This policy applies only to the following:
New or previously unreported vulnerabilities; and
Any other concerns / issues relating to Zappi.
Please do not report the following:
Theoretical exploits with no proof of concept;
Vulnerabilities relating to system capacity, e.g. sending multiple requests that overwhelm the site;
Weaknesses in Transport Layer Security (TLS) configuration; and / or
Areas where our systems may not fully align with "best practice", e.g. email configuration that may be considered suboptimal.
Reporting a security vulnerability
If you believe you have discovered a vulnerability, hacking attempt or any malicious activity, please email email@example.com.
In the email, please include the following details:
Please use the following subject heading for the email: Responsible Disclosure;
The location of the vulnerability, e.g. website / webpage; and
A description of the type and class of vulnerability, e.g. cross-site scripting. At this stage please do not include any details that would allow the issue to be replicated. Zappi will make contact with you to share these details over an encrypted channel.
Before reporting a vulnerability we ask you to read this document carefully to ensure that you understand our Responsible Disclosure Policy and are acting in compliance with it.
Reporting any other issues / potential privacy concerns
If you are aware of any other security or privacy concern relating to Zappi, please email firstname.lastname@example.org.
At Zappi we make every effort to acknowledge and recognize reporters of qualifying vulnerabilities. Unfortunately, at present we do not offer a paid bug bounty program; however, we do strive to offer some form of appreciation to individuals and security researchers who report vulnerabilities in accordance with this policy.
Once you have emailed email@example.com you will receive an email acknowledging your report. Our Information Security Team aims to respond back to you within 24 hours.
When the Information Security Team receives the report, we will work to triage the vulnerability as soon as possible. We will contact you as soon as we can to give feedback on whether the vulnerability has been previously discovered and whether further information and details of the vulnerability will be required from you. Once we have determined the risk classification of the vulnerability, our team will prioritize the vulnerability and address it accordingly.
Once the vulnerability has been resolved / scheduled for resolution we will notify you and ask for confirmation that our identified solution sufficiently covers the vulnerability. During this time we will provide you with an opportunity to give feedback to the team on the vulnerability resolution.
Any information you share with us will be treated in the strictest confidence and will be used to help us improve our offering. We will also offer any reporter of a qualifying vulnerability the opportunity to be included in our acknowledgements page.
Guidance for Responsible Disclosure
Security researchers must not:
Take actions that may result in privacy violations, degradation of user experience, disruption to production systems and services, or destruction of data during security testing;
Access unnecessary amounts of data; in most cases 4 or 5 records are sufficient to demonstrate a vulnerability;
Violate the privacy of Zappi users, employees, contractors or systems;
Knowingly post, transmit, upload, link, send or store malicious software on our platform; and
Communicate any vulnerabilities or associated details via processes or methods that are not specified within this document to third parties.
If at any stage you are unsure whether the actions you are planning to take are acceptable, please contact our security team for guidance at firstname.lastname@example.org.
This policy does not give you permission to act in any manner which is illegal or which will cause Zappi to be in breach of any of its legal obligations, including but not limited to:
The General Data Protection Regulation 2016/679 (GDPR) and the Data Protection Act 2018; and
The Copyright, Designs and Patents Act 1988.
For US-based security researchers and individuals, any actions that are conducted in adherence to this policy will be considered authorized conduct under the Computer Fraud and Abuse Act (CFAA). Similarly, for UK-based security researchers and individuals, any actions that are conducted in adherence to this policy will be considered authorized conduct under the Computer Misuse Act.
We will not seek the prosecution of any security researcher who reports in accordance with this policy and in good faith any security vulnerabilities that are in scope as specified above. In the case of a genuine accidental violation of our Responsible Disclosure Policy, we will also not seek the prosecution of these individuals.
If you would like to provide feedback or suggestions on this policy please contact our security team at email@example.com.