Security Exploit Bounty Program

Mike Knoop
Mike Knoop / January 1, 2018

Closure of Public Bounty Program

As of 20 January 2022 we have closed our public bounty program in favour of a managed program through HackerOne. While our HackerOne program is not currently public, we still welcome submissions from security researchers! Please use the form linked below to submit through HackerOne.

Please do not submit bounty reports by email. We are no longer accepting submissions in this way and you will be directed to use the form instead.

Details of our program are still available below.

Go to the HackerOne Submission Form

Responsible Disclosure

Security of user data and communication is of utmost importance to Zapier. In pursuit of the best possible security for our service, we welcome responsible disclosure of any vulnerability you find in Zapier. Principles of responsible disclosure include, but are not limited to:

  • Access or expose only customer data that is your own.
  • Do not exfiltrate data from our infrastructure (including source code, data backups, configuration files).
  • If you obtain remote access to our system, report your finding immediately. Do not attempt to pivot to other servers or elevate access.
  • Avoid scanning techniques that are likely to cause degradation of service to other customers (e.g. by overloading the site). This includes the spamming of contact forms, support emails, etc.
  • Keep within the guidelines of our Terms of Service.
  • Keep details of vulnerabilities secret until Zapier has been notified and had a reasonable amount of time to fix the vulnerability.
  • In order to be eligible for a bounty, your submission must be accepted as valid by Zapier. We use the following guidelines to determine the validity of requests and the reward compensation offered.

Reproducibility

Our engineers must be able to reproduce the security flaw from your report. Reports that are too vague or unclear are not eligible for a reward. Reports that include clearly written explanations and working code are more likely to garner rewards.

Subdomains

Generally speaking, most subdomains are in scope. Specifically excluded are:

  • go.zapier.com
  • platform.zapier.com
  • status.zapier.com
  • opens.zapier.com
  • community.zapier.com

Severity

We are interested in security vulnerabilities that can be exploited to gain access to user data. We will only qualify and reward a vulnerability if and only if the bug can be successfully used by itself or in combination with another vulnerability you report to access user data that is not yours. General "bugs" are never qualifying vulnerabilities, and anything that is not an exploit is a general "bug". The exploit must rely only on vulnerabilities of Zapier's systems.

High and Critical Vulnerabilities

Subject to out of scopes below, we generally consider valid exploits of these types to be high or critical: * Cross-site scripting (XSS) * Cross-site request forgery (CSRF) * Server-side request forgery (SSRF) * SQL injection * Remote code execution (RCE) * XML external entity attacks (XXE) * Access control issues (Insecure Direct Object Reference, etc.) * Directory traversal issues * User sensitive information leakage

Out of Scope Findings

  • Information leakage that cannot be used to make a direct attack, like server IP, server version, path, error message, internal IP, etc.
  • PII - do not collect any personally identifiable information - including credit card information, addresses and phone numbers from other customers.
  • Reports from automated tools or scans that are not validated
  • Attacks against Zapier infrastructure
  • Social engineering and physical attacks
  • Distributed Denial of Service attacks that require large volumes of data.
  • 0-day vulnerabilities less than 60 days from patch release are ineligible for bounty.
  • Provisioning and/or usability issues.
  • Violations of licenses or other restrictions applicable to any vendor's product.
  • Security vulnerabilities in third-party products or websites that are not under Zapier’s direct control.
  • Fingerprinting / banner disclosure / server versions on public services
  • "Self" XSS
  • Not verifying email at signup
  • DNSSEC
  • Unchained open redirects
  • Content Spoofing
  • Missing cookie flags
  • SSL/TLS best practices
  • Mixed content warnings
  • Clickjacking/UI redressing without proof of exploitability
  • Highly speculative reports about theoretical damage
  • Feedback, comment, message, etc. flooding
  • SMS/Email flooding for some of our business
  • Disclosure of known public files or directories, (e.g., robots.txt)
  • Use of known-vulnerable library without proof of exploitability
  • CSRF on forms that are available to anonymous users (e.g., the contact form) without proof of exploitability
  • Login/logout/unauthenticated/low-impact CSRF
  • Incomplete/Missing SPF/DKIM
  • Attacks requiring MITM or physical access to a user's device
  • Issues related to networking protocols or industry standards
  • Reports that affect only outdated user agents or app versions
  • Failures to adhere to "best practices" (for example, common HTTP headers, link expiration or password policy) without proof of exploitability

Rewards

Only 1 bounty will be awarded per vulnerability. We will not award bounties for known issues.

If we receive multiple reports for the same vulnerability, only the person offering the first clear report will receive a reward.

To receive a reward, you must reside in a country not on sanctions lists

Rewards are paid by HackerOne, refer to their FAQ for details.