Zoviz.com Vulnerability Disclosure & Bug Bounty Policy

At Zoviz, we take the security of our users and platform seriously. We welcome security researchers to responsibly disclose vulnerabilities they discover, so we can keep our services safe and reliable.

We value the contributions of the security community and offer monetary rewards for valid, impactful findings.

Scope

  • All publicly accessible assets under zoviz.com and its subdomains are in scope, unless explicitly excluded.
  • Out-of-scope: third-party services we rely on (unless you can demonstrate direct security impact on Zoviz users or data).

Rules of Engagement

  • Only test accounts you own. Do not attempt to access other users’ data.
  • No denial-of-service, spam, or actions that degrade service availability.
  • Social engineering of Zoviz staff or users is prohibited.
  • Give us reasonable time to fix issues before public disclosure.
  • Safe Harbor: If you follow these rules, we will not pursue legal action against good-faith research.

Reward Policy

We pay bounties based on severity, using CVSS v3.1 as a guide and Bugcrowd’s Vulnerability Rating Taxonomy (VRT) for classification. Rewards are paid once a report is validated and fixed. Duplicate reports, out-of-scope findings, and issues without demonstrable security impact are not eligible.

Bounty Table

| Severity      | Typical Impact Examples                                                                                                                                                                                               | CVSS (guide) | Reward Range               |
|---------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------|----------------------------|
| Critical      | Auth bypass; direct data exfiltration; RCE (Remote Code Execution); full account takeover without user action.                                                                                                        | 9.0–10.0     | $700 – $1,000              |
| High          | Stored XSS (Cross-Site Scripting) with session theft; SSRF (Server-Side Request Forgery) accessing sensitive internal services; privilege escalation; significant IDOR (Insecure Direct Object Reference) leading to sensitive data. | 7.0–8.9      | $350 – $700                |
| Medium        | Reflected XSS requiring user action; limited IDOR; CSRF (Cross-Site Request Forgery) with meaningful state change; moderate info exposure.                                                                            | 4.0–6.9      | $150 – $350                |
| Low           | Minor misconfigurations; clickjacking with low impact; open redirect without sensitive impact.                                                                                                                        | 0.1–3.9      | $50 – $150                 |
| Informational | Non-exploitable findings; missing security headers without proven impact.                                                                                                                                             | n/a          | $0 (acknowledgement only)  |

Notes & Adjustments

  • The exact bounty within a range depends on impact, report quality, and clarity of proof-of-concept.
  • Higher payouts are awarded for broad impact or particularly clear and well-documented reports.
  • We reserve the right to adjust severity after investigation, to reflect the true impact on our platform.

How to Report

Please send your findings to [email protected] with a detailed description and steps to reproduce. If possible, include screenshots, PoC code, or videos to help us validate quickly.

© Zoviz. Thank you for helping keep our users safe.