Introduction
At Zadarma, we take security and privacy very seriously. If you believe that you have found a security vulnerability within the Zadarma Bug Bounty Program (ZBBP) scope, please report the details of your findings. We appreciate your efforts in helping protect customer trust and make Zadarma more secure.
Program Exclusions
The following categories of vulnerabilities are excluded from the reward Program:
- Attacks against Zadarma infrastructure
- Social engineering and physical attacks
- Distributed Denial of Service (DDoS) attacks that require large volumes of data
- Violations of licenses or other restrictions applicable to any vendor's product
- Security vulnerabilities in third-party products or websites that are not under Zadarma’s direct control
- Duplicate reports of security issues, including security issues that have already been identified internally
- Clickjacking reports against unauthenticated pages and/or static content resources
- Theoretical security issues with no realistic exploit scenario(s) or attack surfaces
- Issues determined to be low impact
- Self-XSS involving a payload in headers or the body of the request
- POST-based reflected XSS
- Vulnerabilities that require a social engineering component, e.g. presenting injected data to a user and expecting the user to click an external link to complete the compromise
- Login/logout CSRF
Program Terms and Conditions
The following Terms and Conditions apply to the Program:
- You must comply with the Program and abide by the law
- Zadarma employees, contractors, and their families are not eligible for rewards
- You must submit your report as soon as you have discovered a potential vulnerability. By submitting the vulnerability, you affirm that you have not disclosed, and agree that you will not disclose, the vulnerability or your submission to anyone other than Zadarma, following the process set forth in the Program.
- By submitting information about a potential vulnerability, you agree to all Program Terms and Conditions and grant Zadarma a worldwide, royalty-free, non-exclusive license to use your submission. Only the first submission of a given potential vulnerability that Zadarma has not yet identified is eligible. In the event of a duplicate submission, only the earliest received is considered.
- Eligibility for rewards, including the determination of the recipients and the reward amount, is at the sole discretion of Zadarma.
- You are responsible for all taxes associated with and imposed on any reward you may receive in connection with your submission.
- You may only exploit, investigate, or target vulnerabilities against your own accounts. Testing must not violate any law, disrupt or compromise any data, or access data that is not yours; intentional access to customer data other than your own is expressly prohibited.
- If you inadvertently access customer, employee, or business-related information during your testing, you must immediately notify Zadarma and the information must not be used, disclosed, stored, or recorded in any way. Inadvertent access to the data must be declared within your submission.
- Your testing activities must not negatively impact the availability or performance of Zadarma services.
Services and Products in Scope
Bounty-eligible findings are limited to the following websites, APIs and mobile applications:
Zadarma websites:
- zadarma.com
- my.zadarma.com
- teamsale.com
- *.teamsale.com
Zadarma APIs:
- api.zadarma.com
Zadarma applications:
- Zadarma Apple App
- Zadarma Android App
- Zadarma Windows App
Plugins:
- Zadarma call plugin for Google Chrome
Reports of security findings outside the bounty-eligible scope will still be accepted and handled appropriately.
Reporting Process
- Before reporting vulnerabilities, you must first create your own account on the Zadarma website; testing is limited to that account, as described in the Program Terms and Conditions
- Your description of the vulnerability must include every detail needed to reproduce it, including the tools required to do so. The vulnerability must be handled in accordance with the terms of the Program.
- Each submission will typically receive a reply within one (1) business day acknowledging that the report was successfully received.
- Duplicate submissions (where the vulnerability has already been reported to Zadarma) are not eligible for rewards. In most instances, you will not be notified of a duplicate report condition until after the vulnerability has been remediated.
- Please recognize that the amount of time required to address a reported issue can vary from a few hours to several months. You will receive notification of the final outcome of our remediation efforts once the Program has been notified by the Zadarma internal support team. Zadarma cannot provide updates on remediation efforts that are still in progress.
- Information about the vulnerability should be sent to the dedicated email address: bug-bounty@zadarma.com
Awarding Process
Only reports that describe an actual vulnerability will be considered for an award, and an award is paid only once the vulnerability has been resolved. The bounty depends on criteria such as the type and severity of the vulnerability, the impacted domain(s), the potential for exploitation, and the quality of the submitted report. The criteria used to determine the payout for a vulnerability are solely at the discretion of Zadarma.
Award categories
Vulnerabilities are ranked from Low to Critical, depending on their severity:
- Low
- Medium
- High
- Critical
The Zadarma jury determines the severity of the vulnerability.
Change to Program Terms
The Program may be amended, modified or discontinued at any time without notice in Zadarma’s sole and absolute discretion.
Responsible Disclosure Policy
Thank you for joining us in supporting ethical and responsible disclosure. By participating in this Program, you agree not to share publicly or privately any details or descriptions of your findings with any party until Zadarma confirms mitigation.