ZOHO - Bug Bounty

At Zoho, keeping customer information safe and secure

is our number one priority

Zoho offers this Vulnerability Reward Program (VRP) to continuously improve the security of our products. If you believe you've discovered a potential security vulnerability in any of Zoho's products or assets, let us know immediately, and we will make every effort to get the issues addressed as quickly as possible.

Please ensure you understand the program rules before you report a vulnerability. By participating in this program, you agree to be bound by these rules. Zoho provides monetary rewards to vulnerability reporters at its discretion and the reward may vary upon the metrics including (but, not limited to) vulnerability severity, impact and the exploitability.

You can share details of the suspected vulnerability with Zoho by clicking below; SUBMIT BUG

At ManageEngine, keeping customer information safe and secure

is our number one priority

ManageEngine offers this Vulnerability Reward Program (VRP) to continuously improve the security of our products. If you believe you've discovered a potential security vulnerability in any of ManageEngine's products or assets, let us know immediately, and we will make every effort to get the issues addressed as quickly as possible.

Please ensure you understand the program rules before you report a vulnerability. By participating in this program, you agree to be bound by these rules. ManageEngine provides monetary rewards to vulnerability reporters at its discretion and the reward may vary upon the metrics including (but, not limited to) vulnerability severity, impact and the exploitability.

You can share details of the suspected vulnerability with ManageEngine by clicking below; SUBMIT BUG

Program rules

Always use accounts, email addresses, phone numbers that you own for testing our products and only interact with accounts you own
Don't try to gain access to accounts or any data that is not yours
Contact us immediately if you do inadvertently encounter user data that is not yours. Do not view, alter, save, store, transfer, or otherwise access the data. Upon reporting the vulnerability to Zoho, immediately and securely delete any local information
Report the vulnerability upon discovery or as soon as is feasible
Don't perform any activity that would be disruptive, damaging, or harmful to Zoho or its users
Give us reasonable time to respond to the issue before making any information about it public. Don't disclose the details of the issue publicly before they have been resolved
Don't perform social engineering attacks and physical attacks on our infrastructure or facilities
Don't contact any of our Zoho product support handles or email addresses about the status or decision of a bug report
Don't violate any criminal law or other applicable laws

We will not pursue a civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy.

Failure to comply with the program rules will result in immediate disqualification from the Zoho Bug Bounty Program and forfeiture of any pending bounty payments.

Please note that we only reward the first reporter of a vulnerability. Vulnerabilities are rewarded only if the minimum severity threshold is met, and rewards are granted entirely at the discretion of Zoho.

There are special cases where a vulnerability may be present in multiple places due to our products sharing the same code base, framework or a deployment instance. Authorization for multiple methods (like create, edit, and delete) could be handled at a single place. In such situations, only one reward will be applicable.

Zoho employees and their family members are excluded from this bug bounty program.

Program rules

Always use your own setup environments, accounts, email addresses, phone numbers and only interact with accounts and setups you own
Don't try to gain access to accounts or any data that is not yours
Report the vulnerability upon discovery or as soon as is feasible
Don't perform any activity that would be disruptive, damaging, or harmful to ManageEngine or its users
Give us reasonable time to respond to the issue. You are required to keep the bug information private for 30 days from the date of patch release, to provide our customers ample time to upgrade their setups
Don't perform social engineering attacks or physical attacks on our customers' or our infrastructure or facilities
Don't contact any of our product support handles or email addresses about the status or decision of a bug report
Don't violate any criminal law or other applicable laws

We will not pursue a civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy.

Failure to comply with the program rules will result in immediate disqualification from the ManageEngine Bug Bounty Program and forfeiture of any pending bounty payments.

Please note that we only reward the first reporter of a vulnerability. Vulnerabilities are rewarded only if the minimum severity threshold is met, and rewards are granted entirely at the discretion of ManageEngine.

There are special cases where a vulnerability may be present in multiple places due to our products sharing the same code base, framework or a deployment instance. Authorization for multiple methods (like create, edit, and delete) could be handled at a single place. In such situations, only one reward will be applicable.

ManageEngine employees and their family members are excluded from this bug bounty program.

Reporting a vulnerability

All reports must include concise proof-of-concept (PoC) and clear reproduction steps. Reports with only a PoC video without any textual description may be ineligible for a reward.

Our team will try to triage all reports within three days from the date of submission and priority of remediation is assessed by the severity, scenario and exploit complexity. We will notify you when the reported vulnerability is remediated, and you may confirm that the solution covers the vulnerability adequately.

Reporting a vulnerability

All reports must include concise proof-of-concept (PoC) and clear reproduction steps. Reports with only a PoC video without any textual description may be ineligible for a reward.

Our team will try to triage all reports within five days from the date of submission and priority of remediation is assessed by the severity, scenario and exploit complexity. We will notify you when the reported vulnerability is remediated, and you may confirm that the solution covers the vulnerability adequately..

Scope

All Zoho branded products and applications listed at zoho.com.
All Zoho branded mobile apps.
All Zoho branded client side applications.

Scope

All ManageEngine branded on-premise products listed at manageengine.com.
All ManageEngine branded mobile apps.

Note: ServiceDesk Plus MSP and SupportCenter Plus are temporarily excluded from the scope.

Range

Severity	Low	Medium	High	Critical
Bounty in USD (Up to)	$50	$200	$600	$1500

Range

Severity	Low	Medium	High	Critical
Bounty in USD (Up to)	$50	$200	$600	$1000

Exclusions

Missing any best security practice that is not a vulnerability
Self XSS
Username or email address enumeration
Email bombing
HTML injection
XSS vulnerabilities on sandbox aka user-content domains
Unvalidated aka Open redirects or Tabnabbing
Clickjacking in unauthenticated pages or in pages with no significant state-changing action
Logout or unauthenticated CSRF
Missing cookie flags on non-sensitive cookies
Missing security headers that don't lead directly to a vulnerability
Unvalidated findings from automated tools or scans
"Back" button that keeps working after logout
Issues that don't affect the latest version of modern browsers or platforms
Attacks that require physical access to a user device
Social engineering
Hosting malware/arbitrary content on Zoho and causing downloads
Use of a known-vulnerable library (without evidence of exploitability)
Low-impact descriptive error pages and information disclosures without any sensitive information
Invalid or missing SPF/DKIM/DMARC/BIMI records
Password and account policies, such as (but not limited to) reset link expiration or password complexity
Non-critical issues on blog.zoho.com
CSV injection
Phishing risk via unicode/punycode or RTLO issues
Missing rate limitations on endpoints (without any security concerns)
Presence of EXIF information in file uploads
Ability to upload/download executables
Bypassing pricing/paid feature restrictions
0-day vulnerabilities in any third parties we use within 10 days of their disclosure
Any other issues determined to be of low or negligible security impact

You can still report if you encounter any of the cases in this list that have a significant security impact, and we may acknowledge your contribution in our Hall of Fame.

Exclusions

Missing any best security practice that is not a vulnerability
Issues that don't affect the latest version of applications, modern browsers or platforms
Attacks that require physical access to a user machine/device
Vulnerabilities that resulted from implementation that does not follow our deployment guidelines
Usage of known vulnerable components without actual working exploit
Self XSS
Username or email address enumeration
HTML injection
Open redirection
Logout or unauthenticated CSRF
Missing cookie flags on non sensitive cookies
Missing security headers that don't lead directly to a vulnerability
Unvalidated findings from automated tools or scans
"Back" button that keeps working after logout
Password and account policies, such as (but not limited to) reset link expiration or password complexity
Phishing risk via unicode/punycode or RTLO issues
Missing rate limitations on endpoints (without any security concerns)
Bypassing pricing/paid feature restrictions

The following are some of our intended features or accepted risks (but not limited to), and are not vulnerabilities thus excluded from our program

Applications running as SYSTEM user
Features to execute queries, scripts, workflows by privileged users
Usage of UDP based unauthenticated protocols (can be disabled by the user)

You can still report if you encounter any of the cases in this list that have a significant security impact, and we may acknowledge your contribution in our Hall of Fame.

Bounty Information

We fulfil the bounty payments via
- PayPal (in USD), applicable only for users outside India
- Wire transfer (in INR), applicable only for users in India
- Amazon.com gift card (in USD)
You are responsible for paying any taxes associated with rewards. For Indian recipients, we'll deduct a 7.5% TDS (Tax Deducted at Source) and will pay to your PAN number, which will reflect in your Income Tax form 26AS.
Rewards that go unclaimed after three months will be donated to a charity of Zoho's discretion. The bounty cannot be reclaimed by the awardee after that period.
Individuals who are on sanctions list and who are in countries on a sanctions list are not eligible for rewards.

Contact us

You can reach us by sending an email to security@zohocorp.com. We also welcome your suggestions and feedbacks for improving the program.

Thanks for helping keep Zoho and its users safe!

Bounty Information

We fulfil the bounty payments via
- PayPal (in USD), applicable only for users outside India
- Wire transfer (in INR), applicable only for users in India
- Amazon.com gift card (in USD)
You are responsible for paying any taxes associated with rewards. For Indian recipients, we'll deduct a 7.5% TDS (Tax Deducted at Source) and will pay to your PAN number, which will reflect in your Income Tax form 26AS.
Rewards that go unclaimed after three months will be donated to a charity of ManageEngine's discretion. The bounty cannot be reclaimed by the awardee after that period.
Individuals who are on sanctions list and who are in countries on a sanctions list are not eligible for rewards.

Contact us

You can reach us by sending an email to security@manageengine.com. We also welcome your suggestions and feedbacks for improving the program.

Thanks for helping keep ManageEngine and its users safe!

Note of thanks

We would like to truly thank the people listed in the Hall of Fame for their participation in the program and for making a responsible disclosure of the vulnerabilities.

Hall Of Fame for

Be the first one for this year ! SUBMIT BUG

No Hall of Fame entries this year !

{{user.name}} {{user.name}} {{user.user_contact_info}}