, email delivery providers, NCUA API
- Mobile applications: The Expo/React Native mobile app is not yet in scope for this policy
- Spam or abuse: Account creation abuse, email bombing
- Clickjacking on non-sensitive pages: Only relevant if it enables a meaningful attack chain
- Missing HTTP security headers that do not lead to exploitable conditions
- SSL/TLS configuration issues without demonstrated exploitability
- Rate limit issues without demonstrated account takeover or data exposure impact
Findings on out-of-scope assets will not be eligible for recognition, though we appreciate the notification.
Vulnerability Classification
We use CVSSv3.1 for severity scoring. As a general guide:
| Severity | CVSS Score | Examples |
|---|---|---|
| Critical | 9.0 – 10.0 | ZKP proof verification bypass, authentication bypass, admin takeover |
| High | 7.0 – 8.9 | IDOR exposing member credentials, SSRF to internal metadata, SQLi |
| Medium | 4.0 – 6.9 | Privilege escalation limited in impact, information disclosure |
| Low | 0.1 – 3.9 | Minor information leakage, non-exploitable misconfigurations |
Recognition
ZKProva maintains a Hall of Fame to recognize researchers who report valid, in-scope vulnerabilities. Recognition is offered for findings of Medium severity or higher.
With your permission, we will:
- List your name (or handle) and the finding date on our public Hall of Fame page
- Provide a letter of acknowledgment for your records
We are a seed-stage startup and do not currently operate a paid bug bounty program. We aim to launch a formal bounty program with cash rewards in the second half of 2026. Researchers who report valid findings now will be acknowledged when the program launches.
Preferred Languages
We prefer to receive reports in English.
Contact
Email: security@zkprova.com
Response SLA: 48 hours for acknowledgment
PGP: Available on request
This policy was last updated on 2026-02-28.