Vulnerability Disclosure Policy
Introduction
zally is committed to ensuring the security of the information and service we provide. This policy is intended to give security researchers clear guidelines for conducting vulnerability discovery activities and to convey our preferences in how to submit discovered vulnerabilities to us.
We encourage you to contact us to report potential vulnerabilities in our systems.
Authorisation and reward
If you make a good-faith effort to comply with this policy during your security research, we will consider your research to be authorised. We will work with you to understand and resolve the issue quickly.
Due to our limited resources, we can currently only offer kudos: being added to our hall of fame.
Guidelines
Notify us as soon as possible after you discover a real or potential security issue.
Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
Only use exploits to the extent necessary to confirm a vulnerability's presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.
Give us a reasonable amount of time to resolve the issue before you publicly disclose it.
Do not submit a high volume of low-quality reports.
Once you have established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.
Test methods
The following test methods are not authorized:
Network denial of service (DoS or DDoS) tests or other tests that impair access to or damage a system or data
Scope
Our website: https://www.zally.com
Mobile applications: coming soon
Submission
All submissions are to be made to security@zally.com.
We will acknowledge receipt within 2 working days.
Provide the following information in your submission.
Subject:
A clear and concise title that includes the type of vulnerability and the impacted asset.
Email Body:
- Summary: a clear summary of the vulnerability
- Steps to reproduce: a detailed list of the conditions and steps needed to reproduce the vulnerability
- Impact: what the impact would be if the vulnerability were abused by an attacker
- Supporting material: screenshots or a proof-of-concept (PoC) video