Vulnerability Disclosure Program
Vulnerability Disclosure Program
To protect businesses and organizations worldwide, it is critical that the broader community of IT and security professionals report potential vulnerabilities as soon as they are recognized. This allows industry experts to take appropriate action to resolve any vulnerability that is discovered. If you are aware of a potential security vulnerability with any Zip product or service, we encourage you to contact us immediately at [email protected] . All reported vulnerabilities are investigated by the Zip Cybersecurity team. Throughout the investigation process, Zip Security makes every effort to work collaboratively with the incident reporter to investigate the vulnerability, gather required technical information, and to determine an appropriate action plan.
A security vulnerability is a flaw or weakness in the design, implementation, operation or management or a product or service that could be exploited to compromise the confidentiality, integrity, or availability of data.
The scope covers all software vulnerabilities in services provided by Zip.
- *.quadpay.com (All assets on quadpay.com and subdomains, except services provided by third parties)
- *.zip.co (All assets on zip.co and subdomains, except services provided by third parties)
- *.spotii.com (All assets on spotii.com and subdomains, except services provided by third parties)
- *.twistopay.com (All assets on twistopay.com and subdomains, except services provided by third parties)
- *.getpocketbook.com (All assets on getpocketbook.com and subdomains, except services provided by third parties)
- *.zipmoney.com.au (All assets on zipmoney.com.au and subdomains, except services provided by third parties)
- com.quadpay.android (Android: Play Store QuadPay app)
- com.quadpay.ios (iOS: App Store QuadPay app)
- Social engineering
- Rate Limiting (Non-critical issues)
- Physical security
- Non-security impacting UX issues
- Deprecated Open-Source libraries are not in scope. If you would like to report a vulnerability for one of these libraries, please submit it on GitHub via an issue or pull request.
- Vulnerabilities or weaknesses in third party applications that integrate with Zip
- Ability to abuse existing banking functionality such as ACH or credit card chargebacks
If you feel that a particular asset or activity not mentioned here should be in scope, please submit a report along with a brief description of why you believe that the asset should be covered by this scope.
We reserve our right not to act in case of findings with no real risk impact on our data integrity and security. Any actions that violate applicable terms of service, policies or governing law will be considered as acting in bad faith. We are not obliged to provide remuneration, fee or rewards for any vulnerability disclosure – such action remains in our full discretion.
How to report vulnerability
If you have information about a security issue or vulnerability with a Zip product or service, please send an email to [email protected]. Encrypt sensitive information using Zip's PGP public key.
- Discoverer's contact information:
- Name (either full name or nickname)
- Physical address (with at least state-level accuracy)
- Affiliation / Company
- Email address
- Phone number
- Vulnerability information:
- Detailed description of the vulnerability
- Sample code that was used to create / verify the vulnerability
- Proof-of-Concept web request and response
- Information on known exploits
- URL or link to further information that may help engineering analyze or identify root cause
- Communication plans
- Disclosure plans (dates and venue)
- Permission to be acknowledged as the discoverer in the security bulletin
A member of the Zip Security Team will review your email and contact you to collaborate on resolving the issue.
- Do not cause any harm or act against our terms of or service;
- Comply with applicable laws;
- Do not access, modify, view, destroy, save, or otherwise alter data belonging to anyone other than you. If unintended access to data occurs, immediately cease testing, purge local information, and submit a report immediately.
- Do not compromise the privacy or safety of our customers and the operation of our services. Such activity will be treated as illegal.
Any personal information disclosed will be treated in accordance with Zip's applicable privacy policies.