Zalo Responsible Vulnerability Disclosure Program:
We take the security of our products and services seriously, and we believe that working with skilled security researchers around the world is essential to keeping them secure. We appreciate the work of the white-hat community in responsibly reporting vulnerabilities. If you believe you have found a security vulnerability in a Zalo Group product or service, please let us know right away by email at [email protected]. We will investigate every report and do our best to fix valid issues quickly. Each serious vulnerability is recorded in our Hall of Fame, and its first submitter receives a gift (Vietnam only).
Scope:
If you believe you have found a qualifying security vulnerability in a Zalo Group product or website, please submit a report following the guidelines below. We value the positive impact of your work and thank you in advance for your contribution.
Required Information:
Where possible and applicable, include the following information:
1. Affected product(s), versions and URLs
2. System details (operating system, etc.)
3. Technical description and reproduction steps
4. Proof of concept showing how the vulnerability can be abused
5. Impact of the vulnerability
We only accept submissions that include a full proof of concept: a description of how the vulnerability can be abused and how this impacts Zalo Group services.
Out of Scope:
When reporting vulnerabilities, please consider the attack scenario, exploitability and security impact of the bug. The following issues are considered out of scope:
- Hypothetical or theoretical vulnerabilities without a proof of concept
- Self-XSS
- Clickjacking, tabjacking and tabnabbing
- Denial of service (DoS)
- CSRF without impact on sensitive actions or data
- Attacks requiring physical access to a user's device, or a rooted device
- Ability to spam Zalo users arbitrarily with spam messages
- Previously known vulnerable libraries without a working proof of concept
- Information exposure (paths, versions, third-party details, API keys, etc.) without demonstrated impact
- Missing best practices in SSL/TLS configuration or security headers
- Reports from automated tools or scans that don’t prove a unique, valid security threat
- Content spoofing and text injection issues without a demonstrated attack vector, or without the ability to modify HTML/CSS
- Social Engineering
- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
- Brute-force attacks with low impact
- Password and account recovery policies, such as reset link expiration or password complexity
- Bypass of URL malware detection
- Vulnerabilities affecting users of outdated or unpatched browsers and platforms
- Vulnerabilities in externally hosted services used by Zalo Group
- Username/e-mail enumeration only
- Recently disclosed zero-day vulnerabilities in commercial products for which no patch, or only a recent patch (less than 2 weeks old), is available. We need time to patch our systems just like everyone else; please give us 2 weeks before reporting these types of issues.
Hall of Fame:
We would like to thank the following security researchers and companies who have worked with us to keep Zalo Group as secure as possible by finding and responsibly disclosing security flaws:
https://zalo.me/security.html