Zadarma Bug Bounty Program

Legal agreements / Zadarma Bug Bounty Program

Introduction

At Zadarma, we take security and privacy very seriously. If you believe that you have found a security vulnerability within the Zadarma Bug Bounty Program (ZBBP) scope, please report the details of your findings. We appreciate your efforts in helping protect customer trust and make Zadarma more secure.

Program Exclusions

The following categories of vulnerabilities are excluded from the reward Program:

Attacks against Zadarma infrastructure
Social engineering and physical attacks
Distributed Denial of Service (DDoS) attacks that require large volumes of data
Violations of licenses or other restrictions applicable to any vendor's product
Security vulnerabilities in third-party products or websites that are not under Zadarma’s direct control
Duplicate reports of security issues, including security issues that have already been identified internally
Clickjacking reports against unauthenticated pages and/or static content resources
Theoretical security issues with no realistic exploit scenario(s) or attack surfaces
Issues determined to be low impact
Self-XSS involving a payload in headers or the body of the request
POST based Reflected XSS
Vulnerabilities that require a social engineering component are excluded. i.e. presenting injected data to a user and expecting the user to click on an external link to complete the compromise
Login/logout CSRF

Program Terms and Conditions

The following Terms and Conditions apply to the Program:

You must comply with the Program and abide by the law
Zadarma employees, contractors, and their families are not eligible for rewards
You must submit your report as soon as you have discovered a potential vulnerability. By submitting the vulnerability, you affirm that you have not disclosed and agree that you will not disclose the vulnerability or your submission to anyone other than Zadarma following the process set forth in the Program.
By submitting information about a potential vulnerability, you agree to all Program Terms and Conditions and grant Zadarma a worldwide, royalty-free, non-exclusive license to use your submission. Only the first submission of a given potential vulnerability that Zadarma has not yet identified is eligible. In the event of a duplicate submission, only the earliest received is considered.
Eligibility for rewards, including the determination of the recipients and reward amount is left up to the sole discretion of Zadarma.
You are responsible for all taxes associated with and imposed on any reward you may receive in connection with your submission.
You may only exploit, investigate, or target vulnerabilities against your own accounts. Testing must not violate any law, or disrupt or compromise any data or access data that is not yours; intentional access of customer data other than your own is expressly prohibited.
If you inadvertently access customer, employee, or business-related information during your testing, you must immediately notify Zadarma and the information must not be used, disclosed, stored, or recorded in any way. Inadvertent access to the data must be declared within your submission.
Your testing activities must not negatively impact Zadarma availability or performance.

Services and Products in Scope

Bounty eligible findings are limited to following websites, APIs and mobile applications:

Zadarma web-sites:

zadarma.com
my.zadarma.com
teamsale.com
*.teamsale.com

Zadarma APIs:

api.zadarma.com

Zadarma applications:

Zadarma Apple App
Zadarma Android App
Zadarma Windows App

Plugins:

Zadarma call plugin for Google Chrome

Reports of security findings outside of bounty eligible scope will be accepted and handled appropriately.

Reporting Process

When reporting vulnerabilities, you must first create your account on Zadarma website
In describing the vulnerability it is important to include all necessary details required for reproducing the vulnerability as well as the tools required to reproduce the vulnerability. Please note that the vulnerability should be treated in accordance with the terms of the Program.
Each submission will typically receive a reply within one (1) business day acknowledging that the report was successfully received.
Duplicate submissions (where the vulnerability has already been reported to Zadarma) are not eligible for rewards. In most instances, you will not be notified of a duplicate report condition until after the vulnerability has been remediated.
Please recognize that the amount of time required to address a reported issue can vary from a few hours to several months. You will receive notification of the final outcome of our remediation efforts once the Program is notified by Zadarma internal support team. Zadarma cannot provide updates on remediation efforts that are in progress.
Information about the vulnerability should be sent to a special email address bug-bounty@zadarma.com

Awarding Process

Only vulnerabilities will be considered for an award. Only those vulnerabilities that have been resolved will receive an award. The bounties depend on criteria such as the type/severity of the vulnerability, impacted domain(s), potential vulnerability exploits, and vulnerability report submission quality. The criteria used to determine the payout for a vulnerability is solely at the discretion of Zadarma.

Award categories

Vulnerabilities will be ranked from category low to category critical, depending on their severity:

Low
Medium
High
Critical

The Zadarma jury determines the severity of the vulnerability.

Change to Program Terms

The Program may be amended, modified or discontinued at any time without notice in Zadarma’s sole and absolute discretion.

Responsible Disclosure Policy

Thank you for joining us in supporting ethical and responsible disclosure. By participating in this Program, you agree not to share publicly or privately any details or descriptions of your findings with any party until Zadarma confirms mitigation.