Security Exploit Bounty Program

Mike Knoop / January 1, 2018

Check out our bug bounty superheroes in the Hall of Fame!

Responsible Disclosure

Security of user data and communication is of utmost importance to Zapier. In pursuit of the best possible security for our service, we welcome responsible disclosure of any vulnerability you find in Zapier. Principles of responsible disclosure include, but are not limited to:

  • Access or expose only customer data that is your own.
  • Do not exfiltrate data from our infrastructure (including source code, data backups, configuration files).
  • If you obtain remote access to our system, report your finding immediately. Do not attempt to pivot to other servers or elevate access.
  • Avoid scanning techniques that are likely to cause degradation of service to other customers (e.g. by overloading the site). This includes the spamming of contact forms, support emails, etc.
  • Keep within the guidelines of our Terms of Service.
  • Keep details of vulnerabilities secret until Zapier has been notified and had a reasonable amount of time to fix the vulnerability.
In order to be eligible for a bounty, your submission must be accepted as valid by Zapier. We use the following guidelines to determine the validity of requests and the reward compensation offered.

Reproducibility

Our engineers must be able to reproduce the security flaw from your report. Reports that are too vague or unclear are not eligible for a reward. Reports that include clearly written explanations and working code are more likely to garner rewards.

Severity

We are interested in security vulnerabilities that can be exploited to gain access to user data. We will qualify and reward a vulnerability only if the bug can be successfully used, by itself or in combination with another vulnerability you report, to access user data that is not yours. General "bugs" are never qualifying vulnerabilities, and anything that is not an exploit is a general "bug". The exploit must rely only on vulnerabilities in Zapier's systems.

Examples of Qualifying Vulnerabilities

  • Authentication flaws
  • Circumvention of our Platform/Privacy permissions model
  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF/XSRF). This excludes logout CSRF.
  • Server-side code execution

Examples of Non-Qualifying Vulnerabilities

  • Failures to adhere to "best practices" (for example, common HTTP headers, link expiration or password policy)
  • Denial of Service vulnerabilities (DoS)
  • The ability to send malicious links to people you know
  • Security bugs in third-party websites that integrate with Zapier
  • Insecure cookies on zapier.com
  • Unbounce subdomain takeover on go.zapier.com
  • Fingerprinting / banner disclosure / server versions on public services
  • Clickjacking reports without a real-world attack scenario that presents a credible impact
  • CSRF on forms that are available to anonymous users (e.g., the contact form) without a real-world attack scenario that presents a credible impact
  • Mixed-content scripts on zapier.com
  • Perceived excessive volumes of sent email (e.g., mail flooding)
  • HTTP 404 codes/pages or other HTTP non-200 codes/pages
  • Reverse tabnabbing
  • Disclosure of known public files or directories (e.g., robots.txt)
  • Username/email enumeration (e.g. login and forgot password page error message)
  • SSL issues (e.g. BEAST, renegotiation, weak ciphers)
  • GitHub wikis
  • Logout CSRF
  • DNSSEC
  • DNS records
  • Not verifying email at signup
  • Vulnerabilities that require a potential victim to install non-standard software or otherwise take active steps that make themselves susceptible
  • Spam or social engineering techniques

Subdomains

Generally speaking, most subdomains are in scope. Specifically excluded are:

  • go.zapier.com
  • platform.zapier.com
  • status.zapier.com
  • opens.zapier.com
  • community.zapier.com

Rewards

Only 1 bounty will be awarded per vulnerability. We will not award bounties for known issues.

If we receive multiple reports for the same vulnerability, only the person offering the first clear report will receive a reward.

We maintain flexibility with our reward system and have no minimum/maximum amount; rewards are based on severity, impact, and report quality.

To receive a reward, you must reside in a country not on sanctions lists (e.g., Cuba, Iran, North Korea, Sudan & Syria). This is a discretionary program and Zapier reserves the right to cancel the program; the decision whether or not to pay a reward is at our discretion.

Rewards are paid through PayPal. PayPal collects a fee for processing the transaction, which is deducted from the amount awarded. **Please note that we are unable to provide rewards via any other method.**

Contact

We've created a guideline for writing great bounty submissions. Please take a moment to read it before submitting. If your submission does not include the minimum items listed in the guide, it will be rejected and you will be asked to resubmit.

Please email us at security@zapier.com with any vulnerability reports or questions about the program. Do not send your bounty submissions to any other Zapier email addresses. Please report each new bug in a separate email thread.

Our usual timelines

  • You will receive an acknowledgement of receipt for the submission as soon as we see it. That is usually on the same day you submit, unless you submit on a weekend, in which case we will reply on Monday.
  • If your submission is a duplicate, a known behaviour that isn't a bug, or otherwise something we know we won't fix, we will typically reply within two days.
  • Triage of an issue is generally completed within 10 days of our acknowledging receipt.
  • Timelines for fixes will vary with the severity of the vulnerability and availability of engineering resources to address it.
  • We do our best to stay within these timelines, but resource availability and other priorities sometimes make us take a bit longer than these. If we are going to take longer, we'll update you and let you know.

Please don't email us repeatedly for a status update. We won't reply to those requests, and will only reply when we have something to tell you. We promise to be in touch as we triage your submissions.