At Zenly, we look forward to fostering new relationships with the security
researcher community. Our security team reviews all vulnerability reports and
acts upon them in accordance with responsible disclosure
. As a general rule,
we will acknowledge and validate your submission within 30 days (usually in
less) and remediate critical and high severity submissions within 90 days.
This program is limited to Zenly’s applications and websites listed below:
Core applications and websites:
- Zenly’s current mobile application for iOS and Android .
Zenly’s primary APIs
Given our threat model, Zenly is particularly interested in
- Security vulnerability testing for our mobile apps and API endpoints as per above.
- Compromising App based chat services.
- SMS Toll Fraud for account sign-up, if this can be done through a proven automated mechanism.
- Altering or faking user location (from within the application and not using a third party application acting at the OS level).
Zenly Test Guidelines:
- Create an account for Zenly using your phone number with our account sign-up flow
- You may want to use a non-primary phone number for testing
- Zen.ly requires location and notification services to be enabled for the app to work, make sure to enable them. To test full functionality, you can invite friends by phone number, enable access to your phone book/contacts or invite via the “bump” feature with two phones physically.
- Do not access user personal information. If you accidentally access user personal information, please stop testing and submit the vulnerability.
- Stop testing and report the issue immediately if you gain access to any non-public application or non-public credentials.
- Do not degrade the Zenly user experience, disrupting production systems, or destroy data during security testing.
- Perform research only within the scope defined above.
- Use the HackerOne report submission form to report vulnerability information to us.
- Collect only the information necessary to demonstrate the vulnerability.
- Submit any necessary screenshots, screen captures, network requests, reproduction steps or similar using the HackerOne submission form (do not use third party file sharing sites).
- When investigating a vulnerability, please only target your own account and do not attempt to access data from anyone else’s account.
To qualify for a reward under this program, you must:
- Be the first to report a specific vulnerability.
- Send a clear textual description of the report along with steps to reproduce the vulnerability. Include attachments such as screenshots or proof of concept code as necessary.
- Disclose the vulnerability report responsibly to us. Public disclosure or disclosure to other third parties - including vulnerability brokers - before we address your report shall forfeit the reward.
- Demonstrate care in reproducing the vulnerability. In particular, test only on accounts you own and do not attempt to view or tamper with data belonging to others.
Non-qualifying vulnerabilities and exclusions:
- Social engineering attempts on our staff including phishing emails
- Vulnerabilities in a vendor we integrate with (e.g Google or any SMS provider)
- Use of automated tools that could generate significant traffic and possibly impair the functioning of our application
- Reports solely indicating a lack of a possible security defense such as certificate pinning. We constantly make security improvements to our product offering.
- Clear storage of 3rd party API keys for services that do not offer a secure method of key storage.
- Attacks that require physical access to or modification of hardware are not in scope
- Zenly's email configuration and DNS (SPF, DMARC, DKIM)
- Github set up related issue (e.g. Wiki configuration)
Additionally, the following reports do not qualify for a reward:
- Lack of password login and logout, this is by design at this time.
- Local access to user data when operating a rooted or jailbroken mobile device.
- Attacks that require physical access to a user unlocked device.
If you’re on a sanctions list, or live in a country that’s on a sanctions
list, we cannot give you a reward. Keep in mind that your citizenship and
residency may affect whether you owe taxes on any reward you receive, and you
alone are responsible for paying those taxes.
We, of course, reserve the right to cancel or modify this program at any time.
And the ultimate decision over an award --whether to give one and in what
amount-- is a decision that lies entirely within our discretion.
Finally, and needless to say, please do not violate any laws when conducting
This program crawled on the 2019-12-07 is sorted as bounty.