Bug Bounty Program Terms
The Zenkit development team highly appreciates the efforts of the information security community to make the web a better and safer place for everyone. In order to reward the best external contributions that help us keep our users safe, we maintain a Bug Bounty Program for Zenkit-owned web properties.
Issues submitted to bugbounty@zenkit.com will be handled based on priority. Issues regarding the security of user data and our applications (like app.zenkit.com or hypernotes.zenkit.com) have a higher priority than those concerning the marketing site (zenkit.com).
Qualifying vulnerabilities
Any design or implementation issue that substantially affects the confidentiality or integrity of user data is likely to be in scope for the program. The program is limited to technical vulnerabilities in web applications that Zenkit owns or operates.
Please do not attempt to carry out DoS or DDoS attacks, social engineering, spamming or do other similarly questionable things.
The following finding types are specifically excluded from the bounty:
- Findings produced by automated scanners (the use of automated scanners is strictly prohibited).
- Disclosure of known public files or directories (e.g. robots.txt).
- Clickjacking and issues only exploitable through clickjacking.
- CSRF on forms that are available to anonymous users (e.g. the contact form).
- CSRF attacks that require knowledge of the CSRF token (e.g. attacks involving a local machine).
- Logout Cross-Site Request Forgery (logout CSRF).
- Content Spoofing.
- Brute force against the login or forgot-password pages, and account lockout not being enforced.
- OPTIONS HTTP method enabled.
- Username / email enumeration.
- Missing HTTP security headers (see https://www.owasp.org/index.php/List_of_useful_HTTP_headers), e.g. Strict-Transport-Security, X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP, Content-Security-Policy-Report-Only, Cache-Control and Pragma.
- HTTP/DNS cache poisoning.
- SSL/TLS issues, e.g.
  - SSL/TLS attacks such as BEAST, BREACH or the renegotiation attack.
  - Forward secrecy not enabled.
  - Weak or insecure cipher suites.
- Self-XSS reports will not be accepted.
- Similarly, any XSS that requires local access to trigger (e.g. User-Agent header injection) will not be accepted. The only exception is if you can demonstrate a working remote (off-path) MitM attack that allows the XSS to trigger without local access.
- Missing or incorrect SPF records of any kind.
- Missing or incorrect DMARC records of any kind.
- Source code or configuration disclosure vulnerabilities.
- Information disclosure of non-confidential information.
- Email bombing, flooding or missing rate limiting.
- Circumvention of the paywall (i.e. the ability to use paid features on a free plan).
Non-qualifying vulnerabilities
Depending on their impact, some of the reported issues may not qualify if they do not present a considerable amount of risk to the business.
Reward amounts for security vulnerabilities
As a small, self-funded company, we cannot afford to pay the same amounts that other bug bounty programs of much larger corporations might be able to offer. Please keep that in mind when submitting your reports or when evaluating how much time you spend on your research.
Zenkit rewards bug bounty hunters on a first-come, first-served basis – the first comprehensive report for the same bug will be awarded any bounty. The final amount is always chosen at the discretion of our team. In particular, we may decide to pay higher rewards for unusually clever or severe vulnerabilities or pay lower rewards for vulnerabilities that require unusual user interaction. We may also decide a single report actually constitutes multiple bugs or that multiple reports are so closely related that they only warrant a single reward.
Investigating and reporting bugs
When investigating a vulnerability, please only ever target your own accounts. Never attempt to access anyone else’s data and do not engage in any activity that would be disruptive or damaging to the users or to Zenkit. Please bear in mind we are interested in bugs, not user data. If you come across user information during the course of your research, do not save, store, copy, transfer, disclose, or otherwise retain this information and please report it immediately to us.
Note that we are only able to answer technical vulnerability reports. Non-security bugs and queries about problems with your account should instead be directed to our customer support team. Please perform your research in good faith, and do not publicly disclose a vulnerability without our consent and review. Our pledge to you is to respond promptly and fix bugs in a sensible timeframe; in exchange, we ask for reasonable advance notice. Reports that go against this principle will usually not qualify, but we will evaluate them on a case-by-case basis.
Legal points
We are unable to issue rewards to individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to participate depending upon your local law. This is not a competition, but rather an experimental and discretionary rewards program. You should understand that we can cancel the program at any time and that the decision as to whether or not to pay a reward is entirely at our discretion. Zenkit rewards bug bounty hunters on a first-come, first-served basis, so if you find a vulnerability that has just been reported by someone else we will not reward you. Of course, your testing must not violate any law, or disrupt or compromise any data that is not your own.
To contact our information security team, please email bugbounty@zenkit.com.