Responsible disclosure policy

Zyte values the assistance of security researchers to assist in keeping our systems secure. If you believe you've found a security issue in our product or service, we encourage you to notify us. The responsible disclosure of security vulnerabilities helps us ensure the security and privacy of all our users.

While Zyte does not provide any financial reward for responsibly disclosing vulnerabilities we would like to publicly convey our appreciation to you. With your consent, we will publish your name/handle in our Security Researcher Hall of Fame.

We really appreciate your time and effort in responsibly disclosing a vulnerability.

Disclosure Policy

  • Please contact bughunt@zyte.com, if you have found any potential vulnerability in our products meeting the criteria mentioned in the policy below;
  • Our security team will aim to acknowledge your email within 24 hours;
  • We may take up to 5 days to validate the reported issue;
  • Actions will be initiated to fix the vulnerability in accordance with our commitment to security and privacy. We will notify you when the issue is fixed;
  • Research should not violate our Privacy Policy, modify/delete data, or, interrupt or degrade our service;
  • Only interact with accounts you own or with the explicit permission of the account holder;
  • Perform research only within the scope set out below;
  • Documenting or publishing the vulnerability details in the public domain is against our responsible disclosure policy; and
  • Keep information about any vulnerability confidential until the issue is resolved.

Reporting Guidelines

Please provide the following details on the report

  • Description and potential impact of the vulnerability;
  • A detailed description of the steps required to reproduce the vulnerability; and
  • Where available, a video POC.
  • Please provide your name/handle and a link for recognition if you would like to be included in our Security Researcher Hall of Fame

Domains in Scope

  • zyte.com
  • app.zyte.com
  • storage.zyte.com

Qualifying Bugs

  • Remote code execution (RCE)
  • SQL/XXE Injection and command injection
  • Cross-Site Scripting (XSS)
  • Server-side request forgery (SSRF)
  • Misconfiguration issues on servers and application
  • Authentication and Authorization related issues
  • Cross-site request forgeries (CSRF)

Non-Qualifying Bugs

  • Html injection and Self-XSS
  • Host header and banner grabbing issues
  • Automated tool scan reports.Example: Web, SSL/TLS scan, Nmap scan results, etc.,
  • Missing HTTP security headers and cookie flags on insensitive cookies
  • Rate limiting, brute force attack
  • Login/logout CSRF
  • Session timeout
  • Unrestricted file upload
  • Open redirections
  • Formula/CSV Injection
  • Vulnerabilities that require physical access to the victim machine.
  • User enumeration such as User email, User ID, etc.,
  • Phishing / Spam (including issues related to SPF/DKIM/DMARC)
  • Vulnerabilities found in third-party services
  • EXIF data not stripped on images

Exclusions

While researching, we'd like to ask you to refrain from:

  • Denial of service
  • Spamming
  • Social engineering (including phishing) of Zyte staff or contractors
  • Any physical attempts against Zyte property or data centers

Thank you for helping keep Zyte and our users safe!

Hall of Fame

2023

Faizan Ahmed linkedin.com/in/faizan-ahmed-830444236

2020

xyele - github.com/xyele
Steffin Stanly - twitter.com/SteffinStanly
Teena Vijay

Gaurang maheta https://www.linkedin.com/in/gaurang-mehta-35515a162