Bug bounty & audit tracker
Scope is published today. Full rewards program launches after Passport and credential API audits complete.
Tiered rewards published at formal launch. Critical findings reported in good faith during pre-registration will be honored retroactively.
Audit tracker
Required before external CPI integrations and mainnet Passport deployment. Results will publish here when complete.
Formal review of relying-party endpoint security and rate limiting before first external production gate.
Queued after Passport module review.
Aligns with asset-specific escrow migration roadmap.
In scope
- POST /api/credentials/verify β JWT forgery, claim injection, replay
- GET /api/trust/status β unauthorized data exposure
- GET /api/verify/registry β registry poisoning (write paths require admin auth)
- POST /api/credentials/issue β unauthorized issuance
- /api/idv/* β session hijacking, webhook forgery
- /api/intent/* β challenge replay, signature bypass
- /api/zklogin/prover β salt leakage, prover abuse
- Cielo payment verification β amount/memo mismatch acceptance
- Supabase RLS bypass on identity or credential tables
Out of scope
- Social engineering of team members or asset owners
- DDoS, rate-limit exhaustion without demonstrated impact
- Third-party infrastructure (Veriff, Google OAuth, Vercel platform)
- Issues in deprecated / archived routes not linked from production nav
- Self-XSS, missing security headers without exploitable impact
Reward pool
Reward ranges are targets for formal program launch (post-audit). Pre-registration reports in good faith will be evaluated against these tiers retroactively. Total pool scales with protocol revenue β not marketed as investment return.
Severity tiers
Unauthorized credential issuance, RLS bypass exposing PII, signing key exfiltration, arbitrary payment acceptance
Highest tier. Immediate hotfix + retroactive payment for pre-registration reports once program is live.
JWT validation bypass, credential replay across holders, payment verify accepts wrong amount/memo
Substantial impact on relying-party trust or user funds.
IDOR on verification records, intent challenge replay within validity window, rate-limit bypass with demonstrated abuse
Meaningful security degradation without direct fund loss.
Non-exploitable misconfigurations, informational leaks without PII, missing headers without demonstrated impact
Swag + hall of fame credit at launch.
Safe harbor
Good-faith security research on in-scope endpoints is welcome during pre-registration. Do not access data you do not own, exfiltrate user PII, or disrupt production bookings.
Full launch criteria
- Sui Passport Move module audit complete
- Credential API formal review complete
- Dedicated security@ inbox + response SLA documented
- Public rewards table published
Email findings with reproduction steps. Do not publicly disclose before we acknowledge.
security@worldlabsprotocol.com