
Zooplus
Bounty Range
$500 - $5,000
external program
Since 1999, zooplus has been a pioneer in pet supplies e-commerce, serving millions of pet parents with an ever-growing range of nutritional and lifestyle products, proprietary premium food and accessory brands, alongside expert advice, convenient services, and loyalty programmes. Committed to the vision of 'Celebrating Pet Love Every Day' and driven by a passion for innovation, zooplus aims to set the industry standard for personalised, smart shopping. Based in Munich, zooplus operates local online shops across 30 European countries.
Thank you for supporting our security mission with your proactive reports. 'We enable trust amid a hostile digital landscape.'
We look forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe!
Zooplus will make a best effort to meet the following SLAs for hackers participating in our program:
| Type of Response | SLA in business days |
|---|---|
| First Response | 2 days |
| Time to Triage | 5 days |
| Time to Bounty | 14 days |
| Time to Resolution | depends on severity and complexity |
We'll try to keep you informed about our progress throughout the process.
It is prohibited to discuss this program or any vulnerabilities (even resolved ones) outside of the program without explicit consent from the organization.
Follow HackerOne's disclosure guidelines.
Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
Social engineering (e.g. phishing, vishing, smishing) is prohibited.
Make a good faith effort to avoid privacy violations, destruction or mass exfiltration of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
Zooplus is based in the EU, and some services are only made available in Europe through Geo-IP restrictions. To avoid problems during your testing, please use a VPN with an exit node in an EU country.
Load-intensive scans should be avoided.
When signing up for any Zooplus account, please use your [email protected] address.
Please email [email protected] to request an account if you do not have one and are unable to create one.
Make sure to include your HackerOne email address in the request.
We will try to get back to you within 5 business days.
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:
Attacks requiring MITM or physical access to a user's device.
Previously known vulnerable libraries without a working Proof of Concept.
Content spoofing and text injection issues without a demonstrated attack vector, or without the ability to modify HTML/CSS.
Missing best practices in Content Security Policy.
Missing email best practices (only invalid, incomplete or missing DKIM/DMARC records).
Public zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis.
Open redirect, unless an additional security impact can be demonstrated.
Self-XSS is out of scope unless it can be chained with another kind of attack that does not require social engineering.
Social media account takeover findings can only be rewarded once, as we have tens of millions of pages that would need checking. We would appreciate it if all links to affected accounts are provided in one ticket.
We only accept credential leaks that include Z+ employees or third-party credentials, such as those of logistics companies. Accounts on voting pools, Kanban boards and other tools used by developers for their own purposes are not included, unless internal Z+ information is leaked through them. We also accept leaks of Z+ customer data only if they originate from zooplus or another domain in the program's scope; the way the leak was obtained must, of course, be included in the report. We do not accept leaks obtained directly from customers via viruses, trojans, browser leaks and the like, as these are not Z+ leaks. We of course appreciate any such report as a sign of good faith from the community, and we have always tried to be as grateful as company policies allow.
We cannot accept reports about TLDs that are not associated with our organization, or not reserved by our business, as a security risk.
Issues that arise from intended business processes, even if they can be abused in edge cases, are out of scope. This includes, but is not limited to:
Account creation flows.
Manipulation or reuse of promotional codes, vouchers, or coupons.
Obtaining discounts, free gifts, or benefits (such as "Flash Deals," "Savings Plan," or "Zoopoints") through business logic quirks, unless this leads to a direct compromise of core security controls or customer data.
Exploiting regional or cross-shop promotions (e.g., using a French free shipping code for a Belgian address).
Earning or spending "Zoopoints", newsletter bonuses, or referral points multiple times via timing, race conditions, or cross-shop actions.
Bypassing limits on loyalty programs.
Rewards are based on severity per CVSS (the Common Vulnerability Scoring System). Please note that these are general guidelines, and reward decisions are at the discretion of Zooplus.
| Severity | Average Bounty | Percentage of Submissions |
|---|---|---|
| Low | $625 | 19.84% |
| Medium | $1,000 | 42.66% |
| High | $2,000 | 26.36% |
| Critical | $5,000 | 11.14% |
If you have any questions or run into blockers while testing, please email [email protected] to get in touch with our team.
Thank you for helping keep Zooplus and our users safe!