Vulnerability Disclosure Program

Overview

To protect businesses and organizations worldwide, it is critical that the broader community of IT and security professionals report potential vulnerabilities as soon as they are recognized. This allows industry experts to take appropriate action to resolve any vulnerability that is discovered. If you are aware of a potential security vulnerability with any Zip product or service, we encourage you to contact us immediately at [email protected]. All reported vulnerabilities are investigated by the Zip Cybersecurity team. Throughout the investigation process, Zip Security makes every effort to work collaboratively with the incident reporter to investigate the vulnerability, gather required technical information, and determine an appropriate action plan.

A security vulnerability is a flaw or weakness in the design, implementation, operation or management of a product or service that could be exploited to compromise the confidentiality, integrity, or availability of data.

Scope

The scope covers all software vulnerabilities in services provided by Zip.

Specific domains hosting Zip services are provided below:
  • *.quadpay.com (All assets on quadpay.com and subdomains, except services provided by third parties)
  • *.zip.co (All assets on zip.co and subdomains, except services provided by third parties)
  • *.spotii.com (All assets on spotii.com and subdomains, except services provided by third parties)
  • *.twistopay.com (All assets on twistopay.com and subdomains, except services provided by third parties)
  • *.getpocketbook.com (All assets on getpocketbook.com and subdomains, except services provided by third parties)
  • *.zipmoney.com.au (All assets on zipmoney.com.au and subdomains, except services provided by third parties)
  • com.quadpay.android (Android: Play Store QuadPay app)
  • com.quadpay.ios (iOS: App Store QuadPay app)
All vulnerabilities that require or are related to the following are out of scope:
  • Social engineering
  • Rate Limiting (Non-critical issues)
  • Physical security
  • Non-security impacting UX issues
  • Deprecated Open-Source libraries are not in scope. If you would like to report a vulnerability for one of these libraries, please submit it on GitHub via an issue or pull request.
  • Vulnerabilities or weaknesses in third party applications that integrate with Zip
  • Ability to abuse existing banking functionality such as ACH or credit card chargebacks

If you feel that a particular asset or activity not mentioned here should be in scope, please submit a report along with a brief description of why you believe that the asset should be covered by this scope.

We reserve the right not to act on findings with no real risk impact on our data integrity and security. Any actions that violate applicable terms of service, policies or governing law will be considered as acting in bad faith. We are not obliged to provide remuneration, fees or rewards for any vulnerability disclosure – any such action remains at our full discretion.

How to report a vulnerability

If you have information about a security issue or vulnerability with a Zip product or service, please send an email to [email protected]. Encrypt sensitive information using Zip's PGP public key.

Zip Security PGP Public Key.

Please provide as much information as possible, including:
  • Discoverer's contact information:
    • Name (either full name or nickname)
    • Physical address (with at least state-level accuracy)
    • Affiliation / Company
    • Email address
    • Phone number
  • Vulnerability information:
    • Detailed description of the vulnerability
    • Sample code that was used to create / verify the vulnerability
      • Proof-of-Concept web request and response
    • Information on known exploits
    • URL or link to further information that may help engineering analyze or identify root cause
  • Communication plans
  • Disclosure plans (dates and venue)
  • Permission to be acknowledged as the discoverer in the security bulletin

A member of the Zip Security Team will review your email and contact you to collaborate on resolving the issue.

Prior to reporting, we ask that you:
  • Do not cause any harm or act against our terms of service;
  • Comply with applicable laws;
  • Do not access, modify, view, destroy, save, or otherwise alter data belonging to anyone other than you. If unintended access to data occurs, immediately cease testing, purge local information, and submit a report;
  • Do not compromise the privacy or safety of our customers or the operation of our services. Such activity will be treated as illegal.

Any personal information disclosed will be treated in accordance with Zip's applicable privacy policies.
