Help us secure ZebPay

• Send it to security@zebpay.com
• Points to consider :
  (Please use English when submitting the report)
  (Add the POC attachments in a Google drive or Dropbox link)
  (Try to be as elaborate of the testing methodology in your report as possible)

The bug report should contain sufficient information pertaining to the bug description, testing methodology used and endpoints in the testing environment. This will help our internal security team to triage the bug faster. 

The following should be added to make it a qualifying bug report : 

• * A clear description of the bug.
• * The specific product version and environment in which the bug was found.
• * Sample Code (if required).

• A member of our staff will get back to you as soon as they receive your report.
• Don’t be afraid to send the report again if you sent it by email and don’t hear back within a few days. This could mean that a spam filter has banned your email.

Bugs must be original and previously unreported in order to qualify for the bounty. The researcher who submitted their report first will receive the bounty if two or more researchers submit the identical bug.

Every software bug is different and requires a different amount of time to triage and resolve, thus we can’t guarantee how long it will take to fix one. We always try to resolve problems as quickly as we can, and we’ll keep you informed every step of the way.

• If you have found a security issue that directly affects a cryptocurrency and/or its components (e.g. blockchain, node, wallet)
• Vulnerabilities that can cause a loss of user’s funds/assets remotely.
• Vulnerabilities that expose private keys or other sensitive data.
• Vulnerabilities in chain-related implementations
• Insecure cryptographic implementation for sensitive functions such as wallet generation, transaction signing etc.
• Business logic issues
• Payments manipulation
• Remote code execution (RCE)
• Database vulnerability, SQLi
• File inclusions (Local & Remote)
• Access Control Issues (IDOR, Privilege Escalation, etc)
• Leakage of sensitive information
• Server-Side Request Forgery (SSRF)
• Other vulnerability with a clear potential loss

• Theoretical vulnerabilities without actual proof of concept
• Links to invalid/expired pages (Only valid if you can demonstrate an actual takeover of an official Zebpay social media account linked to on every page, not just specific past announcements/blog posts)
• Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM/DMARC)
• CSRF with negligible security impact (E.g. adding to favourites, adding to cart, subscribing to a non critical feature)
• Assets that do not belong to Zebpay
• Missing security headers that do not lead to direct exploitation
• Exposure of internal IP address or domains
• Internally known issues, duplicate issues, or issues which have already been made public
• Vulnerabilities that require physical access to a user’s device
• Issues that have no security impact (E.g. Failure to load a web page)
• Vulnerabilities only exploitable on out-of-date browsers or platforms
• Email verification deficiencies, expiration of password reset links, and password complexity policies
• Reports from automated tools or scans
• Vulnerabilities related to auto-fill web forms
• Issues related to unsafe SSL/TLS cipher suites or protocol version
• Lack of security flags in cookies
• Any activity (like DoS/DDoS) that disrupts our services
• Email or mobile enumeration (E.g. the ability to identify emails via password reset)
• Vulnerabilities that require root/jailbreak
• Self-XSS
• Cache-control related issues
• Installation Path Permissions
• Use of known vulnerable libraries without actual proof of concept
• Information disclosure with minimal security impact (E.g. stack traces, path disclosure, directory listings, logs)
• Content spoofing
• Tab-nabbing
• Disclosure of information that does not present a significant risk.
• Clickjacking / UI redressing.
• Issues that require unlikely user interaction.

Our general payout ranges from $100-$1000 depending on the severity of the bug. The payout amount is decided by the Security team at Zebpay and the decision is final from the team.