Note before you post a BUG
- Provide details of the vulnerability including information needed to reproduce and validate the vulnerability and also provide a Proof of Concept (POC)
- Make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our services
- Do not modify or access data that does not belong to you
- Give us a reasonable time to correct the issue before making any information public
- We would also request you not to consider any social engineering or denial of service type of attack in the scope of white hat testing
Domains and Applications within the scope of the program
- All the applications listed in our zoho.com website - *.zoho.com
- All Zoho branded mobile apps and client side applications
Rewards
- Bounty will be awarded at the discretion of Bug Bounty Panel
- Only one bounty per security bug will be awarded and previously reported vulnerabilities will not be rewarded
- If you choose to donate the bounty to a recognized charity, we will match your donation (subject to our discretion) so that the charity gets double the bounty amount.
- Rewards are paid only to individuals.
- Rewards that go unclaimed after 3 months will be donated to a charity of Zoho's discretion. Thus the bounty cannot be reclaimed by the awardee after that period.
- Individuals who are on sanctions list and who are in countries on sanctioned list are not eligible
- We will acknowledge your contribution in our 'Hall of Fame' unless you would prefer to remain anonymous
Qualifying Vulnerabilities
- Injection attacks
- Cross-Site Scripting (XSS)
- Remote Code Execution (RCE)
- Cross-Site Request Forgery (CSRF)
- Broken Authentication
- Authorization Flaws / Privilege Escalation
- Directory Traversal
- Sensitive Information leaks or disclosure
Non Qualifying Vulnerabilities
- Self XSS
- Username or email address enumeration
- Content spoofing / Text injection
- XSS vulnerabilities on sandbox domains
- Unvalidated / Open Redirects
- Clickjacking on unauthenticated pages or on cases with no state-changing action
- Login/Logout/Unauthenticated CSRF
- Missing cookie flags on non sensitive cookies
- Missing security headers which do not lead directly to a vulnerability
- Reports from automated tools or scans
- Vulnerabilities affecting users of outdated or unsupported browsers or platforms
- Attacks requiring physical access to a user device
- Social engineering
- Low impact descriptive error pages and information disclosures without any sensitive information
- Invalid or missing SPF/DMARC records
- Password and account policies, such as reset link expiration or password complexity
- HTML Injection
- Wordpress XML-RPC exposure
- Missing rate limitations on endpoints (without any security concerns)
* Note : You can still file these vulnerabilities which have high exploitability with valid PoC and be eligible for Points / Hall of Fame Spot based on the discretion of our Bounty Panel.
Note of thanks
We would like to truly thank the people listed in the Hall of Fame for their participation in the program and for making a responsible disclosure of the vulnerabilities.
Hall Of Fame for-
{{user.name}} {{user.user_contact_info}}
Be the first one for this year !
SUBMIT BUG
No Hall of Fame entries this year !