The RISC Zero zkVM is a verifiable computer that works like a real embedded RISC-V micro-processor, enabling programmers to write ZK proofs like they write any other code.

In Scope

Submissions are not limited to the following list, but it gives an overview of the issues we care about:

  • Affirmative verification of a false receipt
  • Extraction of private inputs to zkVM guest program from a receipt
  • Information leakage in receipts that reveal knowledge of zkVM guest program execution (e.g. specific cycle counts, or memory access patterns).
  • Arbitrary code execution in the zkVM verifier based on a malicious receipt
  • Arbitrary code execution in the zkVM host from a malicious guest program (e.g. zkVM executor VM escapes).
  • Reading or writing to zkVM host memory or storage outside of defined I/O interface


Out of Scope

  • Vulnerabilities in zkVM example or demo applications.
  • Documentation errors.
  • Security defects in third party guest programs or zkVM based applications.
  • Verification defects that require modification to the verifier to exploit.
  • zkVM host security defects that require modification of the zkVM to exploit.
  • Attacks on the verifier that require modifications to the guest program.

Third Party Audit Log

  • This program is scoped only to the targets above. RISC Zero web pages, demo applications, or SaaS services are not in scope for this program.
  • Make every effort not to damage or restrict the availability of products, services, or infrastructure
  • Avoid compromising any personal data, interruption, or degradation of any service
  • Perform testing only within the scope
  • Don’t spam forms or account creation flows using automated scanners
  • If you find chain vulnerabilities, we’ll pay only for the vulnerability with the highest severity.
  • Don’t break any law and stay in the defined scope
  • Details of any vulnerabilities found must not be communicated to anyone who is not a member of the HackenProof Team or an authorized employee of this Company without appropriate permission
  • Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
  • No vulnerability disclosure, including partial disclosure, is allowed for the moment.
  • Please do NOT publish/discuss bugs.

We are happy to thank everyone who submits valid reports which help us improve the security. However, only those that meet the following eligibility requirements may receive a monetary reward:

  • External audits are available for reference only, no bounties shall be paid against audit disclosed issues.
  • You must be the first reporter of a vulnerability.
  • The vulnerability must be a qualifying vulnerability
  • Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through hackenproof.com
  • You must send a clear textual description of the report along with steps to reproduce the issue. Include attachments such as screenshots or proof of concept code as necessary.
  • You must not be a former or current employee of ours or of one of our contractors.
  • ONLY USE the EMAIL under which you registered your HackenProof account (in case of violation, no bounty can be awarded)
  • Provide detailed but to-the-point reproduction steps