Security program

Bug bounty & audit tracker

Scope is published today. Full rewards program launches after Passport and credential API audits complete.

Pre-registration open Β· full launch post-audit

Tiered rewards published at formal launch. Critical findings reported in good faith during pre-registration will be honored retroactively.

Audit tracker

Sui Passport Move moduleIn progress
Scope: On-chain stamp issuance, object ownership, revocation hooks

Required before external CPI integrations and mainnet Passport deployment. Results will publish here when complete.

Credential verification APIIn progress
Scope: POST /api/credentials/verify, JWT validation, presentation logging, RLS

Formal review of relying-party endpoint security and rate limiting before first external production gate.

zkLogin prover proxyScheduled
Scope: /api/zklogin/prover, salt handling, session binding

Queued after Passport module review.

Cielo payment verificationPlanned
Scope: On-chain USDC matching, memo validation, booking state machine

Aligns with asset-specific escrow migration roadmap.

In scope

  • POST /api/credentials/verify β€” JWT forgery, claim injection, replay
  • GET /api/trust/status β€” unauthorized data exposure
  • GET /api/verify/registry β€” registry poisoning (write paths require admin auth)
  • POST /api/credentials/issue β€” unauthorized issuance
  • /api/idv/* β€” session hijacking, webhook forgery
  • /api/intent/* β€” challenge replay, signature bypass
  • /api/zklogin/prover β€” salt leakage, prover abuse
  • Cielo payment verification β€” amount/memo mismatch acceptance
  • Supabase RLS bypass on identity or credential tables

Out of scope

  • Social engineering of team members or asset owners
  • DDoS, rate-limit exhaustion without demonstrated impact
  • Third-party infrastructure (Veriff, Google OAuth, Vercel platform)
  • Issues in deprecated / archived routes not linked from production nav
  • Self-XSS, missing security headers without exploitable impact

Reward pool

Reward ranges are targets for formal program launch (post-audit). Pre-registration reports in good faith will be evaluated against these tiers retroactively. Total pool scales with protocol revenue β€” not marketed as investment return.

Severity tiers

Critical

Unauthorized credential issuance, RLS bypass exposing PII, signing key exfiltration, arbitrary payment acceptance

$10,000 – $25,000

Highest tier. Immediate hotfix + retroactive payment for pre-registration reports once program is live.

SLA: Acknowledgment within 24h Β· target fix within 7 days
High

JWT validation bypass, credential replay across holders, payment verify accepts wrong amount/memo

$2,500 – $10,000

Substantial impact on relying-party trust or user funds.

SLA: Acknowledgment within 48h Β· target fix within 14 days
Medium

IDOR on verification records, intent challenge replay within validity window, rate-limit bypass with demonstrated abuse

$500 – $2,500

Meaningful security degradation without direct fund loss.

SLA: Acknowledgment within 5 business days
Low

Non-exploitable misconfigurations, informational leaks without PII, missing headers without demonstrated impact

$100 – $500

Swag + hall of fame credit at launch.

SLA: Best-effort review

Safe harbor

Good-faith security research on in-scope endpoints is welcome during pre-registration. Do not access data you do not own, exfiltrate user PII, or disrupt production bookings.

Full launch criteria

  • Sui Passport Move module audit complete
  • Credential API formal review complete
  • Dedicated security@ inbox + response SLA documented
  • Public rewards table published
Report a vulnerability

Email findings with reproduction steps. Do not publicly disclose before we acknowledge.

security@worldlabsprotocol.com
Security overview β†’Strategic roadmap