Responsible Disclosure Policy

At Zepto, we take the security of our systems seriously, and it is our constant endeavor to make our website a safe place for our customers to browse. However, in the rare case when a security researcher or member of the general public identifies a vulnerability in our systems and responsibly shares the details of it with us, we appreciate their contribution, work closely with them to address such vulnerabilities with urgency, and, if they want, publicly acknowledge their contribution. Zepto reserves the right to determine whether a report is valid on the basis of the impact of the vulnerability.

To be eligible for recognition, you must

Types of Recognition

Rules of Engagement

You give us reasonable time to investigate and mitigate a vulnerability that you report.

Please refrain from accessing sensitive information (by using a test account and/or system), performing actions that may negatively affect other Zepto users (denial of service), or sending reports from automated tools.

You do not exploit a security vulnerability that you discover for any reason. (This includes demonstrating additional risk, such as attempted compromise of sensitive company data or probing for additional issues.)

You do not violate any laws or breach any agreements in order to discover vulnerabilities.

You do not publicly disclose details of a security vulnerability that you've reported without Zepto's permission.

Programme terms

We recognise security researchers who help us to keep users safe by reporting vulnerabilities in our services. Recognition for such reports is entirely at Zepto’s discretion, based on risk, impact and other factors. For recognition in Zepto’s Hall of Fame, you first need to meet the following requirements:

In turn, we will follow these guidelines when evaluating reports under our responsible disclosure programme:

Note that your use of Zepto services, including for the purposes of this programme, is subject to Zepto’s Terms and Policies. We may retain any communications about security vulnerabilities that you report for as long as we deem necessary for programme purposes, and we may cancel or modify this programme at any time.


How to Report a Vulnerability?

If you happen to have identified a vulnerability on any of our web or mobile app properties, we request you to follow the steps outlined below:

Report a Vulnerability

Send an email to

Qualifying Vulnerabilities

Any design or implementation issue that is reproducible and substantially affects the security of Zepto users is likely to be in scope for the programme. Common examples include:


The following bugs are unlikely to be eligible:


We do not have a bounty/cash reward program for such disclosures, but we express our gratitude for your contribution in different ways. For genuine ethical disclosures, we would be glad to publicly acknowledge your contribution in this section on our website. Of course, this will be done if you want a public acknowledgement.