Reporting Format

• Send your report to security@zebpay.com.
• Description of the issue, potential impact of the vulnerability along with details of the mobile device (Make and Model) and browser used for the website vulnerability.
• A detailed description of the steps required to reproduce the vulnerability with suitable snapshots and video(s).

Out of Scope

• Any targets besides the ones mentioned above.
• All third party applications used at ZebPay
• The ZebPay static website (www.zebpay.com)

Rules

• Please use your own account for testing or research purposes. Do not attempt to gain access to another user’s account or confidential information.
• Please do not test for spam, social engineering or denial of service issues.
• Your testing must not violate any law, or disrupt or compromise any data that is not your own..
• Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
• Providing us a reasonable amount of time to fix the issue before publishing it elsewhere.
• In order to encourage responsible disclosure, we promise not to bring legal action against researchers who point out a problem provided they do their best to follow the above guidelines.

Qualifying vulnerabilities

Any design or implementation issue that substantially affects the confidentiality or integrity of user data is likely to be in scope for the program. Common examples include:

• Balance Manipulation
• User Account Take over
• Cross-site Scripting (XSS)
• Balance Manipulation
• User Account Take over
• Cross-site Scripting (XSS)
• Cross-Site Request Forgery (CSRF)
• Server-Side Request Forgery (SSRF)
• SQL Injection
• Server-Side Remote Code Execution (RCE)
• XML External Entity Attacks (XXE)
• Access Control Issues (Insecure Direct Object Reference Issues, Privilege Escalation, etc)
• Exposed Administrative Panels that don't require login credentials
• Directory Traversal Issues
• Local File Disclosure (LFD) and Remote File Inclusion (RFI)
• Payments Manipulation
• Server-side code execution
• Other best practices or defence in depth
• Gaining access to any of our servers
• Leakage of PII Information of individual or other users.

Non-Qualifying vulnerabilities

• Social engineering attempts on our staff including phishing emails
• Shared links leaked through the system clipboard.
• Any URIs leaked because a malicious app has permission to view URIs opened
• Absence of certificate pinning
• Absence of Root/Jail-broken Detection
• Absence of code obfuscation
• Sensitive data in URLs/request bodies when protected by TLS
• User data stored unencrypted on external storage and private directory.
• Lack of obfuscation techniques
• Use of outdated software / library versions.
• Application Configuration hard-coded/recoverable in apk
• Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceive (exploiting these for sensitive data leakage is commonly in scope) and due to malformed URL Schemes
• Lack of binary protection control in both application binaries
• Lack of Exploit mitigation i.e., PIE, ARC, or Stack Canaries
• Path disclosure in the binary
• Snapshot/Pasteboard leakage
• Run-time hacking exploits (exploits only possible in a jail-broken/rooted environment)
• Reports from automated tools or scans (without accompanying demonstration of exploitability)
• Bypassing client-side control mechanism through cycript/Frida/Smali debugger are considered to be known vulnerabilities, post-bypass if there is any impact on users account then it will be reviewed by the internal product security team
• Direct result WPScan --enumerate u, without verifying the users.
• Clickjacking is out of scope unless it has an impact on users data.
• Signing up with multiple accounts to abuse invite/promo code usage.
• Invite / Promo code enumeration or collection.

Reward Guidelines

• Every valid security bug qualifies for rewards based on the severity of the identified bug. The severity of the bug, and the corresponding reward depends on the criticality of the issue and will be determined at the sole discretion of our security team. All changes to the code and/or to the configuration ensures an entry to our Hall of Fame. All changes with higher severity levels get further rewarded with a SWAG or cash payouts (as per the below table) of up to $1000 depending on the severity of the bug as well as its immediate effect on the ZebPay infrastructure.

Reward Guidelines

• Confidentiality is very important to us at ZebPay and we will keep all information related to any disclosure, confidential.
• In order to protect customer privacy, ZebPay does request that you not post or share information about a potential and unverified bug / vulnerability on any public platform. In case of any unverified public disclosures, ZebPay reserves the right to initiate legal proceedings against individuals.