Zyte is committed to maintaining the security and integrity of our products and services. We value the contributions of security researchers and the broader security community in helping us achieve this goal.
If you believe you have identified a potential security vulnerability in any Zyte product or service, we encourage you to report it to us promptly. Responsible disclosure enables us to investigate, remediate, and protect our users and their data in a timely manner.
At this time, Zyte does not offer financial rewards for the disclosure of security vulnerabilities. However, we are grateful for the efforts of those who help improve our security posture. With your permission, we would be pleased to acknowledge your contribution publicly by listing your name or handle in our Security Researcher Hall of Fame.
We sincerely appreciate your time, expertise, and commitment to responsible vulnerability disclosure.
Remote code execution (RCE)
SQL/XXE Injection and command injection
Cross-Site Scripting (XSS)
Server-side request forgery (SSRF)
Misconfiguration issues on servers and applications
Authentication and Authorization related issues
Cross-site request forgeries (CSRF)
HTML injection and Self-XSS
Host header and banner grabbing issues
Automated tool scan reports. Example: Web, SSL/TLS scan, Nmap scan results, etc.
Missing HTTP security headers and cookie flags on insensitive cookies
Rate limiting, brute force attack
Login/logout CSRF
Session timeout
Unrestricted file upload
Open redirections
Formula/CSV Injection
Vulnerabilities that require physical access to the victim machine.
User enumeration such as user email, user ID, etc.
Phishing / Spam (including issues related to SPF/DKIM/DMARC)
Vulnerabilities found in third-party services
EXIF data not stripped on images
The following domains are in scope for Zyte’s bug bounty program.
Security research and responsible disclosure efforts should be focused on these properties.
Please review the list below to ensure your testing activity targets eligible assets only.
zyte.com
app.zyte.com
storage.zyte.com

Our security team will aim to acknowledge your email within 24 hours;
We may take up to 5 days to validate the reported issue;
Actions will be initiated to fix the vulnerability in accordance with our commitment to security and privacy. We will notify you when the issue is fixed;
Research should not violate our Privacy Policy, modify/delete data, or interrupt or degrade our service;
Only interact with accounts you own or with the explicit permission of the account holder;
Perform research only within the scope set out below;
Documenting or publishing the vulnerability details in the public domain is against our responsible disclosure policy; and
Keep information about any vulnerability confidential until the issue is resolved.

Please provide the following details in the report:
Vulnerability overview
Description and potential impact of the vulnerability;
Reproduction steps and proof of concept
A detailed description of the steps required to reproduce the vulnerability; and where available, a video POC.
Researcher recognition details
Please provide your name/handle and a link for recognition if you would like to be included in our Security Researcher Hall of Fame.
A spotlight honouring the security researchers whose responsible disclosures helped make Zyte safer.