zSecurity Community

Minimum Bounty: $50 Category: Accounts, CMS, Ecommerce, Payments

Overview

zSecurity is a leading provider of ethical hacking and cyber security training. We teach hacking and security to help people test and secure systems against black-hat hackers.


Scope

Currently, only the main zSecurity community website zsecurity.org is included within the scope.

All subdomains of zsecurity.org are also included (*.zsecurity.org).


Important

Do NOT run automated scans with tools like ZAP, Burp Scanner, Acunetix and such. You will not be awarded a bounty if we detect that you used automated tools even if you report a valid bug!


Out of scope

All domains/subdomains/subnets not explicitly stated as in scope are considered out of scope.

The following vulnerabilities are considered out of scope:

  • Social engineering attacks.
  • Brute-force / dictionary attacks.
  • Non-sensitive Clickjacking.
  • Non-sensitive CSRF (login / logout).
  • Vulnerabilities without a POC (Proof of Concept).
  • Physical access dependent attacks.
  • MITM dependent attacks.
  • Best practices in SSL/TLS configuration, implementation, etc.
  • Industry standards and policies.
  • Disruption of the service or the website (for example, DoS attacks, mass scans, etc.).
  • Rate-limiting issues.
  • Automated reports from tools like nmap, Nessus, etc.

Submission

Please ensure the submitted vulnerabilities / bugs are reproducible.

Provide as much information as possible and add screenshots when needed. Clear reports get validated quicker, and therefore you’ll get your bounty faster.


Disclosure

Do not share any information / data related to the tests you carry out without permission from zSecurity.


Bounty Rewards

  • Low      –  $50
  • Medium   –  $200
  • High     –  $600
  • Critical –  $1000

Range Scale

Submitted reports will first be reviewed by a member of the Bug-Bounty.com team to validate them, determine their severity and suggest an appropriate bounty to the program creator. The report will only become visible to the program creator once they reward you. Bug-Bounty.com reserves the right to make the final decision on the severity of the submitted bugs and their worth. To give you an idea, below are some common vulnerabilities and the categories they usually fall under.

Please note this list is not exhaustive. It is up to the reviewer to decide which category the discovered bug falls under. Depending on the actual bug, a low vulnerability can be deemed high and vice versa.

  • Low:
    • Minor information disclosures.
    • Broken session management.
    • Non dangerous CSRF.
    • HTML injection.
    • Open redirect.
    • DOM XSS.


  • Medium:
    • Broken session management.
    • Sensitive information disclosures.
    • Dangerous CSRF.
    • Unvalidated redirects.
    • Reflected XSS.


  • High:
    • Vulnerable authentication.
    • Privilege escalation.
    • Stored XSS.
    • Local file inclusion.


  • Critical:
    • SQL injection.
    • Remote file inclusion.
    • Remote code execution.