Zenly is a mobile app that shows you a live map of your friends and family. Founded in Paris in 2014, Zenly joined Snap in 2017 and continues to run as an independent entity with millions of loving active users around the world.
We look forward to fostering new relationships with the security researcher community. Our security team reviews all vulnerability reports and acts upon them in accordance with responsible disclosure. As a general rule, we will acknowledge and validate your submission within 30 days (usually in less) and remediate critical and high severity submissions within 90 days.
Our main focus is on security vulnerability testing for the mobile applications and API endpoints listed below; however, if you find a vulnerability that has meaningful security impact on an asset not explicitly out of scope, it’s fair game.
Given our threat model, Zenly is particularly interested in reports demonstrating:
- Vulnerabilities in authentication
- Compromise of chat services
- Alteration or faking of user location (from within the application and not using a third-party application acting at the OS level)
- SMS toll fraud for account sign-up, if done through a proven automated mechanism
We’ll only grant a reward to the first researcher reporting a specific vulnerability.
- Agree and adhere to the Do's and Don'ts and the Legal terms as stated in this policy.
- Demonstrate care in reproducing the vulnerability. In particular, test only on accounts you own and do not attempt to view or tamper with data belonging to other users.
- Send a clear textual description of the report along with steps to reproduce the vulnerability (code and screenshots are encouraged; videos are discouraged unless absolutely necessary).
- Check the eligibility of your report before submitting it.
- Only contact us through the HackerOne report submission form.
- Don’t discuss or disclose any vulnerabilities (even resolved ones) outside of the program without express consent from us.
- Don’t access user personal information. If you accidentally access user personal information, please stop testing and contact us immediately.
- If you gain access to any non-public application or non-public credentials, please stop testing and contact us immediately.
- Do not degrade Zenly’s user experience, disrupt production systems, or destroy data during security testing.
- Lack of password login and logout on the mobile applications (this is by design)
- Attacks requiring physical access to an unlocked device or modification of hardware
- Reports solely indicating the lack of a possible security defense, such as certificate pinning
- Local access to user data when operating a rooted/jailbroken mobile device
- Issues that only occur on rooted/jailbroken devices or emulators
- Attacks requiring extensive user interaction
- Reports regarding outdated application versions
- Social engineering attempts on our staff, including phishing
- Publicly known 0-day vulnerabilities until more than 30 days have passed since patch availability
- Attacks that could lead to the disruption of our service ((D)DoS)
- Open ports without a vulnerability
- Use of automated tools and scanners that could impact our services' performance
- Vulnerabilities in a vendor we integrate with (e.g. Google or any SMS provider)
- Cleartext storage of third-party API keys for services that do not offer a secure method of key storage
- Third-party API keys found in mobile applications without demonstrating the possibility of using them in a malicious way
- Missing DNS and email best practices (e.g. invalid, incomplete, or missing SPF/DKIM/DMARC records)
- Missing SSL/TLS configuration best practices
- GitHub setup-related issues (e.g. Wiki configuration)
- Disclosure of server or software version numbers, or reporting out-of-date or vulnerable software versions, without a proof of concept demonstrating the vulnerability
- UUID enumeration of any kind
- Click-jacking on pages with no sensitive actions
- Open redirects without demonstrating additional security impact
- Tab-nabbing
Any activity conducted respecting this policy will be considered authorised conduct, and we will not initiate any legal action against you.
If you’re on a sanctions list, or live in a country that’s on a sanctions list, we cannot give you a bounty. Keep in mind that your citizenship and residency may affect whether you owe taxes on any reward you receive, and you alone are responsible for paying those taxes.
We, of course, reserve the right to cancel or modify this program at any time. The ultimate decision over a bounty, whether to give one and in what amount, lies entirely within our discretion.
Zenly’s employees, third-party asset employees, and their family members are not eligible for bounties.
Finally, and needless to say, please do not violate any laws when conducting your tests.
Scope Type | Scope Name |
---|---|
android_application | app.zenly.locator |
ios_application | com.alertus.zenly |
web_application | rpc.znly.co |
web_application | api.znly.co |
web_application | web.zen.ly |
Scope Type | Scope Name |
---|---|
web_application | zen.ly |
This program, crawled on 2019-12-07, is sorted as bounty.
FireBounty © 2015-2025