The RISC Zero zkVM is a verifiable computer that works like a real embedded RISC-V micro-processor, enabling programmers to write ZK proofs like they write any other code.
In Scope
Target | Type | Severity | Reward |
---|---|---|---|
https://github.com/risc0/risc0/tree/main/risc0 | Other | Critical | Bounty |
IN-SCOPE VULNERABILITIES
The list is not limited to the following submissions but it gives an overview of what issues we care about:
- Affirmative verification of false receipt
- Extraction of private inputs to zkVM guest program from a receipt
- Information leakage in receipts that reveal knowledge of zkVM guest program execution (e.g. specific cycle counts, or memory access patterns).
- Arbitrary code execution in the zkVM verifier based on a malicious receipt
- Arbitrary code execution in the zkVM host from a malicious guest program (e.g. zkVM executor VM escapes).
- Reading or writing to zkVM host memory or storage outside of defined I/O interface
OUT-OF-SCOPE VULNERABILITIES
- Vulnerabilities in zkVM example or demo applications.
- Documentation errors.
- Security defects in third party guest programs or zkVM based applications.
- Verification defects that require modification to the verifier to exploit.
- zkVM host security defects that require modification to the zkVM to exploit.
- Attacks on the verifier that require modifications to the guest program.
Third Party Audit Log
- This program is only scoped to the targets above. RISC Zero web pages, demo applications, or SaaS services are not in scope for this program.
- Make every effort not to damage or restrict the availability of products, services, or infrastructure
- Avoid compromising any personal data, interruption, or degradation of any service
- Perform testing only within the scope
- Don’t spam forms or account creation flows using automated scanners
- In case you find chain vulnerabilities, we’ll pay only for the vulnerability with the highest severity.
- Don’t break any law and stay in the defined scope
- Any details of found vulnerabilities must not be communicated to anyone who is not a HackenProof Team or an authorized employee of this Company without appropriate permission
- Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
- No vulnerability disclosure, including partial, is allowed for the moment.
- Please do NOT publish/discuss bugs.
We are happy to thank everyone who submits valid reports which help us improve the security. However, only those that meet the following eligibility requirements may receive a monetary reward:
- External audits are available for reference only, no bounties shall be paid against audit disclosed issues.
- You must be the first reporter of a vulnerability.
- The vulnerability must be a qualifying vulnerability
- Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through hackenproof.com
- You must send a clear textual description of the report along with steps to reproduce the issue. Include attachments such as screenshots or proof-of-concept code as necessary.
- You must not be a former or current employee of us or one of our contractors.
- ONLY USE the EMAIL under which you registered your HackenProof account (in case of violation, no bounty can be awarded)
- Provide detailed but to-the-point reproduction steps