January 1st, 2021
At Zizoo, the safety and security of our customers and users has always been a top priority. We are dedicated to improving our products and services continuously by addressing changing market needs, technological breakthroughs, as well as new attack vectors. This Responsible Disclosure Policy is in place to identify new vulnerabilities and security issues in products and services provided and maintained by Zizoo and to address them in a timely manner.
Please review these terms before you test and/or report a vulnerability. Zizoo pledges not to initiate legal action against researchers for penetrating or attempting to penetrate our systems as long as they do so in good faith and adhere to this policy.
Targeted, malicious or persistent attacks, however, are strictly forbidden and will be reported to the relevant authorities in accordance with the relevant laws.
What we expect from you
- Respect the rules. Operate within the rules set forth here, or speak up if in strong disagreement with the rules.
- Notify us as soon as possible after you discover a real or potential security issue.
- Respect privacy. Make a good faith effort not to access or destroy another user’s data.
- Be patient. Provide us a reasonable amount of time to resolve the issue before you disclose it publicly.
- Do no harm. Act for the common good through the prompt reporting of all found vulnerabilities. Never willfully exploit others without their permission.
What you can expect from us
- We will respond as quickly as possible to your initial report, and no later than 30 days after receiving it.
- We will keep you updated throughout the process as we work to remediate the issue.
- We will let you know when the issue is fixed and when you can disclose it publicly.
- We will not take legal action against you if you have acted in good faith.
Services in Scope
This policy applies to the following systems and services:
Services Out Of Scope
Any service not expressly listed above, including any connected services, is excluded from scope and is not authorized for testing. If you aren’t sure whether a system is in scope or not, contact us at firstname.lastname@example.org before starting your research. Similarly, if there is a particular system not in scope that you think merits testing, please contact us to discuss it first. We will increase the scope of this policy over time.
Any design or implementation issue that substantially affects the confidentiality or integrity of user data is likely to be in scope for this program. Common examples include:
- XSS (Cross-site scripting)
- CSRF (Cross-site request forgery)
- SQL injection
- Authentication or authorization bugs
- Remote code execution
Non-technical vulnerabilities such as DDoS, phishing, and breaking and entering are not eligible and are strictly prohibited. The following are also not eligible:
- HTTP 404 codes/pages or other HTTP non-200 codes/pages.
- Disclosure of public information and information that does not present significant risk.
- Bugs that have already been submitted by another user, that we are already aware of, or that are classified as ineligible by Zizoo.
- Bugs that are in content/services not owned by Zizoo.
- Leaking version or debugging information such as stack traces, path disclosure, or directory listings.
- Speculative reports or reports without enough information to confirm an issue.
- Reports recommending best practices without demonstrable proof of an actual issue.
Whilst we encourage you to discover and report to us any vulnerabilities you find in a responsible manner, the following conduct is expressly prohibited:
- Performing actions that may negatively affect Zizoo, its team or its customers
- Network denial of service (DoS or DDoS) tests or other tests that impair access to or damage a system or data
- Social engineering (e.g. phishing, vishing), or any other non-technical vulnerability testing
- Accessing, or attempting to access, data or information that does not belong to you
- Destroying or corrupting, or attempting to destroy or corrupt, data or information that does not belong to you
- Violating any laws or breaching any agreements in order to discover vulnerabilities
Reporting a vulnerability
You can submit a vulnerability or security issue report by contacting us at email@example.com.
If you prefer, please send it as an encrypted message using PGP.
What we are looking for
Please send us the following information over a secure channel to be able to address the issue:
- The product or service affected, including version numbers if applicable;
- Steps to reproduce the vulnerability/security issue including technical details as well as supporting evidence, e.g. logs, screenshots, pictures, exploit code;
- Vulnerability/security issue type, e.g. spoofing, tampering, remote code execution, information disclosure, denial of service, elevation of privilege;
- If you are reporting a cross-site scripting (XSS) issue, your exploit should at least pop up an alert in the browser;
- For a cross-site request forgery (CSRF), demonstrate a proper CSRF case in which a third party causes the logged-in victim to perform an action;
- For a SQL injection, we want to see the DBMS name and version, not just an error message or stack trace;
- HTTP request/response captures or plain packet captures are also very useful to us;
- Make sure the bug is exploitable against someone other than the affected user (i.e. not a “self-XSS”). The impact is always important;
- If you are reporting exposed credentials/source-code from the public repositories, don't forget to share links of that source with the screenshot of the place of leakage.
After remediation, you may be eligible to receive a reward, if:
- You are the first person to submit a product or service vulnerability
- That vulnerability is determined to be a valid security issue by Zizoo's Security team
- You have complied with all Program Terms
Rewards are subject to the terms and conditions of a Responsible Disclosure Agreement.
All reward amounts will be determined at the discretion of the Zizoo Security team, who will evaluate each report for severity, impact, and quality. Reward amounts vary depending on the severity of the vulnerability reported. Some submissions may describe a risk we determine to be acceptable, in which case we will not make changes.
The minimum reward amount for a validated bug submission is 50 EUR and the maximum reward for a validated bug submission is 1.500 EUR. Zizoo’s Security team retains the right to determine whether a bug submitted to the Responsible Disclosure Program is eligible. All determinations as to the amount of a reward made by the Zizoo Security team are final.
Questions regarding this policy may be sent to firstname.lastname@example.org. We also invite you to contact us with suggestions for improving this policy.