
Author Topic: Zopim Bug Bounty  (Read 12825 times)

Angelina

  • Moderator
  • Experienced Member
  • Posts: 357
Zopim Bug Bounty
« on: May 08, 2023, 07:16:43 pm »
submit bug report: https://www.zopim.com

BUG BOUNTY POLICY
Capitalized terms used in this Bug Bounty Policy and not otherwise defined have the meaning ascribed to such terms in our Master Subscription Agreement.
Zopim aims to keep its Service safe for everyone, and data security is of utmost priority. If you are a security researcher and have discovered a security vulnerability in the Service, we appreciate your help in disclosing it to us privately and giving us an opportunity to fix it before publishing technical details.
Zopim will engage with security researchers when vulnerabilities are reported to us as described here. We will validate, respond, and fix vulnerabilities in support of our commitment to security and privacy. We won’t take legal action against, suspend, or terminate access to the Service of those who discover and report security vulnerabilities responsibly. Zopim reserves all of its legal rights in the event of any noncompliance.
Reporting
Share the details of any suspected vulnerabilities with the Zendesk Security Team by filing a report. Please do not publicly disclose these details outside of this process without explicit permission. In reporting any suspected vulnerabilities, please include the following information:
Vulnerable URL - the endpoint where the vulnerability occurs;
Vulnerable Parameter - if applicable, the parameter where the vulnerability occurs;
Vulnerability Type - the type of the vulnerability;
Steps to Reproduce - step-by-step information on how to reproduce the issue;
Screenshots or Video - a demonstration of the attack; and
Attack Scenario - an example attack scenario may help demonstrate the risk and get your issue resolved faster.
Reports that carry an acceptable risk but demonstrate a valid security-related behavior will be closed as informative. Submissions that don’t present a security risk, are false positives, or are out of scope will be closed as N/A. (Please note that the scope is outlined below.)
Identical reports will be marked as “Duplicate” of the original submission; the original report can be marked as (but not limited to) “Triaged”, “N/A”, or “Informative.”
More information on a proper submission, report states, and acceptable reporting behavior can be found in the linked HackerOne articles.
Testing Exclusion
In no event are you permitted to access, download or modify data residing in any other Account, or one that is not registered to you.
You are also prohibited from:
Executing or attempting to execute any “Denial of Service” attack.
Knowingly posting, transmitting, uploading, linking to, sending or storing any Malicious Software.
Attempting to social engineer support staff.
Testing in a manner that would result in the sending of unsolicited or unauthorized junk mail, spam, pyramid schemes or other forms of duplicative or unsolicited messages.
Testing in a manner that would degrade the operation of the Service.
Testing or otherwise accessing or using the Service from any jurisdiction that is a Prohibited Jurisdiction.
Testing third party applications or websites or services that integrate with or link to the Service.
Bounty Ineligible Issues
The following items are known issues or accepted risks where we will not reward you:
Brute-force, rate-limiting, velocity throttling, and other denial of service based issues.
Clickjacking.
Content spoofing issues without branding CSS.
Cookie flags.
Covert Redirects.
Issues where the fix only requires a text change.
Login/Logout CSRF.
Malicious attachments on file uploads or attachments.
Missing additional security controls, such as HSTS or CSP headers.
Mobile issues that require a Rooted or Jailbroken device.
Password recovery policies, such as reset link expiration or password complexity.
Reflected File Download (this may be rewarded in the future, but is currently out of scope).
SPF, DKIM, DMARC issues.
XSS (or a behavior) where you can only attack yourself.
XSS on pages where admins are intentionally given full HTML editing capabilities, such as custom theme editing.

Our Commitment
If you identify a verified security vulnerability in compliance with this Bug Bounty Policy, Zopim commits to:
Acknowledge receipt of your vulnerability report in a timely manner;
Notify you when the vulnerability is fixed; and
Publicly thank you for your responsible disclosure and helping us keep our customers safe.
Scope
You may test only against a Zopim Account for which you are the Account Owner or an Agent authorized by the Account Owner to conduct such testing. The following Zopim applications are in-scope:
*.zopim.com
Zopim mobile applications on Android and iOS