Hack and Take the Cash !

717 bounties in database



1.Provide details of the vulnerability including information needed to reproduce and validate the vulnerability and also provide a Proof of Concept (POC)
2.Make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our services
3.Do not modify or access data that does not belong to you
Give us a reasonable time to correct the issue before making any information public
4.We would also request you not to consider any social engineering or denial of service type of attack in the scope of white hat testing

Domains and Applications within the scope of the program

* All the applications listed in our zoho.com website - *.zoho.com
* All Zoho branded mobile apps and client side applications


* Bounty will be awarded at the discretion of Bug Bounty Panel
* Only one bounty per security bug will be awarded and previously reported vulnerabilities will not be rewarded
* If you choose to donate the bounty to a recognized charity, we will match your donation (subject to our discretion) so that the charity gets double the bounty amount.
* Rewards are paid only to individuals.
* Rewards that go unclaimed after 3 months will be donated to a charity of Zoho's discretion. Thus the bounty cannot be reclaimed by the awardee after that period.
* Individuals who are on sanctions list and who are in countries on sanctioned list are not eligible
* We will acknowledge your contribution in our 'Hall of Fame' unless you would prefer to remain anonymous

Qualifying Vulnerabilities

* Injection attacks
* Cross-Site Scripting (XSS)
* Remote Code Execution (RCE)
* Cross-Site Request Forgery (CSRF)
* Broken Authentication
* Authorization Flaws / Privilege Escalation
* Directory Traversal
* Sensitive Information leaks or disclosure

Non Qualifying Vulnerabilities

* Self XSS
* Username or email address enumeration
* Content spoofing / Text injection
* XSS vulnerabilities on sandbox domains
* Unvalidated / Open Redirects
* Clickjacking on unauthenticated pages or on cases with no state-changing action
* Login/Logout/Unauthenticated CSRF
* Missing cookie flags on non sensitive cookies
* Missing security headers which do not lead directly to a vulnerability
* Reports from automated tools or scans
* Vulnerabilities affecting users of outdated or unsupported browsers or platforms
* Attacks requiring physical access to a user device
* Social engineering
* Low impact descriptive error pages and information disclosures without any sensitive information
* Invalid or missing SPF/DMARC records


Hall of Fame

List your Bug Bounty for free immediately!

Contact us if you want more information.

FireBounty (c) 2016