Responsible disclosure policy

Zyte values the assistance of security researchers to assist in keeping our systems secure. If you believe you've found a security issue in our product or service, we encourage you to notify us. The responsible disclosure of security vulnerabilities helps us ensure the security and privacy of all our users.

While Zyte does not provide any financial reward for responsibly disclosing vulnerabilities we would like to publicly convey our appreciation to you. With your consent, we will publish your name/handle in our Security Researcher Hall of Fame.

We really appreciate your time and effort in responsibly disclosing a vulnerability.

Disclosure Policy

Please contact bughunt@zyte.com, if you have found any potential vulnerability in our products meeting the criteria mentioned in the policy below;
Our security team will aim to acknowledge your email within 24 hours;
We may take up to 5 days to validate the reported issue;
Actions will be initiated to fix the vulnerability in accordance with our commitment to security and privacy. We will notify you when the issue is fixed;
Research should not violate our Privacy Policy, modify/delete data, or, interrupt or degrade our service;
Only interact with accounts you own or with the explicit permission of the account holder;
Perform research only within the scope set out below;
Documenting or publishing the vulnerability details in the public domain is against our responsible disclosure policy; and
Keep information about any vulnerability confidential until the issue is resolved.

Reporting Guidelines

Please provide the following details on the report

Description and potential impact of the vulnerability;
A detailed description of the steps required to reproduce the vulnerability; and
Where available, a video POC.
Please provide your name/handle and a link for recognition if you would like to be included in our Security Researcher Hall of Fame

Domains in Scope

zyte.com
app.zyte.com
storage.zyte.com

Qualifying Bugs

Remote code execution (RCE)
SQL/XXE Injection and command injection
Cross-Site Scripting (XSS)
Server-side request forgery (SSRF)
Misconfiguration issues on servers and application
Authentication and Authorization related issues
Cross-site request forgeries (CSRF)

Non-Qualifying Bugs

Html injection and Self-XSS
Host header and banner grabbing issues
Automated tool scan reports.Example: Web, SSL/TLS scan, Nmap scan results, etc.,
Missing HTTP security headers and cookie flags on insensitive cookies
Rate limiting, brute force attack
Login/logout CSRF
Session timeout
Unrestricted file upload
Open redirections
Formula/CSV Injection
Vulnerabilities that require physical access to the victim machine.
User enumeration such as User email, User ID, etc.,
Phishing / Spam (including issues related to SPF/DKIM/DMARC)
Vulnerabilities found in third-party services
EXIF data not stripped on images