Zabbix is a fully open-source, real-time monitoring solution for your entire infrastructure.
We invite you to help strengthen the security of our users by testing Zabbix and reporting any security vulnerabilities you find.
Scope
⚠️ This program is solely focused on finding vulnerabilities in the Zabbix monitoring solution itself.
- In scope:
  - Zabbix monitoring solution, all components and processes (supported and pre-release versions)
  - Packages we deliver (current versions)
  - Docker images we provide (current versions)
  - Virtual appliances we provide (current versions)
- The Zabbix website and other supporting infrastructure are out of scope.
- Zabbix Cloud is out of scope.
- Please test only on Zabbix instances you own and do not interact with any Zabbix deployments of our users that might be publicly accessible.
Rules and guidelines
- Keep your reports short:
  - One- or two-sentence summary.
  - Concise PoC steps.
  - No unnecessary or AI-generated filler content.
- Assume a securely configured Zabbix instance:
  - Example: agents use secure (encrypted) connections to the server.
  - Overriding a secure default configuration will not be accepted as a prerequisite.
- The same vulnerability present in different versions of Zabbix is considered one vulnerability.
- Multiple vulnerabilities caused by one underlying issue will receive a single bounty.
- Zabbix employees or their immediate family members are not eligible for bounties.
Starting off
- For the quickest installation, follow the instructions on our download page.
- General Zabbix documentation is available on our website.
- Other installation options are documented here.
- The main components you can test:
  - Web interface (written in PHP)
  - Zabbix server (written in C)
  - Agent (written in C)
  - Agent 2 and its plugins (written in Go)
Severity
Zabbix can be deployed in different ways and integrates with many systems, so impact can vary.
To keep ratings consistent, we assess issues based on a reasonable production setup - not the worst possible configuration.
We use CVSS 4.0 as a reference, but final severity may differ. The table below shows our general rating guidelines.
| Severity | Bounty | Requirements |
|---|---|---|
| 🟥 Critical | $3,000 | Significant compromise by an unauthenticated attacker |
| 🟧 High | $1,500 | Significant impact but requires user privileges |
| 🟨 Medium | $500 | Exploitation requires administrator privileges or has limited impact |
| 🟩 Low | $200 | Issues with lower impact or unlikely prerequisites |
Disclosure policy
Zabbix discloses all confirmed vulnerabilities after a fix has been released and customers with active support contracts have been given adequate time to upgrade or patch.
Once the fix is released, your HackerOne ticket will be marked as resolved.
Public disclosure will follow at a later stage, and you will be notified once the disclosure has been completed.
We ask that you refrain from discussing the report publicly until the official disclosure has taken place.
Other out of scope vulnerabilities
In addition to Core Ineligible Findings, these types of vulnerabilities are out of scope:
- Issues where a misconfiguration of Zabbix is a prerequisite for exploitation.
- Issues where a vulnerable or compromised environment is a prerequisite for exploitation (e.g. a misconfigured web server or malware on the host).
- Unescaped macros in custom user scripts: Zabbix administrators are expected to take measures to secure their scripts.
- Previously known vulnerable libraries without a working proof of concept.
- API actions performed by regular users when this behaviour is documented.
- We only accept DoS vulnerabilities when they require low privilege and have a high degree of asymmetry.
- Any vulnerabilities not in the Zabbix product itself, such as the website.