Unofficial ZapRead Fix/Bug Bounty Guide

Updated, read more:

I am just talking about my experience, so don't take this post as official rules.
But having reported several bugs to ZapRead, I know how things works here.

Reporting a Bug

Critical Bugs

If you believe your bug is high severity and shouldn't be disclosed publicly, don't do so.
I use the ZapRead chat to report bugs and talk about reasons/mitigation.
Usually Zelgada answers within 48h after reporting a bug, often earlier.


If you think the bug you found isn't too critical, just open a GitHub issue.
Many of the bugs I reported ended up becoming GitHub issues.
Zelgada seems to prefer GitHub.


Quoting Zelgada: "If the fix goes into the code base, you will get the bugfinder achievement, and a tip.".
Read the Fixing the Bug part... #FixBounty


I would wait at least 30 days, or until it has been fixed.
For crazy bugs I'd give 90 days time, be fair.
If you're into Fix Bounties I guess the PR on GitHub is disclosure.
Tho', I'd suggest sending patches privatly for serious vulnerabilities.

Fixing the Bug

It would be awesome if you create fixes for the bugs you report.
Zelgada can't do everything instantly, help is appreciated.
Just create a PR on GitHub.
Accourding to his new post, Zelgada pays more when you submit a fix!

Hacking ZapRead

I avoid hacking itself as much as I can, to be legally safe.
Also sources and a debugger help a lot, so there's no need.
To get your own debug ZapRead, follow the guide on GitHub.
It is actually pretty easy.

Have fun!