
ZeroBun exists to identify core integrity failures: cases where security boundaries collapse, or where execution control, authentication, or configuration integrity can be subverted.
Only high-impact, reproducible reports that meet this threshold are accepted.

Scope of Acceptance

Reports must clearly demonstrate one of the following:

  • Arbitrary code execution through production-reachable components
  • Full privilege escalation or unrestricted administrative function exposure
  • Direct invocation of backend logic through unauthenticated vectors
  • Persistent injection or deserialization that changes execution flow
  • Cross-system configuration exposure leading to unauthorized control
  • Any condition that provably alters critical service availability or trust boundaries

Minor or cosmetic bugs are automatically discarded.

Strict Rules

  1. Submission Channel:
    All reports must be emailed to [email protected] (hex only)
    Any other channel will not be reviewed
  2. Testing Boundaries:
    • Do not perform destructive tests or live denial scenarios
    • Do not attempt to access production records or simulate mass enumeration
    • Do not perform phishing or employee-targeted testing
  3. Disclosure:
    No public or third-party sharing is permitted until written approval from Findit
    Violations result in permanent disqualification.
  4. Format Enforcement:
    Reports must be submitted as a single ZIP package (one issue per email).
    Missing or malformed documentation leads to automatic rejection.

Required Submission Package

Each ZIP must contain the following four components:

  1. ZeroBun_Report.pdf
    • Unique ID and title
    • Affected component(s)
    • Observed behavior and exact conditions
    • Minimal reproduction path
    • Technical impact and recommended mitigation vector
  2. Proof_of_Concept.txt
    • Raw payloads, command sequences, or request/response pairs
    • Must be reproducible on a clean environment
  3. Evidence_Screenshots_and_Logs.zip
    • Terminal captures, API traces, configuration snapshots
    • Include SHA-256 checksums for integrity
  4. Researcher_Profile.txt
    • Researcher’s full name, region, contact
    • Statement of compliance with ZeroBun policy

Review & Reward

  • Verified, high-impact submissions are eligible for monetary reward.
  • Reward value depends on reproducibility, exploitability, and systemic reach.
  • Typical critical-tier bounties range.
  • Duplicate or unverifiable reports are not eligible.

Submission Checklist

– ZIP named <yourid>_zerobun.zip
– Contains all 4 files (PDF / TXT / ZIP / TXT)
– One issue per email
– Subject: ZeroBun – Critical Report – <short title> – <yourid>
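As an added illustration (not code from ZeroBun or Findit AG), the script below assembles a package in the layout described above and then checks it the way a triage script could: archive name, exactly the four required members, a non-empty body for each, and a SHA256SUMS manifest inside the evidence bundle that still matches the files it lists. The manifest name SHA256SUMS, the researcher id r42, and all sample file contents are assumptions constructed for the example; the page does not prescribe them.

```python
import hashlib
import io
import zipfile

# File names the ZeroBun page requires inside <yourid>_zerobun.zip
REQUIRED = ("ZeroBun_Report.pdf", "Proof_of_Concept.txt",
            "Evidence_Screenshots_and_Logs.zip", "Researcher_Profile.txt")
EVIDENCE = "Evidence_Screenshots_and_Logs.zip"
MANIFEST = "SHA256SUMS"  # assumed name for the checksum list (sha256sum -c format)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def zip_bytes(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes}; insertion order is preserved."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in members.items():
            z.writestr(name, data)
    return buf.getvalue()


def manifest_for(files: dict) -> str:
    """One '<hex digest>  <name>' line per evidence file, sorted by name."""
    return "".join(f"{sha256_hex(d)}  {n}\n" for n, d in sorted(files.items()))


def build_evidence_zip(files: dict) -> bytes:
    """Evidence bundle: the raw captures plus their SHA-256 manifest."""
    return zip_bytes({**files, MANIFEST: manifest_for(files)})


def build_package(researcher_id: str, report_pdf: bytes, poc_txt: bytes,
                  evidence_zip: bytes, profile_txt: bytes):
    """Outer archive named <yourid>_zerobun.zip with the four required members."""
    name = f"{researcher_id}_zerobun.zip"
    members = dict(zip(REQUIRED, (report_pdf, poc_txt, evidence_zip, profile_txt)))
    return name, zip_bytes(members)


def verify_package(name: str, blob: bytes) -> list:
    """Return a list of problems; an empty list means the package meets the format rules."""
    problems = []
    if not name.endswith("_zerobun.zip") or name == "_zerobun.zip":
        problems.append(f"archive name must be <yourid>_zerobun.zip, got {name!r}")
    try:
        outer = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return problems + ["outer file is not a ZIP"]
    names = outer.namelist()
    if sorted(names) != sorted(REQUIRED):
        return problems + [f"expected exactly {list(REQUIRED)}, got {sorted(names)}"]
    problems += [f"{n} is empty" for n in REQUIRED if not outer.read(n)]
    try:
        inner = zipfile.ZipFile(io.BytesIO(outer.read(EVIDENCE)))
    except zipfile.BadZipFile:
        return problems + [f"{EVIDENCE} is not a ZIP"]
    if MANIFEST not in inner.namelist():
        return problems + [f"{EVIDENCE} has no {MANIFEST}"]
    listed = {}
    for line in inner.read(MANIFEST).decode().splitlines():
        digest, _, fname = line.partition("  ")
        listed[fname] = digest
    for fname in inner.namelist():
        if fname == MANIFEST:
            continue
        if fname not in listed:
            problems.append(f"{fname} missing from {MANIFEST}")
        elif sha256_hex(inner.read(fname)) != listed[fname]:
            problems.append(f"{fname} does not match its SHA-256 in {MANIFEST}")
    return problems


def demo():
    """Constructed sample data; returns (problems_good, problems_tampered, problems_malformed)."""
    evidence = {"terminal.txt": b"$ id\nuid=0(root) gid=0(root)\n",
                "api_trace.txt": b"GET /internal/config HTTP/1.1\n\nHTTP/1.1 200 OK\n"}
    pdf = b"%PDF-1.4\n% placeholder report body\n"
    poc = b"curl -s https://app.example.invalid/internal/config\n"
    profile = (b"Name: Example Researcher\nRegion: EU\n"
               b"Contact: researcher@example.invalid\nCompliance: agreed\n")
    name, good = build_package("r42", pdf, poc, build_evidence_zip(evidence), profile)
    # Tampered: a capture edited after the manifest was computed
    altered = {**evidence, "terminal.txt": b"$ id\nuid=1000(user)\n"}
    tampered_evidence = zip_bytes({**altered, MANIFEST: manifest_for(evidence)})
    _, bad = build_package("r42", pdf, poc, tampered_evidence, profile)
    # Malformed: wrong archive name and two of the four components missing
    malformed = zip_bytes({"ZeroBun_Report.pdf": pdf, "Proof_of_Concept.txt": poc})
    return (verify_package(name, good), verify_package(name, bad),
            verify_package("report.zip", malformed))


if __name__ == "__main__":
    for label, result in zip(("good", "tampered", "malformed"), demo()):
        print(label, result or "OK")
```

The manifest uses the two-space `<hex>  <name>` layout so a reviewer can also check it with `sha256sum -c SHA256SUMS` after unpacking the evidence bundle.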

Closing Note

ZeroBun operates under Findit AG’s internal security verification framework.
Reports that meet the standard help reinforce the platform’s execution boundaries and reliability model. All submissions are handled under silent triage. If you do not hear back, the submission was not accepted. This initiative is limited, technical, and uncompromising – designed for researchers who understand impact at the system level.