Zolostays Bug Bounty Program

Zolo Engineers Work hard to make our products safe for our customers. We Invite reports from independent security researchers about possible security vulnerabilities with our products

Bug bounty program is paused from Dec 1, 2021 to Feb 28, 2022. Please check this page for any future updates

Guidelines for submitting the vulnerabilities

Don’t attempt to gain access to another user’s account or data.
Don’t perform any attack that could harm the reliability/integrity of our services or data.
DDoS/spam attacks are not allowed.
Don’t publicly disclose a bug before it has been fixed.
Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
Please submit bugs with POC to email address[email protected]

Hall of Fame

Mohith Kalyan
Sudhanshu Chauhan
Tinu Tomy
Vishal Yadav
Mansouri Badis
Saikat Banerjee
Shahrukh Iqbal Mirza
Devender Rao
Akhil Jain
Erik
Sai Ram Ganji
Chakka Sai Teja
Anurag Verma
Mohith Kalyan
Sudhanshu Chauhan
Tinu Tomy
Vishal Yadav
Mansouri Badis
Saikat Banerjee
Shahrukh Iqbal Mirza
Devender Rao
Akhil Jain
Erik
Sai Ram Ganji
Chakka Sai Teja
Anurag Verma

Eligibility for the reward

The security bug must be original and previously unreported.
You must not be an employee, contractor, or otherwise, have a business relationship with Zolo
We should be able to reproduce the bug.
It is entirely at our discretion to decide whether a bug is significant enough to be eligible for a reward.

Vulnerabilities eligible

Cross-Site Request Forgery (CSRF)
Cross-Site Scripting (XSS)
Code Executions
SQL injections
Server Side Request Forgery (SSRF)
Privilege Escalations
Authentication Bypasses
File inclusions (Local & Remote)
Protection Mechanism bypasses (CSRF bypass, etc.)
Leakage of sensitive data
Directory Traversal
Payment manipulation
Administration portals without an authentication mechanism
Open redirects which allow stealing tokens/secrets

Vulnerabilities not eligible

Clickjacking
Application stack traces (Path disclosures, etc.)
Self-type Cross Site Scripting / Self-XSS
Vulnerabilities that require Man in the Middle (MiTM) attacks
Denial of Service attacks
CSRF issues on actions with minimal impact
Cache Poisoning
Missing SPF records
Brute force attacks
zolo_logo
Corporate Office
No. 1190, 22nd Cross,
HSR Layout, Sector 3
Bangalore, Karnataka
India - 560102
Contact Us
phone_icon
+91 88801 08010
Stay In Touch
FBYouTubeLinkedInInstagram