Minimum Bounty: $50 Category: Accounts, Payments

ZSVPN is a VPN service provided by zSecurity. ZSVPN allows us to take another step towards a safer internet that is free from censorship and surveillance. ZSVPN allows users to protect their privacy using our state of the art servers that use unbreakable AES encryption.


Currently, only the main ZSVPN website zsvpn.com is included within the scope. All subdomains of zsvpn.com are included too (*.zsvpn.com).


Do NOT run automated scans with tools like ZAP, Burp Scanner, Acunetix and such. You will not be awarded a bounty if we detect that you used automated tools even if you report a valid bug!

Out of scope

Desktop applications and mobile applications. All domains/subdomains/subnets not explicitly stated as in scope are considered out of scope. The following is also considered out of scope:

  • Social engineering attacks.
  • Brute-force / dictionary attacks.
  • Non-sensitive Clickjacking.
  • Non-sensitive CSRF (such as login / logout).
  • Vulnerabilities without a POC (Proof of Concept).
  • Physical access dependent attacks.
  • MITM dependent attacks.
  • Best practices in SSL/TLS configuration, implementations, etc.
  • Industry standards and policies.
  • Disruption of the VPN service or of the website (for example, DoS attacks, mass scans, etc.).
  • Rate-limiting issues.
  • Automated reports from tools like nmap, Nessus, etc.


Please ensure the submitted vulnerabilities / bugs are reproducible. Provide as much information as possible and add screenshots when needed. Clear reports get validated quicker, and therefore you’ll get your bounty faster.


Do not share any information / data related to the tests you carry out without permission from ZSVPN.

Bounty Rewards

  • Low – $50
  • Medium – $200
  • High – $600
  • Critical – $1000

Range Scale

Submitted reports will first be reviewed by a member of the Bug-Bounty.com team to validate them, determine their severity and suggest an appropriate bounty to the program creator. The report will only become visible to the program creator once they reward you. Bug-Bounty.com reserves the right to make the final decision on the severity of the submitted bugs and their worth. To give you an idea, below are some common vulnerabilities and the categories they usually fall under.

Please note this list is not exhaustive. It is up to the reviewer to decide the category the discovered bug falls under. Depending on the actual bug a low vulnerability can be deemed high and vice versa.

  • Low:
    • Minor information disclosures.
    • Broken session management.
    • Non dangerous CSRF.
    • HTML injection.
    • Open redirect.
    • DOM XSS.


  • Medium:
    • Broken session management.
    • Sensitive information disclosures.
    • Dangerous CSRF.
    • Unvalidated redirects.
    • Reflected XSS.


  • High:
    • Vulnerable authentication.
    • Privilege escalation.
    • Stored XSS.
    • Local file inclusion.


  • Critical:
    • SQL injection.
    • Remote file inclusion.
    • Remote code execution.