07/12/2019

Zenly

At Zenly, we look forward to fostering new relationships with the security researcher community. Our security team reviews all vulnerability reports and acts upon them in accordance with responsible disclosure. As a general rule, we will acknowledge and validate your submission within 30 days (usually in less) and remediate critical and high severity submissions within 90 days.

Scope

This program is limited to Zenly’s applications and websites listed below:

Core applications and websites:

Zenly’s primary APIs

  • api.znly.co
  • rpc.znly.co
  • zen.ly

Threat Model:

Given our threat model, Zenly is particularly interested in

  • Security vulnerability testing for our mobile apps and API endpoints as per above.
  • Compromising app-based chat services.
  • SMS Toll Fraud for account sign-up, if this can be done through a proven automated mechanism.
  • Altering or faking user location (from within the application and not using a third party application acting at the OS level).

Zenly Test Guidelines:

  • Create an account for Zenly using your phone number with our account sign-up flow
  • You may want to use a non-primary phone number for testing
  • Zen.ly requires location and notification services to be enabled for the app to work; make sure to enable them. To test full functionality, you can invite friends by phone number, enable access to your phone book/contacts, or invite via the “bump” feature by physically bumping two phones together.
  • Do not access user personal information. If you accidentally access user personal information, please stop testing and submit the vulnerability.
  • Stop testing and report the issue immediately if you gain access to any non-public application or non-public credentials.
  • Do not degrade the Zenly user experience, disrupt production systems, or destroy data during security testing.
  • Perform research only within the scope defined above.
  • Use the HackerOne report submission form to report vulnerability information to us.
  • Collect only the information necessary to demonstrate the vulnerability.
  • Submit any necessary screenshots, screen captures, network requests, reproduction steps or similar using the HackerOne submission form (do not use third party file sharing sites).
  • When investigating a vulnerability, please only target your own account and do not attempt to access data from anyone else’s account.

Eligibility

To qualify for a reward under this program, you must:

  • Be the first to report a specific vulnerability.
  • Send a clear textual description of the report along with steps to reproduce the vulnerability. Include attachments such as screenshots or proof of concept code as necessary.
  • Disclose the vulnerability report responsibly to us. Public disclosure or disclosure to other third parties - including vulnerability brokers - before we address your report shall forfeit the reward.
  • Demonstrate care in reproducing the vulnerability. In particular, test only on accounts you own and do not attempt to view or tamper with data belonging to others.

Non-qualifying vulnerabilities and exclusions:

  • Social engineering attempts on our staff including phishing emails
  • Vulnerabilities in a vendor we integrate with (e.g. Google or any SMS provider)
  • Use of automated tools that could generate significant traffic and possibly impair the functioning of our application
  • Reports solely indicating a lack of a possible security defense such as certificate pinning. We constantly make security improvements to our product offering.
  • Attacks that require physical access to or modification of hardware are not in scope
  • Zenly's email configuration and DNS (SPF, DMARC, DKIM)
  • GitHub setup-related issues (e.g. wiki configuration)

Additionally, the following reports do not qualify for a reward:

  • Lack of password login and logout; this is by design at this time.
  • Local access to user data when operating a rooted or jailbroken mobile device.
  • Attacks that require physical access to a user's unlocked device.

Legal

If you’re on a sanctions list, or live in a country that’s on a sanctions list, we cannot give you a reward. Keep in mind that your citizenship and residency may affect whether you owe taxes on any reward you receive, and you alone are responsible for paying those taxes.

We, of course, reserve the right to cancel or modify this program at any time. And the ultimate decision over an award, whether to give one and in what amount, is a decision that lies entirely within our discretion.

Finally, and needless to say, please do not violate any laws when conducting your tests.

In Scope

Scope Type        Scope Name
web_application   zen.ly
web_application   rpc.znly.co
web_application   rpc-kcp.znly.co
web_application   api.znly.co
web_application   app.zenly.locator
web_application   com.alertus.zenly
web_application   https://play.google.com/store/apps/details?id=app.zenly.locator&hl=en_US
web_application   https://itunes.apple.com/us/app/zenly-best-friends-only/id838848566?mt=8


This program, crawled on 2019-12-07, is sorted as a bounty.

FireBounty © 2015-2020
