
ZenLand (zen.land) Bug Bounty: $5,000 Each Validated Critical — Full Scope, Kill Chain Required

ZenLand at https://zen.land/ operates a P2P crypto marketplace with integrated escrow: trade listings, offer books, deposit holds, release arbitration, dispute resolution, chat mediation, API-driven automation, webhook callbacks, admin review consoles. The entire ZenLand-operated perimeter is in scope, with no carve-out appendix. Every confirmed critical validated with a reproducible exploitation chain pays exactly $5,000 USD. Acceptance requires both a numbered attack-chain narration and evidence that the exploitation actually succeeds (replayable scripts, tampered escrow state, unauthorized release traces, balance drift); prose alone does not reach the payout threshold.

BountyHunter Editorial · May 23, 2026
#ZenLand #zen.land #P2P #BugBounty
01 — Overview

P2P marketplace & escrow surfaces under stress

ZenLand concentrates peer-to-peer trade listings, offer creation, escrow deposits, release authorization, dispute arbitration, fee accounting, chat mediation, and API-driven automation hooks — fertile ground for escrow theft, unauthorized release, dispute manipulation, and balance misaccounting. Each critical earns $5,000.

As a P2P marketplace, ZenLand holds funds in escrow for every trade: deposit tagging, the hold ledger, release triggers, dispute overrides, fee splits. Every link in that chain is a bounty-relevant attack surface. Concretely in scope: every host under zen.land and any sibling subdomain ZenLand brings up for P2P trading, API integrations, WebSocket trade feeds, chat mediation, admin review consoles, notification workers, hot wallet policies, and dispute automation.
The only exclusions are conduct-based: theft-as-a-service against counterparties outside the bounty program, harassment, indiscriminate draining. These are blanket bans on behaviour, not an endpoint list.
Keep testing contained: avoid mainnet fund theft even if you can; prove impact on isolated fixtures or sandbox mirrors when possible.

Minimum evidence bar — non-negotiable:
  1. Kill chain from root cause → exploit steps → measurable loss or integrity break.
  2. Proof the attack succeeds (replayed APIs showing unauthorized release, balance drift, dispute outcome tamper).
Narratives without replayable exploits stall below the payout threshold.
02 — Why this matters

Why pressure-test ZenLand?

Flat $5K critical payouts

Validated critical exploits with reproducible payloads earn exactly $5,000 USD — no spreadsheet bingo.

Full-scope trust boundary

Every endpoint ZenLand operates or delegates to is in-scope — no surprise carve-outs after you find a bug in a "grey area" subdomain.

Real custody risk

ZenLand holds P2P escrow funds — a successful exploit means actual balance loss. Every vulnerability that lets funds escape or get misdirected is a clear critical.

03 — Reward

The critical reward benchmark

$5,000 USD per validated critical
  • Flat rate — no haggling over severity tags
  • Payable on kill chain + successful attack reproduction
  • Duplicate-first policies: first qualified PoC wins
  • Lower severities considered — critical bar is highest

A critical on ZenLand means escrow bypass, unauthorized release of held funds, dispute outcome manipulation with financial impact, mass balance disclosure, or persistent admin account takeover — anything that lets an attacker steal, freeze, or misdirect funds held in escrow, tamper with trade arbitration, or escalate privileges to the operator panel.

04 — Scope

What's in scope

Target                                                  | Category | Reward
zen.land, subdomains, web UI                            | Web      | $5,000 / validated bug
P2P trade & escrow APIs · deposit/release endpoints     | Backend  | $5,000 / validated bug
Escrow hold ledger · release triggers · fee accounting  | Custody  | $5,000 / validated bug
Dispute arbitration · admin overrides                   | Ops      | $5,000 / validated bug
05 — Full Scope Policy

Everything ZenLand operates — no exclusions list

Sandbox escrow environments, canary wallet clusters, Telegram/bot hooks for risk alerts, partner liquidity APIs fronted by ZenLand — all eligible when critical impact reproduces.

  • Vanity domains CNAME'd into ZenLand edge — show DNS/traffic proof in your write-up.
  • Escrow SDKs or bookmarklets ZenLand ships to traders
  • Colocated market-making containers they operate
  • Bridge or on-ramp callbacks verified with ZenLand-issued secrets
Legal floor (not bounty shrink): laundering, indiscriminate draining of unrelated liquidity venues, harassment — always off-limits even if endpoints tempt you.
06 — Rules

Rules of engagement

  1. Prove exploitation success. Provide scripts, HARs, parallel request captures, or signing traces showing fund/state impact — not paper analysis alone.
  2. Number your hops. Session/API primitive → escalation → escrow hold or release integrity break.
  3. Minimize real-user blast radius. Prefer mirrors, low-value accounts, and reversible payloads when demonstrating theft-class bugs.
  4. Private coordination first. Use official intake on zen.land before public threads.
  5. Duplicate fairness. First qualifying PoC wins; followers get acknowledged-only.
07 — Submit

How to submit a report

Use the security / vulnerability disclosure contact published on https://zen.land/ (security@zen.land is a common guess — verify on the live site before emailing).

All reports must include:

  1. Summary and type of vulnerability
  2. Numbered kill chain from entry to impact
  3. Proof of successful exploitation (HAR, replayable cURL, screenshots with evidence)
  4. Suggested remediation or hardening approach (optional but appreciated)
Pro tip: wrap your PoC in a Dockerfile or a shell script so the review team can replay it on a sandbox mirror. Self-contained reproductions get priority triage.
08 — Example

Escrow release race vignette · pair with parallel request logs

Illustrative race on escrow release + dispute check — worthless without request captures showing unauthorized fund release on zen.land.

TypeScript — Escrow Release Handler
// Minimal declarations so the handler type-checks on its own; db and wallet are declared, not implemented
interface Trade { id: string; status: 'held' | 'released'; buyerAddress: string; amount: number; }
declare const db: {
  getTrade(id: string): Promise<Trade>;
  hasActiveDispute(id: string): Promise<boolean>;
  updateTrade(id: string, patch: Partial<Trade>): Promise<void>;
};
declare const wallet: { send(to: string, amount: number): Promise<void> };

// BUGGY: TOCTOU race — status read, dispute check and release are not one atomic step
async function releaseEscrow(tradeId: string): Promise<void> {
  const trade = await db.getTrade(tradeId);
  if (trade.status !== 'held') throw new Error('invalid state');

  // Race window: attacker sends 20 parallel releaseEscrow() calls here;
  // every call read status 'held' before any of them writes 'released'
  const isDisputed = await db.hasActiveDispute(tradeId);
  if (isDisputed) throw new Error('disputed');

  await wallet.send(trade.buyerAddress, trade.amount); // each parallel call sends full amount
  await db.updateTrade(tradeId, { status: 'released' });
}
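The same race and its fix, simulated in memory so the difference is countable. This is an added example, not ZenLand's code: EscrowStore, its transition() compare-and-set and the two handlers are assumed stand-ins for the db and wallet layers the handler above calls.

```typescript
// Added example, not ZenLand's code: an in-memory escrow store and two release
// handlers, driven by N parallel calls to count how many payouts actually happen.
type Status = 'held' | 'releasing' | 'released' | 'disputed';
interface Trade { id: string; status: Status; buyerAddress: string; amount: number }
class EscrowStore {
  private trades = new Map<string, Trade>();
  sent: { to: string; amount: number }[] = [];   // constructed stand-in for wallet.send()
  constructor(trades: Trade[]) { for (const t of trades) this.trades.set(t.id, { ...t }); }
  get(id: string): Trade | undefined { return this.trades.get(id); }
  hasActiveDispute(id: string): boolean { return this.trades.get(id)?.status === 'disputed'; }
  // Compare-and-set: the transition happens only if the trade is still in `from`.
  // A real backend would issue this as one conditional UPDATE (assumption).
  transition(id: string, from: Status, to: Status): boolean {
    const t = this.trades.get(id);
    if (!t || t.status !== from) return false;
    t.status = to;
    return true;
  }
}
// Mirrors the buggy handler above: read, check, pay, then write. Every caller
// that passes the status check before the first write pays the full amount.
async function releaseBuggy(store: EscrowStore, id: string): Promise<boolean> {
  const t = store.get(id);
  if (!t || t.status !== 'held') return false;
  await Promise.resolve();                        // dispute lookup round-trip
  if (store.hasActiveDispute(id)) return false;
  await Promise.resolve();                        // wallet round-trip
  store.sent.push({ to: t.buyerAddress, amount: t.amount });
  store.transition(id, 'held', 'released');
  return true;
}
// Hardened handler: claim the trade with one CAS before paying. Only one caller
// can move 'held' -> 'releasing', and a disputed trade is not 'held', so the
// same step rejects it without a separate, racy dispute check.
async function releaseSafe(store: EscrowStore, id: string): Promise<boolean> {
  if (!store.transition(id, 'held', 'releasing')) return false;
  const t = store.get(id)!;
  await Promise.resolve();                        // wallet round-trip
  store.sent.push({ to: t.buyerAddress, amount: t.amount });
  store.transition(id, 'releasing', 'released');
  return true;
}
// Run n concurrent releases against one constructed trade; return the payout count.
async function payoutsUnderRace(n: number, safe: boolean, status: Status = 'held'): Promise<number> {
  const store = new EscrowStore([{ id: 't1', status, buyerAddress: 'buyer', amount: 100 }]);
  const handler = safe ? releaseSafe : releaseBuggy;
  await Promise.all(Array.from({ length: n }, () => handler(store, 't1')));
  return store.sent.length;
}
```

payoutsUnderRace(20, false) pays 20 times, payoutsUnderRace(20, true) pays once, and a trade already in 'disputed' pays zero times under the hardened handler; the check a reviewer wants in a PoC is exactly that count from parallel request captures.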
09 — FAQ

Frequently asked questions

Is the entire zen.land domain in scope?

Yes. Any host, subdomain, or service that ZenLand operates or delegates to is in scope. If a vanity domain CNAMEs to their infrastructure and you can prove ZenLand controls it, it qualifies.

What qualifies as a critical?

Escrow bypass enabling unauthorized release of held funds, dispute outcome manipulation causing financial loss, mass balance/identity disclosure, persistent admin account takeover, or any chain that lets an attacker steal or freeze funds held in ZenLand's custody.

Do lower-severity findings earn anything?

Lower findings are still reviewed and may earn discretionary rewards based on impact. The published $5,000 benchmark is guaranteed for validated criticals meeting the evidence bar.

Is social engineering allowed?

No. Testing against ZenLand staff or counterparties via phishing, vishing, or impersonation is strictly prohibited. Technical endpoint testing only.

Ready to probe ZenLand's escrow surfaces?

Find a critical? $5,000 is waiting. Full-chain, replayable exploits only.

Start at zen.land