We are dedicated to building the most secure self-custodial crypto wallet in the ecosystem while keeping users in control of their assets. Security is our top priority: we have a combined decade of experience in web3 security and many decades more from web2. We not only follow best practices but also undergo routine security audits to ensure the safety of Zeal’s users.
Security is at the core of our development process. We have engaged security experts and independent researchers to audit our codebase regularly. As of now, Zeal has undergone the following security audits:
- Zeal Security Audit Report - February 2023
- Doyensec Zeal Security Report - September 2023 (after retest)
- Zeal Security Audit Report - December 2023
- Zeal Security Audit Report - May 2024
- yAudit_Qantura_rebalance - September 2024
We are committed to maintaining a high level of security for Zeal and plan to undergo a minimum of two security audits per year to ensure continuous improvement and adherence to best practices.
For a detailed breakdown of issues identified during these audits and the corresponding fixes, please visit our Security Audit Reports.
TBA
If you believe you've identified a potential security vulnerability in Zeal, please report it to us using one of the following options. Please refrain from filing a public issue or discussing the vulnerability in public places like Discord, Slack, Twitter, etc.
Reporting options for vulnerabilities:
To report a security issue, please follow these steps:
- Utilize the GitHub Security Advisory platform by clicking on the "Report a Vulnerability" tab in our GitHub repository.
- After submitting your report, our dedicated security team will promptly respond and provide guidance on the next steps in handling your report.
- Following the initial response, the security team will maintain open communication with you, keeping you informed of the progress towards a resolution and the full public announcement. They may also request additional information or guidance as needed.
- If the security issue pertains to third-party modules used in Zeal, please report it directly to the person or team responsible for maintaining that module. Additionally, you can report vulnerabilities in these third-party modules through the npm contact form by selecting the option "I'm reporting a security vulnerability."
If, for any reason, you cannot use the GitHub Security Advisory platform, we appreciate direct reports sent to [email protected].
We make every effort to address vulnerabilities promptly and coordinate the disclosure of findings with the researcher. All other non-security-related bugs in the codebase should be filed as issues on our GitHub repository.
Our responsible disclosure policy ensures that vulnerabilities are first triaged and addressed privately, only being publicly disclosed after a reasonable time period. This approach allows us to patch vulnerabilities and provide an upgrade path for our users, thereby protecting them from publicly disclosed security issues before a patch is released.
We kindly request that you refrain from any malicious acts that could put our users, the project, or any of our team members at risk. Please do not disclose your findings outside this program until we have had the opportunity to review and address them with you.
The Zeal team takes security bugs seriously, and we appreciate your efforts to responsibly disclose your findings. We will acknowledge your contributions and compensate them based on their severity. To report a security issue, please use the GitHub Security Advisory or external services like HackerOne and Immunefi.