How do you report?
Send an email to us at firstname.lastname@example.org with the following information:
- A summary of the vulnerability containing such info as URL and type of vulnerability.
- The necessary information that we need in order to reproduce the vulnerability that you have discovered.
- If applicable, a screenshot of the vulnerability you have found.
- Contact information, name, email, phone number etc.
- Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
- Provide us a reasonable amount of time to resolve the issue and consult with us before any disclosure to the public or a third-party.
What will disqualify researchers from the program?
Issues found by using automated large scale scanning tools are not eligible!
Automated scans might trigger our monitoring system. Fuzzing / trying input on a specific part of the applications is fine, but refrain from the scattergun approach. Testing if there is an admin.php doesn't make any sense as our backend does not use PHP.
What can you expect from us?
- We will respond to your report within 3 business days.
- We will continue keep you informed of the progress towards resolving the problem.
- We will treat your report confidentially and will never share your personal data with any third parties, except when we are legally forced to do so.
Any design or implementation issue that is reproducible and substantially affects the security of ZIVVER's users is likely to be in scope for the program. Common examples include:
- Cross Site Request Forgery (CSRF).
- Remote Code Execution (RCE).
- Unauthorized Access to Properties or Accounts.
Depending on their impact, not all reported issues may qualify for a monetary reward. However all reports are reviewed on a case-by-case basis and any report that results in a change being made will at a minimum receive recognition.
Please refrain from accessing private information, performing actions that may negatively affect ZIVVER users (spam, denial of service), or sending reports from automated tools without verifying them.
The following issues are outside the scope of our vulnerability rewards program:
- Attacks requiring physical access to a user's device or network.
- Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability).
- Login/Logout CSRF.
- Missing security headers which do not lead directly to a vulnerability.
- Use of a known-vulnerable library (without evidence of exploitability).
- Reports from automated tools or scans.
- Social engineering of ZIVVER staff or contractors.
- Denial of Service attacks.
- Mass account and file creation.
- Results acquired by large scale automated test tools.
- Not enforcing certificate pinning.
- Use of 'weak' TLS ciphers (we have to support a broad range of (old) web browsers).