Welcome to Zerobounce's Bug Bounty Program! This program encourages and rewards contributions by security researchers who help make Zerobounce more secure. To recognise your efforts and the important role you play, we offer bounties for reporting valid security vulnerabilities to us.
Our security team works vigilantly to help keep customer information secure. We recognise the important role that security researchers and our user community play in helping to keep Zerobounce and our customers secure. If you discover a site or product vulnerability please notify us using the guidelines below.
Response Targets
ZeroBounce will make a best effort to meet the following SLAs for hackers participating in our program:
| Type of Response | SLA in business days |
|---|---|
| First Response (from report submit) | 5 days |
| Time to Triage (from report submit) | 10 days |
| Time to Bounty (from triage) | 14 days |
| Time to Resolution | depends on severity and complexity |
We’ll try to keep you informed about our progress throughout the process.
Disclosure & Confidentiality Policy
As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
Follow HackerOne's disclosure guidelines.
Any information you receive, collect or otherwise obtain about us, our services, our affiliates or any of our members, employees or agents in connection with our Bug Bounty Program (whether after or before you participate in the Bug Bounty Program, notably as a result of you finding and/or investigating a security bug in our in-scope applications or infrastructure) (“Confidential Information”) must be kept confidential, only used in connection with the Bug Bounty Program and not disclosed to any third party. You may not use, disclose or distribute any such Confidential Information, including without limitation any information regarding your participation in our Bug Bounty Program and any Submission.
By participating in our Bug Bounty Program, you represent and warrant that you have not used and will not use Confidential Information for any purpose other than in connection with the Bug Bounty Program and that you have not shared and will not share such Confidential Information with any third party.
Once a Submission is made, Zerobounce reserves the right to request from you, and you already accept to abide by this request, to securely and irreversibly delete any data related to such Submission, including, without limitation, any data about us, our services, our affiliates or any of our members, employees or agents. Additionally, you agree to securely and irreversibly delete any data related to the Submission immediately upon it no longer being reasonably necessary to retain for the purposes of conveying the impact or scope of the reported issue, after verifying with Zerobounce that it is no longer necessary, and/or if the Submission is closed, regardless of outcome.
Eligibility Policy
To participate in our Bug Bounty Program, you must:
- Not be a resident of, or make a Submission to our Bug Bounty Program from, a country against which the United States has issued export sanctions or other trade restrictions, including, but not limited to, Iran, North Korea, Cuba, the Crimea region, and Syria; or if you are on the U.S. Treasury Department's list of Specially Designated Nationals or the U.S. Department of Commerce Denied Persons List or Entity List. By participating in the program, you represent and warrant that you are not located in any such country or on any such list.
- Not be in violation of any national, state, or local law or regulation with respect to any activities directly or indirectly related to our Bug Bounty Program.
- Not be employed by Zerobounce or any of its affiliates or an immediate family member of a person employed by Zerobounce or any of its affiliates.
You are responsible for any tax implications of a reward from our Bug Bounty Program depending on your country of residency and citizenship.
Program Rules
Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
- When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
- Social engineering (e.g. phishing, vishing, smishing) is prohibited.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
- Only interact with accounts you own or with explicit permission of the account holder.
SQL Injection Policy
- Do not alter any data.
- Do not change or interrupt server or database functionality.
- Do not destroy any data.
- Do not read or save sensitive data belonging to members other than yourself.
XSS Policy
- Stored XSS is classified as Medium-severity.
- Reflected XSS is classified as Low-severity.
- XSS on IE only is classified as Informational.
- POST-Based XSS is classified as Not Applicable.
Test Plan
- Researchers are free to set up accounts for testing, but please note that testing should be limited to the accounts you own. We also highly encourage you to register an account with your HackerOne email alias [[email protected]].
- You can test the payment flow on the staging environment with Stripe and PayPal test cards.
- Please use our validation and API guides for instructions on how to use our platform.
Rewards
Our rewards are based on severity per CVSS (the Common Vulnerability Scoring System). Please note these are general guidelines, and that reward decisions are at the discretion of Zerobounce.
Out of scope vulnerabilities
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:
- Clickjacking on pages with no sensitive actions.
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.
- Attacks requiring MITM or physical access to a user's device.
- Previously known vulnerable libraries without a working Proof of Concept.
- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
- Missing best practices in SSL/TLS configuration.
- Any activity that could lead to the disruption of our service (DDoS).
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
- Rate limiting or brute-force issues on non-authentication endpoints.
- Missing best practices in Content Security Policy.
- Missing HttpOnly or Secure flags on cookies.
- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.).
- Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version].
- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).
- Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.
- Tabnabbing.
- Open redirect - unless an additional security impact can be demonstrated.
- Issues that require unlikely user interaction.
Safe Harbor
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for helping keep ZeroBounce and our users safe!