Program rules

  • Always use accounts, email addresses and phone numbers that you own for testing our products, and only interact with accounts you own.
  • Do not try to gain access to accounts or any data that is not yours.
  • Contact us immediately if you do inadvertently encounter user data that is not yours. Do not view, alter, save, store, transfer, or otherwise access the data, and immediately securely delete any local information upon reporting the vulnerability to Zoho.
  • Report the vulnerability upon discovery or as soon as is feasible.
  • Do not perform any activity that would be disruptive, damaging or harmful to Zoho or its users.
  • Give us a reasonable time to respond to the issue before making any information about it public; do not disclose the details of the issue publicly before they have been resolved.
  • Do not contact any of our Zoho product support handles or email addresses about the status or decision of a bug report.
  • Do not violate any criminal law or other applicable laws.
  • We will not pursue a civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy.

  • Failure to comply with the program rules will result in immediate disqualification from the Zoho Bug Bounty Program and forfeiture of any pending bounty payments.

  • Please note that we only reward the first reporter of a vulnerability. Vulnerabilities are rewarded only if the minimum severity threshold is met, and rewards are granted entirely at the discretion of Zoho.

  • There are special cases where a vulnerability may be present in multiple places due to our products sharing the same code base, framework or a deployment instance. Authorization for multiple methods (like create, edit, and delete) could be handled at a single place. In such situations, only one reward will be applicable.

  • Zoho employees and their family members are excluded from this bug bounty program.

Program rules

  • Always use your own setup environments, accounts, email addresses and phone numbers, and only interact with accounts and setups you own.
  • Do not try to gain access to setups/accounts or any data that is not yours.
  • Report the vulnerability upon discovery or as soon as is feasible.
  • Do not perform any activity that would be disruptive, damaging or harmful to ManageEngine or its users.
  • Give us a reasonable time to respond to the issue; you are required to keep the bug information private for 30 days from the date of patch release, to provide our customers ample time to upgrade their setups.
  • Do not perform social engineering attacks or physical attacks on our customers' or our infrastructure / facilities.
  • Do not contact any of our product support handles or email addresses about the status or decision of a bug report.
  • Do not violate any criminal law or other applicable laws.
  • We will not pursue a civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy.

  • Failure to comply with the program rules will result in immediate disqualification from the ManageEngine Bug Bounty Program and forfeiture of any pending bounty payments.

  • Please note that we only reward the first reporter of a vulnerability. Vulnerabilities are rewarded only if the minimum severity threshold is met, and rewards are granted entirely at the discretion of ManageEngine.

  • There are special cases where a vulnerability may be present in multiple places due to our products sharing the same code base, framework or a deployment instance. Authorization for multiple methods (like create, edit, and delete) could be handled at a single place. In such situations, only one reward will be applicable.

  • ManageEngine employees and their family members are excluded from this bug bounty program.

Reporting a vulnerability

  • All reports must include a concise proof-of-concept (PoC) and clear reproduction steps. Reports with only a PoC video and no textual description may be ineligible for a reward.

  • Our team will try to triage all reports within 3 days of submission; the priority of remediation is assessed by severity, scenario and exploit complexity. We will notify you when the reported vulnerability is remediated, and you may confirm that the solution covers the vulnerability adequately.

Reporting a vulnerability

  • All reports must include a concise proof-of-concept (PoC) and clear reproduction steps. Reports with only a PoC video and no textual description may be ineligible for a reward.

  • Our team will try to triage all reports within 5 days of submission; the priority of remediation is assessed by severity, scenario and exploit complexity. We will notify you when the reported vulnerability is remediated, and you may confirm that the solution covers the vulnerability adequately.

Scope

  • All Zoho branded products and applications listed at zoho.com.
  • All Zoho branded mobile apps.
  • All Zoho branded client side applications.

Scope

  • All ManageEngine branded on-premise products listed at manageengine.com.
  • All ManageEngine branded mobile apps.

  • Note: ServiceDesk Plus MSP and SupportCenter Plus are temporarily excluded from the scope.

Range

Severity        Low    Medium   High    Critical
Bounty (Up to)  $50    $200     $600    $1500

Range

Severity        Low    Medium   High    Critical
Bounty (Up to)  $50    $200     $600    $1000

Exclusions

  • Missing any best security practice that is not a vulnerability
  • Self XSS
  • Username or email address enumeration
  • Email bombing
  • HTML injection
  • XSS vulnerabilities on sandbox aka user-content domains
  • Unvalidated aka Open redirects or Tabnabbing
  • Clickjacking in unauthenticated pages or in pages with no significant state-changing action
  • Logout or unauthenticated CSRF
  • Missing cookie flags on non sensitive cookies
  • Missing security headers which do not lead directly to a vulnerability
  • Unvalidated findings from automated tools or scans
  • "Back" button that keeps working after logout
  • Issues that do not affect the latest version of modern browsers or platforms
  • Attacks that require physical access to a user device
  • Social engineering
  • Hosting malware/arbitrary content on Zoho and causing downloads
  • Use of a known-vulnerable library (without evidence of exploitability)
  • Low impact descriptive error pages and information disclosures without any sensitive information
  • Invalid or missing SPF/DKIM/DMARC/BIMI records
  • Password and account policies, such as (but not limited to) reset link expiration or password complexity
  • Non critical issues in blog.zoho.com
  • CSV injection
  • Phishing risk via unicode/punycode or RTLO issues
  • Missing rate limitations on endpoints (without any security concerns)
  • Presence of EXIF information in file uploads
  • Ability to upload/download executables
  • Bypassing pricing/paid feature restrictions
  • 0-day vulnerabilities in any third parties we use within 10 days of their disclosure
  • Any other issues determined to be of low or negligible security impact

  • You can still report any of the cases in this list if it has a significant security impact, and we may acknowledge your contribution in our Hall of Fame.

Exclusions

  • Missing any best security practice that is not a vulnerability
  • Issues that do not affect the latest version of applications, modern browsers or platforms
  • Attacks that require physical access to a user machine/device
  • Vulnerabilities that resulted from implementation that does not follow our deployment guidelines
  • Usage of known vulnerable components without actual working exploit
  • Self XSS
  • Username or email address enumeration
  • HTML injection
  • Open redirection
  • Logout or unauthenticated CSRF
  • Missing cookie flags on non sensitive cookies
  • Missing security headers which do not lead directly to a vulnerability
  • Unvalidated findings from automated tools or scans
  • "Back" button that keeps working after logout
  • Password and account policies, such as (but not limited to) reset link expiration or password complexity
  • Phishing risk via unicode/punycode or RTLO issues
  • Missing rate limitations on endpoints (without any security concerns)
  • Bypassing pricing/paid feature restrictions

  • The following (among others) are intended features or accepted risks; they are not vulnerabilities and are therefore excluded from our program:
    • Applications running as the SYSTEM user
    • Features that let privileged users execute queries, scripts and workflows
    • Usage of UDP-based unauthenticated protocols (can be disabled by the user)

  • You can still report any of the cases in this list if it has a significant security impact, and we may acknowledge your contribution in our Hall of Fame.

Bounty Information

  • We fulfil the bounty payments via
    • PayPal (in USD), applicable only for users outside India
    • Wire transfer (in INR), applicable only for users in India
    • Amazon.com gift card (in USD)
  • You are responsible for paying any taxes associated with rewards. For Indian recipients, we will deduct 7.5% TDS (Tax Deducted at Source), credited against your PAN number, which will reflect in your Income Tax form 26AS.
  • If you choose to donate the bounty to a recognized charity, we will match your donation, so that the charity gets double the bounty amount.
  • Rewards that go unclaimed after 3 months will be donated to a charity of Zoho's discretion. The bounty cannot be reclaimed by the awardee after that period.
  • Individuals who are on a sanctions list, or who are in countries on a sanctions list, are not eligible for rewards.

Feedback

  • If you have suggestions for improving this program, please let us know at security@zohocorp.com.

Thanks for helping keep Zoho and its users safe!

Bounty Information

  • We fulfil the bounty payments via
    • PayPal (in USD), applicable only for users outside India
    • Wire transfer (in INR), applicable only for users in India
    • Amazon.com gift card (in USD)
  • You are responsible for paying any taxes associated with rewards. For Indian recipients, we will deduct 7.5% TDS (Tax Deducted at Source), credited against your PAN number, which will reflect in your Income Tax form 26AS.
  • If you choose to donate the bounty to a recognized charity, we will match your donation, so that the charity gets double the bounty amount.
  • Rewards that go unclaimed after 3 months will be donated to a charity of ManageEngine's discretion. The bounty cannot be reclaimed by the awardee after that period.
  • Individuals who are on a sanctions list, or who are in countries on a sanctions list, are not eligible for rewards.

Feedback

  • If you have suggestions for improving this program, please let us know at security@manageengine.com.

Thanks for helping keep ManageEngine and its users safe!

Note of thanks

We would like to sincerely thank the people listed in the Hall of Fame for their participation in the program and for responsibly disclosing the vulnerabilities they found.

Hall Of Fame for