[{"id":3764299,"new_policy":"#Summary\nZelle® is transforming how money moves, with more than five billion digital payments sent since its launch in 2017. The Zelle Network® connects more than 2,100 bank and credit union brands of all sizes, enabling consumers and businesses to send digital payments to people and businesses they know and trust with an eligible bank account in the U.S. Money is available directly in bank accounts generally within minutes when the recipient is already enrolled with Zelle®. \n\nZelle® and Paze ℠ are the property of Early Warning Services, LLC.\n\nThis program is for the [Zellepay.com](https://zellepay.com) website, the [Zellepay Partner Portal](https://partners.zellepay.com), the Zellepay Customer Portal, the Zellepay iOS and Android mobile apps, and the supporting Web service APIs.\n\nIn this program we will reward for vulnerabilities that are found in the business logic or the application platform stack.\n\n#Testing Credentials\nEarly Warning does not maintain official testing accounts to be provisioned to security researchers. No credentials will be provided.\n\n#Response Targets\nEarly Warning will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 2 business days\n* Time to bounty (from triage) - 1 business day\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n#Disclosure Policy\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express written consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n#Program Rules\n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n#Access and Authentication Required\n* The iOS and Android mobile applications are available for download from their respective app stores\n* No credentials will be provided\n* Reports that cannot demonstrate impact through screenshots and/or video reproduction to the organization will be closed as N/A\n* Temporary cards and all other cards will not be accepted\n* Your `[user]@wearehackerone` email alias must be used when conducting testing in the program. Failure to do so may cause your traffic to be treated as an attack, and will be responded to accordingly\n* No Early Warning employees may participate in this bug bounty program\n\n#Rewards\nPlease see the structured bounty table. Our bounty table provides general guidelines, and all final decisions are at the discretion of Early Warning.\n\nReports that include a Nuclei Template to validate the submitted vulnerability may be awarded a bonus of between $100-$200. The Nuclei Template must be unique for the submitted vulnerability and existing open-source community templates will not be eligible for a bonus. Nuclei Template bonuses will be given out at the sole discretion of Early Warning.\n\nEarly Warning retains a perpetual right to complete ownership and usage of the submitted Nuclei Template. 
Researchers are prohibited from making submitted templates available to the public without express written consent from Early Warning.\n\n#Requested Focus Areas\n* Unauthorized access to card data\n* Business logic flaws allowing the unauthorized transfer of funds\n* Authentication bypass\n* Remote code execution\n* Unauthorized access to customer data\n* Unauthorized access to the zellepay.com website\n* Unauthorized access to the zellepay.com Partner Portal\n* Cross-site scripting (XSS)\n* SQL injection (SQLi)\n* Cross-site request forgery (CSRF) for critical functions such as money transfers or money requests\n\n#Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n##Out of scope\n* Reports from automated tools or scans\n* Zelle® functionality in any bank app\n* Denial of service attacks in any form or fashion\n  * If you suspect a non-volume-based denial-of-service bug exists, create a bug bounty report before testing and the Early Warning Services team will evaluate each report on a case-by-case basis\n* Volume-based attacks, including lack of, or tuning of, rate-limiting\n* Spoofing text messages that appear to come from zellepay, if it does not result in an actual transfer of money\n* Social engineering\n* Email spoofing (e.g. lack of SPF, DKIM, DMARC records)\n* Attacks that involve emailing or texting any user, if it does not result in an actual transfer of money\n* Descriptive error messages (e.g. 
stack traces, application or server errors)\n* Clickjacking on pages with no sensitive actions\n* Unauthenticated/logout/login CSRF\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices related to:\n  * SSL/TLS\n  * Security headers without direct exploitability\n  * SPF, DKIM, DMARC\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Any domains that resolve to Salesforce endpoints within scope must be tested in accordance with [Salesforce's Security Assessment Policy](https://help.salesforce.com/s/articleView?id=000392845\u0026type=1)\n* The decommissioned Android and iOS applications are no longer in scope\n* Please note the Zellepay Facebook page (https://www.facebook.com/zellepay) is region-locked to only display for US customers. Anyone outside the US will see the error: \"The link you followed may have expired, or the page may only be visible to an audience you're not in.\" This is by design, and any reports of this as a bug will be closed.\n* Credential dumps\n  * Customer credentials: As we cannot control how customers manage or secure their credentials on their systems, we do not pay bounties for customer credential dumps originating from third party sites.\n  * Employee credentials: We have an internal team that monitors the web for employee credential dumps. 
Any reports received will be forwarded to them, and if they are already aware of the reported credential dump, the report will be closed as 'informational'.\n\n# Starting Domains\nHere is a list of sub-domains that you can use to get started:\n* accountinfo-cat.earlywarning.com\n* accountinfo.earlywarning.com\n* identitychek.earlywarning.com\n* identitychekcat.earlywarning.com\n* mfa.earlywarning.com\n* identitychekcatxml.earlywarning.com\n* identitychekxml.earlywarning.com\n* sa*.earlywarning.com\n* partners.zellepay.com\n* register.zellepay.com\n\n\nPlease note that not all sub-domains may resolve.\n\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Early Warning and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-10-07T20:03:21.145Z"},{"id":3764205,"new_policy":"#Summary\nZelle® is transforming how money moves, with more than five billion digital payments sent since its launch in 2017. The Zelle Network® connects more than 2,100 bank and credit union brands of all sizes, enabling consumers and businesses to send digital payments to people and businesses they know and trust with an eligible bank account in the U.S. Money is available directly in bank accounts generally within minutes when the recipient is already enrolled with Zelle®. 
\n\nZelle® and Paze ℠ are the property of Early Warning Services, LLC.\n\nThis program is for the [Zellepay.com](https://zellepay.com) website, the [Zellepay Partner Portal](https://partners.zellepay.com), the Zellepay Customer Portal, the Zellepay iOS and Android mobile apps, and the supporting Web service APIs.\n\nIn this program we will reward for vulnerabilities that are found in the business logic or the application platform stack.\n\n#Testing Credentials\nEarly Warning does not maintain official testing accounts to be provisioned to security researchers. No credentials will be provided.\n\n#Response Targets\nEarly Warning will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 2 business days\n* Time to bounty (from triage) - 1 business day\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n#Disclosure Policy\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express written consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n#Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n\n#Access and Authentication Required\n* The iOS and Android mobile applications are available for download from their respective app stores\n* No credentials will be provided\n* Reports that cannot demonstrate impact through screenshots and/or video reproduction to the organization will be closed as N/A\n* Temporary cards and all other cards will not be accepted\n* Your `[user]@wearehackerone` email alias must be used when conducting testing in the program. Failure to do so may cause your traffic to be treated as an attack, and will be responded to accordingly\n* No Early Warning employees may participate in this bug bounty program\n\n#Rewards\nPlease see the structured bounty table. Our bounty table provides general guidelines, and all final decisions are at the discretion of Early Warning.\n\nReports that include a Nuclei Template to validate the submitted vulnerability may be awarded a bonus of between $100-$200. The Nuclei Template must be unique for the submitted vulnerability and existing open-source community templates will not be eligible for a bonus. Nuclei Template bonuses will be given out at the sole discretion of Early Warning.\n\nEarly Warning retains a perpetual right to complete ownership and usage of the submitted Nuclei Template. 
Researchers are prohibited from making submitted templates available to the public without express written consent from Early Warning.\n\n#Requested Focus Areas\n* Unauthorized access to card data\n* Business logic flaws allowing the unauthorized transfer of funds\n* Authentication bypass\n* Remote code execution\n* Unauthorized access to customer data\n* Unauthorized access to the zellepay.com website\n* Unauthorized access to the zellepay.com Partner Portal\n* Cross-site scripting (XSS)\n* SQL injection (SQLi)\n* Cross-site request forgery (CSRF) for critical functions such as money transfers or money requests\n\n#Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n##Out of scope\n* Reports from automated tools or scans\n* Zelle® functionality in any bank app\n* Denial of service attacks in any form or fashion\n  * If you suspect a non-volume-based denial-of-service bug exists, create a bug bounty report before testing and the Early Warning Services team will evaluate each report on a case-by-case basis\n* Volume-based attacks, including lack of, or tuning of, rate-limiting\n* Spoofing text messages that appear to come from zellepay, if it does not result in an actual transfer of money\n* Social engineering\n* Email spoofing (e.g. lack of SPF, DKIM, DMARC records)\n* Attacks that involve emailing or texting any user, if it does not result in an actual transfer of money\n* Descriptive error messages (e.g. 
stack traces, application or server errors)\n* Clickjacking on pages with no sensitive actions\n* Unauthenticated/logout/login CSRF\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices related to:\n  * SSL/TLS\n  * Security headers without direct exploitability\n  * SPF, DKIM, DMARC\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Any domains that resolve to Salesforce endpoints within scope must be tested in accordance with [Salesforce's Security Assessment Policy](https://help.salesforce.com/s/articleView?id=000392845\u0026type=1)\n* The decommissioned Android and iOS applications are no longer in scope\n* Please note the Zellepay Facebook page (https://www.facebook.com/zellepay) is region-locked to only display for US customers. Anyone outside the US will see the error: \"The link you followed may have expired, or the page may only be visible to an audience you're not in.\" This is by design, and any reports of this as a bug will be closed.\n\n# Starting Domains\nHere is a list of sub-domains that you can use to get started:\n* accountinfo-cat.earlywarning.com\n* accountinfo.earlywarning.com\n* identitychek.earlywarning.com\n* identitychekcat.earlywarning.com\n* mfa.earlywarning.com\n* identitychekcatxml.earlywarning.com\n* identitychekxml.earlywarning.com\n* sa*.earlywarning.com\n* partners.zellepay.com\n* register.zellepay.com\n\n\nPlease note that not all sub-domains may resolve.\n\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Early Warning and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-10-06T18:04:27.669Z"},{"id":3762567,"new_policy":"#Summary\nZelle® is transforming how money moves, with more than five billion digital payments sent since its launch in 2017. The Zelle Network® connects more than 2,100 bank and credit union brands of all sizes, enabling consumers and businesses to send digital payments to people and businesses they know and trust with an eligible bank account in the U.S. Money is available directly in bank accounts generally within minutes when the recipient is already enrolled with Zelle®. \n\nZelle® and Paze ℠ are the property of Early Warning Services, LLC.\n\nThis program is for the [Zellepay.com](https://zellepay.com) website, the [Zellepay Partner Portal](https://partners.zellepay.com), the Zellepay Customer Portal, the Zellepay iOS and Android mobile apps, and the supporting Web service APIs.\n\nIn this program we will reward for vulnerabilities that are found in the business logic or the application platform stack.\n\n#Testing Credentials\nEarly Warning does not maintain official testing accounts to be provisioned to security researchers. 
No credentials will be provided.\n\n#Response Targets\nEarly Warning will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 2 business days\n* Time to bounty (from triage) - 1 business day\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n#Disclosure Policy\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express written consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n#Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n#Access and Authentication Required\n* The iOS and Android mobile applications are available for download from their respective app stores\n* No credentials will be provided\n* Reports that cannot demonstrate impact through screenshots and/or video reproduction to the organization will be closed as N/A\n* Temporary cards and all other cards will not be accepted\n* Your `[user]@wearehackerone` email alias must be used when conducting testing in the program. 
Failure to do so may cause your traffic to be treated as an attack, and will be responded to accordingly\n* No Early Warning employees may participate in this bug bounty program\n\n#Rewards\nPlease see the structured bounty table. Our bounty table provides general guidelines, and all final decisions are at the discretion of Early Warning.\n\nReports that include a Nuclei Template to validate the submitted vulnerability may be awarded a bonus of between $100-$200. The Nuclei Template must be unique for the submitted vulnerability and existing open-source community templates will not be eligible for a bonus. Nuclei Template bonuses will be given out at the sole discretion of Early Warning.\n\nEarly Warning retains a perpetual right to complete ownership and usage of the submitted Nuclei Template. Researchers are prohibited from making submitted templates available to the public without express written consent from Early Warning.\n\n#Requested Focus Areas\n* Unauthorized access to card data\n* Business logic flaws allowing the unauthorized transfer of funds\n* Authentication bypass\n* Remote code execution\n* Unauthorized access to customer data\n* Unauthorized access to the zellepay.com website\n* Unauthorized access to the zellepay.com Partner Portal\n* Cross-site scripting (XSS)\n* SQL injection (SQLi)\n* Cross-site request forgery (CSRF) for critical functions such as money transfers or money requests\n\n#Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n\n##Out of scope\n* Reports from automated tools or scans\n* Zelle® functionality in any bank app\n* Denial of service attacks in any form or fashion\n  * If you suspect a non-volume-based denial-of-service bug exists, create a bug bounty report before testing and the Early Warning Services team will evaluate each report on a case-by-case basis\n* Volume-based attacks, including lack of, or tuning of, rate-limiting\n* Spoofing text messages that appear to come from zellepay, if it does not result in an actual transfer of money\n* Social engineering\n* Email spoofing (e.g. lack of SPF, DKIM, DMARC records)\n* Attacks that involve emailing or texting any user, if it does not result in an actual transfer of money\n* Descriptive error messages (e.g. stack traces, application or server errors)\n* Clickjacking on pages with no sensitive actions\n* Unauthenticated/logout/login CSRF\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices related to:\n  * SSL/TLS\n  * Security headers without direct exploitability\n  * SPF, DKIM, DMARC\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Any domains that resolve to Salesforce endpoints within scope must be tested in accordance with [Salesforce's Security Assessment Policy](https://help.salesforce.com/s/articleView?id=000392845\u0026type=1)\n* The decommissioned Android and iOS applications are no longer in scope\n* Please note the Zellepay Facebook page (https://www.facebook.com/zellepay) is region-locked to only display for US customers. Anyone outside the US will see the error: \"The link you followed may have expired, or the page may only be visible to an audience you're not in. 
\" This is by design, and any reports of this as a bug will be closed.\n\n# Starting Domains\nHere is a list of sub-domains that you can use to get started:\n* accountinfo-cat.earlywarning.com\n* accountinfo.earlywarning.com\n* identitychek.earlywarning.com\n* identitychekcat.earlywarning.com\n* mfa.earlywarning.com\n* accountinfodirect-cat.earlywarning.com\n* accountinfodirect.earlywarning.com\n* aoa-ws-direct-sd.earlywarning.com\n* rtn-oauth-irect.earlywarning.com\n* aoa-ws-cat.earlywarning.com\n* aoa-ws.earlywarning.com\n* identitychekcatxml.earlywarning.com\n* identitychekxml.earlywarning.com\n* sa*.earlywarning.com\n* partners.zellepay.com\n* register.zellepay.com\n\n\nPlease note that not all sub-domains may resolve.\n\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Early Warning and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-09-09T17:53:39.928Z"},{"id":3754962,"new_policy":"#Summary\nZelle® is transforming how money moves, with more than five billion digital payments sent since its launch in 2017. The Zelle Network® connects more than 2,100 bank and credit union brands of all sizes, enabling consumers and businesses to send digital payments to people and businesses they know and trust with an eligible bank account in the U.S. 
Money is available directly in bank accounts generally within minutes when the recipient is already enrolled with Zelle®. \n\nZelle® and Paze ℠ are the property of Early Warning Services, LLC.\n\nThis program is for the [Zellepay.com](https://zellepay.com) website, the [Zellepay Partner Portal](https://partners.zellepay.com), the Zellepay Customer Portal, the Zellepay iOS and Android mobile apps, and the supporting Web service APIs.\n\nIn this program we will reward for vulnerabilities that are found in the business logic or the application platform stack.\n\n#Testing Credentials\nEarly Warning does not maintain official testing accounts to be provisioned to security researchers. No credentials will be provided.\n\n#Response Targets\nEarly Warning will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 2 business days\n* Time to bounty (from triage) - 1 business day\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n#Disclosure Policy\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express written consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n#Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n#Access and Authentication Required\n* The iOS and Android mobile applications are available for download from their respective app stores\n* No credentials will be provided\n* Reports that cannot demonstrate impact through screenshots and/or video reproduction to the organization will be closed as N/A\n* Temporary cards and all other cards will not be accepted\n* Your `[user]@wearehackerone` email alias must be used when conducting testing in the program. Failure to do so may cause your traffic to be treated as an attack, and will be responded to accordingly\n* No Early Warning employees may participate in this bug bounty program\n\n#Rewards\nPlease see the structured bounty table. Our bounty table provides general guidelines, and all final decisions are at the discretion of Early Warning.\n\nReports that include a Nuclei Template to validate the submitted vulnerability may be awarded a bonus of between $100-$200. The Nuclei Template must be unique for the submitted vulnerability and existing open-source community templates will not be eligible for a bonus. Nuclei Template bonuses will be given out at the sole discretion of Early Warning.\n\nEarly Warning retains a perpetual right to complete ownership and usage of the submitted Nuclei Template. 
Researchers are prohibited from making submitted templates available to the public without express written consent from Early Warning.\n\n#Requested Focus Areas\n* Unauthorized access to card data\n* Business logic flaws allowing the unauthorized transfer of funds\n* Authentication bypass\n* Remote code execution\n* Unauthorized access to customer data\n* Unauthorized access to the zellepay.com website\n* Unauthorized access to the zellepay.com Partner Portal\n* Cross-site scripting (XSS)\n* SQL injection (SQLi)\n* Cross-site request forgery (CSRF) for critical functions such as money transfers or money requests\n\n#Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n##Out of scope\n* Reports from automated tools or scans\n* Zelle® functionality in any bank app\n* Denial of service attacks in any form or fashion\n  * If you suspect a non-volume-based denial-of-service bug exists, create a bug bounty report before testing and the Early Warning Services team will evaluate each report on a case-by-case basis\n* Volume-based attacks, including lack of, or tuning of, rate-limiting\n* Spoofing text messages that appear to come from zellepay, if it does not result in an actual transfer of money\n* Social engineering\n* Email spoofing (e.g. lack of SPF, DKIM, DMARC records)\n* Attacks that involve emailing or texting any user, if it does not result in an actual transfer of money\n* Descriptive error messages (e.g. 
Stack Traces, application or server errors)\n* Clickjacking on pages with no sensitive actions\n* Unauthenticated/logout/login CSRF\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices related to:\n  * SSL/TLS\n  * Security headers without direct exploitability \n  * SPF, DKIM, DMARC\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Any domains that resolve to Salesforce endpoints within scope must be tested in accordance with [Salesforce's Security Assessment Policy](https://help.salesforce.com/s/articleView?id=000392845\u0026type=1)\n* The decommissioned Android and iOS applications are no longer in scope\n\n# Starting Domains\nHere is a list of sub-domains that you can use to get started:\n* accountinfo-cat.earlywarning.com\n* accountinfo.earlywarning.com\n* identitychek.earlywarning.com\n* identitychekcat.earlywarning.com\n* mfa.earlywarning.com\n* accountinfodirect-cat.earlywarning.com\n* accountinfodirect.earlywarning.com\n* aoa-ws-direct-sd.earlywarning.com\n* rtn-oauth-irect.earlywarning.com\n* aoa-ws-cat.earlywarning.com\n* aoa-ws.earlywarning.com\n* identitychekcatxml.earlywarning.com\n* identitychekxml.earlywarning.com\n* sa*.earlywarning.com\n* api.zmsp.earlywarning.com\n* api.zmsp.*.earlywarning.io\n* partners.zellepay.com\n* register.zellepay.com\n\n\nPlease note that not all sub-domains may resolve.\n\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Early Warning and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-05-06T22:15:09.451Z"},{"id":3754961,"new_policy":"#Summary\nZelle® is transforming how money moves, with more than five billion digital payments sent since its launch in 2017. The Zelle Network® connects more than 2,100 bank and credit union brands of all sizes, enabling consumers and businesses to send digital payments to people and businesses they know and trust with an eligible bank account in the U.S. Money is available directly in bank accounts generally within minutes when the recipient is already enrolled with Zelle®. \n\nZelle® and Paze ℠ are the property of Early Warning Services, LLC.\n\nThis program is for the [Zellepay.com](https://zellepay.com) website, the [Zellepay Partner Portal](https://partners.zellepay.com), the Zellepay Customer Portal, the Zellepay iOS and Android mobile apps, and the supporting Web service APIs.\n\nIn this program we will reward for vulnerabilities that are found in the business logic or the application platform stack.\n\n#Testing Credentials\nEarly Warning does not maintain official testing accounts to be provisioned to security researchers. 
No credentials will be provided.\n\n#Response Targets\nEarly Warning will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 2 business days\n* Time to bounty (from triage) - 1 business day\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n#Disclosure Policy\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express written consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n#Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n#Access and Authentication Required\n* The iOS and Android mobile applications are available for download from their respective app stores\n* No credentials will be provided\n* Reports that cannot demonstrate impact through screenshots and/or video reproduction to the organization will be closed as N/A\n* Temporary cards and all other cards will not be accepted\n* Your `[user]@wearehackerone` email alias must be used when conducting testing in the program. 
Failure to do so may cause your traffic to be treated as an attack, and will be responded to accordingly\n* No Early Warning employees may participate in this bug bounty program\n\n#Rewards\nPlease see the structured bounty table. Our bounty table provides general guidelines, and all final decisions are at the discretion of Early Warning.\n\nReports that include a Nuclei Template to validate the submitted vulnerability may be awarded a bonus of between $100-$200. The Nuclei Template must be unique for the submitted vulnerability and existing open-source community templates will not be eligible for a bonus. Nuclei Template bonuses will be given out at the sole discretion of Early Warning.\n\nEarly Warning retains a perpetual right to complete ownership and usage of the submitted Nuclei Template. Researchers are prohibited from making submitted templates available to the public without express written consent from Early Warning.\n\n#Requested Focus Areas\n* Unauthorized access to card data\n* Business logic flaws allowing the unauthorized transfer of funds\n* Authentication bypass\n* Remote code execution\n* Unauthorized access to customer data\n* Unauthorized access to the zellepay.com website\n* Unauthorized access to the zellepay.com Partner Portal\n* Cross-site scripting (XSS)\n* SQL injection (SQLi)\n* Cross-site request forgery (CSRF) for critical functions such as money transfers or money requests\n\n#Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n\n##Out of scope\n* Reports from automated tools or scans\n* Zelle® functionality in any bank app\n* Denial of service attacks in any form or fashion\n  * If you suspect a non-volume-based denial-of-service bug exists, create a bug bounty report before testing and Early Warning Services team will evaluate each report on a case-by-case basis\n* Volume-based attacks, including lack or tuning or rate-limiting\n* Spoofing text messages that appear to come from zellepay, if it does not result in an actual transfer of money\n* Social Engineering\n* Email spoofing (eg Lack of SPF, DKIM, DMARC records)\n* Attacks that involve emailing or texting any user, if it does not result in an actual transfer of money\n* Descriptive error messages (e.g. Stack Traces, application or server errors)\n* Clickjacking on pages with no sensitive actions\n* Unauthenticated/logout/login CSRF\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices related to:\n  *SSL/TLS\n  *Security headers without direct exploitability \n  *SPF, DKIM, DMARC\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Any domains that resolve to Salesforce endpoints within scope must be tested in accordance with [Salesforce's Security Assessment Policy](https://help.salesforce.com/s/articleView?id=000392845\u0026type=1)\n* The decommissioned Android and iOS applications are no longer in scope\n\n# Starting Domains\nHere is a list of sub-domains that you can use to get started:\n* accountinfo-cat.earlywarning.com\n* accountinfo.earlywarning.com\n* identitychek.earlywarning.com\n* identitychekcat.earlywarning.com\n* mfa.earlywarning.com\n* accountinfodirect-cat.earlywarning.com\n* accountinfodirect.earlywarning.com\n* aoa-ws-direct-sd.earlywarning.com\n* 
rtn-oauth-irect.earlywarning.com\n* aoa-ws-cat.earlywarning.com\n* aoa-ws.earlywarning.com\n* identitychekcatxml.earlywarning.com\n* identitychekxml.earlywarning.com\n* sa*.earlywarning.com\n* api.zmsp.earlywarning.com\n* api.zmsp.*.earlywarning.io\n* partners.zellepay.com\n* register.zellepay.com\n\n\nPlease note that not all sub-domains may resolve.\n\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Early Warning and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-05-06T22:14:35.171Z"},{"id":3754960,"new_policy":"#Summary\nZelle® is transforming how money moves, with more than five billion digital payments sent since its launch in 2017. The Zelle Network® connects more than 2,100 bank and credit union brands of all sizes, enabling consumers and businesses to send digital payments to people and businesses they know and trust with an eligible bank account in the U.S. Money is available directly in bank accounts generally within minutes when the recipient is already enrolled with Zelle®. 
\n\nZelle® and Paze ℠ are the property of Early Warning Services, LLC.\n\nThis program is for the [Zellepay.com](https://zellepay.com) website, the [Zellepay Partner Portal](https://partners.zellepay.com), the Zellepay Customer Portal, the Zellepay iOS and Android mobile apps, and the supporting Web service APIs.\n\nIn this program we will reward for vulnerabilities that are found in the business logic or the application platform stack.\n\n#Testing Credentials\nEarly Warning does not maintain official testing accounts to be provisioned to security researchers. No credentials will be provided.\n\n#Response Targets\nEarly Warning will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 2 business days\n* Time to bounty (from triage) - 1 business day\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n#Disclosure Policy\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express written consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n#Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n\n#Access and Authentication Required\n* The iOS and Android mobile applications are available for download from their respective app stores\n* No credentials will be provided\n* Reports that cannot demonstrate impact through screenshots and/or video reproduction to the organization will be closed as N/A\n* Temporary cards and all other cards will not be accepted\n* Your `[user]@wearehackerone` email alias must be used when conducting testing in the program. Failure to do so may cause your traffic to be treated as an attack, and will be responded to accordingly\n* No Early Warning employees may participate in this bug bounty program\n\n#Rewards\nPlease see the structured bounty table. Our bounty table provides general guidelines, and all final decisions are at the discretion of Early Warning.\n\nReports that include a Nuclei Template to validate the submitted vulnerability may be awarded a bonus of between $100-$200. The Nuclei Template must be unique for the submitted vulnerability and existing open-source community templates will not be eligible for a bonus. Nuclei Template bonuses will be given out at the sole discretion of Early Warning.\n\nEarly Warning retains a perpetual right to complete ownership and usage of the submitted Nuclei Template. 
Researchers are prohibited from making submitted templates available to the public without express written consent from Early Warning.\n\n#Requested Focus Areas\n* Unauthorized access to card data\n* Business logic flaws allowing the unauthorized transfer of funds\n* Authentication bypass\n* Remote code execution\n* Unauthorized access to customer data\n* Unauthorized access to the zellepay.com website\n* Unauthorized access to the zellepay.com Partner Portal\n* Cross-site scripting (XSS)\n* SQL injection (SQLi)\n* Cross-site request forgery (CSRF) for critical functions such as money transfers or money requests\n\n#Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n##Out of scope\n* Reports from automated tools or scans\n* Zelle® functionality in any bank app\n* Denial of service attacks in any form or fashion\n  * If you suspect a non-volume-based denial-of-service bug exists, create a bug bounty report before testing and Early Warning Services team will evaluate each report on a case-by-case basis\n* Volume-based attacks, including lack or tuning or rate-limiting\n* Spoofing text messages that appear to come from zellepay, if it does not result in an actual transfer of money\n* Social Engineering\n* Email spoofing (eg Lack of SPF, DKIM, DMARC records)\n* Attacks that involve emailing or texting any user, if it does not result in an actual transfer of money\n* Descriptive error messages (e.g. 
Stack Traces, application or server errors)\n* Clickjacking on pages with no sensitive actions\n* Unauthenticated/logout/login CSRF\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices related to:\n  **SSL/TLS\n  **Security headers without direct exploitability \n  **SPF, DKIM, DMARC\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Any domains that resolve to Salesforce endpoints within scope must be tested in accordance with [Salesforce's Security Assessment Policy](https://help.salesforce.com/s/articleView?id=000392845\u0026type=1)\n* The decommissioned Android and iOS applications are no longer in scope\n\n# Starting Domains\nHere is a list of sub-domains that you can use to get started:\n* accountinfo-cat.earlywarning.com\n* accountinfo.earlywarning.com\n* identitychek.earlywarning.com\n* identitychekcat.earlywarning.com\n* mfa.earlywarning.com\n* accountinfodirect-cat.earlywarning.com\n* accountinfodirect.earlywarning.com\n* aoa-ws-direct-sd.earlywarning.com\n* rtn-oauth-irect.earlywarning.com\n* aoa-ws-cat.earlywarning.com\n* aoa-ws.earlywarning.com\n* identitychekcatxml.earlywarning.com\n* identitychekxml.earlywarning.com\n* sa*.earlywarning.com\n* api.zmsp.earlywarning.com\n* api.zmsp.*.earlywarning.io\n* partners.zellepay.com\n* register.zellepay.com\n\n\nPlease note that not all sub-domains may resolve.\n\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Early Warning and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-05-06T22:13:15.050Z"},{"id":3754959,"new_policy":"#Summary\nZelle® is transforming how money moves, with more than five billion digital payments sent since its launch in 2017. The Zelle Network® connects more than 2,100 bank and credit union brands of all sizes, enabling consumers and businesses to send digital payments to people and businesses they know and trust with an eligible bank account in the U.S. Money is available directly in bank accounts generally within minutes when the recipient is already enrolled with Zelle®. \n\nZelle® and Paze ℠ are the property of Early Warning Services, LLC.\n\nThis program is for the [Zellepay.com](https://zellepay.com) website, the [Zellepay Partner Portal](https://partners.zellepay.com), the Zellepay Customer Portal, the Zellepay iOS and Android mobile apps, and the supporting Web service APIs.\n\nIn this program we will reward for vulnerabilities that are found in the business logic or the application platform stack.\n\n#Testing Credentials\nEarly Warning does not maintain official testing accounts to be provisioned to security researchers. 
No credentials will be provided.\n\n#Response Targets\nEarly Warning will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 2 business days\n* Time to bounty (from triage) - 1 business day\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n#Disclosure Policy\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express written consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n#Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n#Access and Authentication Required\n* The iOS and Android mobile applications are available for download from their respective app stores\n* No credentials will be provided\n* Reports that cannot demonstrate impact through screenshots and/or video reproduction to the organization will be closed as N/A\n* Temporary cards and all other cards will not be accepted\n* Your `[user]@wearehackerone` email alias must be used when conducting testing in the program. 
Failure to do so may cause your traffic to be treated as an attack, and will be responded to accordingly\n* No Early Warning employees may participate in this bug bounty program\n\n#Rewards\nPlease see the structured bounty table. Our bounty table provides general guidelines, and all final decisions are at the discretion of Early Warning.\n\nReports that include a Nuclei Template to validate the submitted vulnerability may be awarded a bonus of between $100-$200. The Nuclei Template must be unique for the submitted vulnerability and existing open-source community templates will not be eligible for a bonus. Nuclei Template bonuses will be given out at the sole discretion of Early Warning.\n\nEarly Warning retains a perpetual right to complete ownership and usage of the submitted Nuclei Template. Researchers are prohibited from making submitted templates available to the public without express written consent from Early Warning.\n\n#Requested Focus Areas\n* Unauthorized access to card data\n* Business logic flaws allowing the unauthorized transfer of funds\n* Authentication bypass\n* Remote code execution\n* Unauthorized access to customer data\n* Unauthorized access to the zellepay.com website\n* Unauthorized access to the zellepay.com Partner Portal\n* Cross-site scripting (XSS)\n* SQL injection (SQLi)\n* Cross-site request forgery (CSRF) for critical functions such as money transfers or money requests\n\n#Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n\n##Out of scope\n* Reports from automated tools or scans\n* Zelle® functionality in any bank app\n* Denial of service attacks in any form or fashion\n** If you suspect a non-volume-based denial-of-service bug exists, create a bug bounty report before testing and Early Warning Services team will evaluate each report on a case-by-case basis\n* Volume-based attacks, including lack or tuning or rate-limiting\n* Spoofing text messages that appear to come from zellepay, if it does not result in an actual transfer of money\n* Social Engineering\n* Email spoofing (eg Lack of SPF, DKIM, DMARC records)\n* Attacks that involve emailing or texting any user, if it does not result in an actual transfer of money\n* Descriptive error messages (e.g. Stack Traces, application or server errors)\n* Clickjacking on pages with no sensitive actions\n* Unauthenticated/logout/login CSRF\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices related to:\n**SSL/TLS\n**Security headers without direct exploitability \n**SPF, DKIM, DMARC\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Any domains that resolve to Salesforce endpoints within scope must be tested in accordance with [Salesforce's Security Assessment Policy](https://help.salesforce.com/s/articleView?id=000392845\u0026type=1)\n* The decommissioned Android and iOS applications are no longer in scope\n\n# Starting Domains\nHere is a list of sub-domains that you can use to get started:\n* accountinfo-cat.earlywarning.com\n* accountinfo.earlywarning.com\n* identitychek.earlywarning.com\n* identitychekcat.earlywarning.com\n* mfa.earlywarning.com\n* accountinfodirect-cat.earlywarning.com\n* accountinfodirect.earlywarning.com\n* aoa-ws-direct-sd.earlywarning.com\n* 
rtn-oauth-irect.earlywarning.com\n* aoa-ws-cat.earlywarning.com\n* aoa-ws.earlywarning.com\n* identitychekcatxml.earlywarning.com\n* identitychekxml.earlywarning.com\n* sa*.earlywarning.com\n* api.zmsp.earlywarning.com\n* api.zmsp.*.earlywarning.io\n* partners.zellepay.com\n* register.zellepay.com\n\n\nPlease note that not all sub-domains may resolve.\n\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Early Warning and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-05-06T22:10:46.626Z"},{"id":3747784,"new_policy":"#Summary\nZelle® is transforming how money moves, with more than five billion digital payments sent since its launch in 2017. The Zelle Network® connects more than 2,100 bank and credit union brands of all sizes, enabling consumers and businesses to send digital payments to people and businesses they know and trust with an eligible bank account in the U.S. Money is available directly in bank accounts generally within minutes when the recipient is already enrolled with Zelle®. 
\n\nZelle® and Paze ℠ are the property of Early Warning Services, LLC.\n\nThis program is for the [Zellepay.com](https://zellepay.com) website, the [Zellepay Partner Portal](https://partners.zellepay.com), the Zellepay Customer Portal, the Zellepay iOS and Android mobile apps, and the supporting Web service APIs.\n\nIn this program we will reward for vulnerabilities that are found in the business logic or the application platform stack.\n\n#Testing Credentials\nEarly Warning does not maintain official testing accounts to be provisioned to security researchers. No credentials will be provided.\n\n#Response Targets\nEarly Warning will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 2 business days\n* Time to bounty (from triage) - 1 business day\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n#Disclosure Policy\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express written consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n#Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n\n#Access and Authentication Required\n* The iOS and Android mobile applications are available for download from their respective app stores\n* No credentials will be provided\n* Reports that cannot demonstrate impact through screenshots and/or video reproduction to the organization will be closed as N/A\n* Temporary cards and all other cards will not be accepted\n* Your `[user]@wearehackerone` email alias must be used when conducting testing in the program. Failure to do so may cause your traffic to be treated as an attack, and will be responded to accordingly\n* No Early Warning employees may participate in this bug bounty program\n\n#Rewards\nPlease see the structured bounty table. Our bounty table provides general guidelines, and all final decisions are at the discretion of Early Warning.\n\nReports that include a Nuclei Template to validate the submitted vulnerability may be awarded a bonus of between $100-$200. The Nuclei Template must be unique for the submitted vulnerability and existing open-source community templates will not be eligible for a bonus. Nuclei Template bonuses will be given out at the sole discretion of Early Warning.\n\nEarly Warning retains a perpetual right to complete ownership and usage of the submitted Nuclei Template. 
Researchers are prohibited from making submitted templates available to the public without express written consent from Early Warning.\n\n#Requested Focus Areas\n* Unauthorized access to card data\n* Business logic flaws allowing the unauthorized transfer of funds\n* Authentication bypass\n* Remote code execution\n* Unauthorized access to customer data\n* Unauthorized access to the zellepay.com website\n* Unauthorized access to the zellepay.com Partner Portal\n* Cross-site scripting (XSS)\n* SQL injection (SQLi)\n* Cross-site request forgery (CSRF) for critical functions such as money transfers or money requests\n\n#Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n##Out of scope\n* Reports from automated tools or scans\n* Zelle® functionality in any bank app\n* Denial of service attacks in any form or fashion\n* Spoofing text messages that appear to come from zellepay, if it does not result in an actual transfer of money\n* Social Engineering\n* Email spoofing (eg Lack of SPF, DKIM, DMARC records)\n* Volume-based attacks, including lack or tuning of rate-limiting\n* Attacks that involve emailing or texting any user, if it does not result in an actual transfer of money\n* Descriptive error messages (e.g. 
Stack Traces, application or server errors)\n* Clickjacking on pages with no sensitive actions\n* Unauthenticated/logout/login CSRF\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Any domains that resolve to Salesforce endpoints within scope must be tested in accordance with [Salesforce's Security Assessment Policy](https://help.salesforce.com/s/articleView?id=000392845\u0026type=1)\n\n\n##Out of scope bugs for iOS and Android apps\n* Root / Jailbreak detection bypass\n* Lack of Root / Jailbreak detection\n* Client certificate password cracking\n* Client certificate hard-coded/recoverable in ipa/apk\n* Absence or bypass of certificate pinning\n* Oauth \"app secret\" hard-coded/recoverable in ipa/apk\n* Lack of binary protection (anti-debugging) controls\n* Lack of obfuscation\n* Sensitive data in request bodies when protected by TLS\n* Snapshot/Pasteboard leakage\n* Crashes in general\n* Runtime hacking exploits (exploits only possible in a rooted/jailbroken environment)\n* Hardcoded keys or values, if they do not provide functionality beyond the normal application functionality (eg ability to escalate privileges beyond normal application access)\n\n###Out of scope bugs for Android app\n* Any URIs leaked because a malicious app has permission to view URIs opened\n* Exported Activities/Service Providers/BroadcastReceivers\n* Any kind of sensitive data stored in app private directory\n* User data stored unencrypted on external storage\n\n###Out of scope bugs for iOS app\n* Lack of Exploit mitigations ie. PIE, ARC, or Stack Canaries\n* Path disclosure in the binary\n* User data stored unencrypted in secure storage (e.g. 
keychain, secure enclave)\n\n# Starting Domains\nHere is a list of sub-domains that you can use to get started:\n* accountinfo-cat.earlywarning.com\n* accountinfo.earlywarning.com\n* identitychek.earlywarning.com\n* identitychekcat.earlywarning.com\n* mfa.earlywarning.com\n* accountinfodirect-cat.earlywarning.com\n* accountinfodirect.earlywarning.com\n* aoa-ws-direct-sd.earlywarning.com\n* rtn-oauth-irect.earlywarning.com\n* aoa-ws-cat.earlywarning.com\n* aoa-ws.earlywarning.com\n* identitychekcatxml.earlywarning.com\n* identitychekxml.earlywarning.com\n* sa*.earlywarning.com\n* api.zmsp.earlywarning.com\n* api.zmsp.*.earlywarning.io\n* partners.zellepay.com\n* register.zellepay.com\n\n\nPlease note that not all sub-domains may resolve.\n\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Early Warning and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-01-10T17:35:20.448Z"},{"id":3737928,"new_policy":"#Summary\nZelle® is transforming how money moves, with more than five billion digital payments sent since its launch in 2017. The Zelle Network® connects more than 2,100 bank and credit union brands of all sizes, enabling consumers and businesses to send digital payments to people and businesses they know and trust with an eligible bank account in the U.S. 
Money is available directly in bank accounts generally within minutes when the recipient is already enrolled with Zelle®. \n\nZelle® and Paze ℠ are the property of Early Warning Services, LLC.\n\nThis program is for the [Zellepay.com](https://zellepay.com) website, the [Zellepay Partner Portal](https://partners.zellepay.com), the Zellepay Customer Portal, the Zellepay iOS and Android mobile apps, and the supporting Web service APIs.\n\nIn this program we will reward for vulnerabilities that are found in the business logic or the application platform stack.\n\n#Response Targets\nEarly Warning will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 2 business days\n* Time to bounty (from triage) - 1 business day\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n#Disclosure Policy\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express written consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n#Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n\n#Access and Authentication Required\n* The iOS and Android mobile applications are available for download from their respective app stores\n* No credentials will be provided\n* Reports that cannot demonstrate impact through screenshots and/or video reproduction to the organization will be closed as N/A\n* Temporary cards and all other cards will not be accepted\n* Your `[user]@wearehackerone` email alias must be used when conducting testing in the program. Failure to do so may cause your traffic to be treated as an attack, and will be responded to accordingly\n* No Early Warning employees may participate in this bug bounty program\n\n#Rewards\nPlease see the structured bounty table. Our bounty table provides general guidelines, and all final decisions are at the discretion of Early Warning.\n\nReports that include a Nuclei Template to validate the submitted vulnerability may be awarded a bonus of between $100-$200. The Nuclei Template must be unique for the submitted vulnerability and existing open-source community templates will not be eligible for a bonus. Nuclei Template bonuses will be given out at the sole discretion of Early Warning.\n\nEarly Warning retains a perpetual right to complete ownership and usage of the submitted Nuclei Template. 
Researchers are prohibited from making submitted templates available to the public without express written consent from Early Warning.\n\n#Requested Focus Areas\n* Unauthorized access to card data\n* Business logic flaws allowing the unauthorized transfer of funds\n* Authentication bypass\n* Remote code execution\n* Unauthorized access to customer data\n* Unauthorized access to the zellepay.com website\n* Unauthorized access to the zellepay.com Partner Portal\n* Cross-site scripting (XSS)\n* SQL injection (SQLi)\n* Cross-site request forgery (CSRF) for critical functions such as money transfers or money requests\n\n#Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n##Out of scope\n* Reports from automated tools or scans\n* Zelle® functionality in any bank app\n* Denial of service attacks in any form or fashion\n* Spoofing text messages that appear to come from zellepay, if it does not result in an actual transfer of money\n* Social Engineering\n* Email spoofing (eg Lack of SPF, DKIM, DMARC records)\n* Volume-based attacks, including lack or tuning of rate-limiting\n* Attacks that involve emailing or texting any user, if it does not result in an actual transfer of money\n* Descriptive error messages (e.g. 
Stack Traces, application or server errors)\n* Clickjacking on pages with no sensitive actions\n* Unauthenticated/logout/login CSRF\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Any domains that resolve to Salesforce endpoints within scope must be tested in accordance with [Salesforce's Security Assessment Policy](https://help.salesforce.com/s/articleView?id=000392845\u0026type=1)\n\n\n##Out of scope bugs for iOS and Android apps\n* Root / Jailbreak detection bypass\n* Lack of Root / Jailbreak detection\n* Client certificate password cracking\n* Client certificate hard-coded/recoverable in ipa/apk\n* Absence or bypass of certificate pinning\n* Oauth \"app secret\" hard-coded/recoverable in ipa/apk\n* Lack of binary protection (anti-debugging) controls\n* Lack of obfuscation\n* Sensitive data in request bodies when protected by TLS\n* Snapshot/Pasteboard leakage\n* Crashes in general\n* Runtime hacking exploits (exploits only possible in a rooted/jailbroken environment)\n* Hardcoded keys or values, if they do not provide functionality beyond the normal application functionality (eg ability to escalate privileges beyond normal application access)\n\n###Out of scope bugs for Android app\n* Any URIs leaked because a malicious app has permission to view URIs opened\n* Exported Activities/Service Providers/BroadcastReceivers\n* Any kind of sensitive data stored in app private directory\n* User data stored unencrypted on external storage\n\n###Out of scope bugs for iOS app\n* Lack of Exploit mitigations ie. PIE, ARC, or Stack Canaries\n* Path disclosure in the binary\n* User data stored unencrypted in secure storage (e.g. 
keychain, secure enclave)\n\n# Starting Domains\nHere is a list of sub-domains that you can use to get started:\n* accountinfo-cat.earlywarning.com\n* accountinfo.earlywarning.com\n* identitychek.earlywarning.com\n* identitychekcat.earlywarning.com\n* mfa.earlywarning.com\n* accountinfodirect-cat.earlywarning.com\n* accountinfodirect.earlywarning.com\n* aoa-ws-direct-sd.earlywarning.com\n* rtn-oauth-irect.earlywarning.com\n* aoa-ws-cat.earlywarning.com\n* aoa-ws.earlywarning.com\n* identitychekcatxml.earlywarning.com\n* identitychekxml.earlywarning.com\n* sa*.earlywarning.com\n* api.zmsp.earlywarning.com\n* api.zmsp.*.earlywarning.io\n* partners.zellepay.com\n* register.zellepay.com\n\n\nPlease note that not all sub-domains may resolve.\n\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Early Warning and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-09-04T21:55:38.622Z"},{"id":3737925,"new_policy":"#Summary\nZelle® is transforming how money moves, with more than five billion digital payments sent since its launch in 2017. The Zelle Network® connects more than 2,100 bank and credit union brands of all sizes, enabling consumers and businesses to send digital payments to people and businesses they know and trust with an eligible bank account in the U.S. 
Money is available directly in bank accounts generally within minutes when the recipient is already enrolled with Zelle®. \n\nZelle® and Paze ℠ are the property of Early Warning Services, LLC.\n\nThis program is for the [Zellepay.com](https://zellepay.com) website, the [Zellepay Partner Portal](https://partners.zellepay.com), the Zellepay Customer Portal, the Zellepay iOS and Android mobile apps, and the supporting Web service APIs.\n\nIn this program we will reward for vulnerabilities that are found in the business logic or the application platform stack.\n\n#Response Targets\nEarly Warning will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 2 business days\n* Time to bounty (from triage) - 1 business day\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n#Disclosure Policy\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express written consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n#Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n\n#Access and Authentication Required\n* The iOS and Android mobile applications are available for download from their respective app stores\n* No credentials will be provided\n* Reports that cannot demonstrate impact through screenshots and/or video reproduction to the organization will be closed as N/A\n* Temporary cards and all other cards will not be accepted\n* Your `[user]@wearehackerone` email alias must be used when conducting testing in the program. Failure to do so may cause your traffic to be treated as an attack, and will be responded to accordingly\n* No Early Warning employees may participate in this bug bounty program\n\n#Rewards\nPlease see the structured bounty table. Our bounty table provides general guidelines, and all final decisions are at the discretion of Early Warning.\n\nReports that include a Nuclei Template to validate the submitted vulnerability may be awarded a bonus of between $100-$200.. The Nuclei Template must be unique for the submitted vulnerability and existing open-source community templates will not be eligible for a bonus. Nuclei Template bonuses will be given out at the sole discretion of Early Warning.\n\nEarly Warning retains a perpetual right to complete ownership and usage of the submitted Nuclei Template. 
Researchers are prohibited from making submitted templates available to the public without express written consent from Early Warning.\n\n#Requested Focus Areas\n* Unauthorized access to card data\n* Business logic flaws allowing the unauthorized transfer of funds\n* Authentication bypass\n* Remote code execution\n* Unauthorized access to customer data\n* Unauthorized access to the zellepay.com website\n* Unauthorized access to the zellepay.com Partner Portal\n* Cross-site scripting (XSS)\n* SQL injection (SQLi)\n* Cross-site request forgery (CSRF) for critical functions such as money transfers or money requests\n\n#Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n##Out of scope\n* Reports from automated tools or scans\n* Zelle® functionality in any bank app\n* Denial of service attacks in any form or fashion\n* Spoofing text messages that appear to come from zellepay, if it does not result in an actual transfer of money\n* Social Engineering\n* Email spoofing (eg Lack of SPF, DKIM, DMARC records)\n* Volume-based attacks, including lack or tuning of rate-limiting\n* Attacks that involve emailing or texting any user, if it does not result in an actual transfer of money\n* Descriptive error messages (e.g. 
Stack Traces, application or server errors)\n* Clickjacking on pages with no sensitive actions\n* Unauthenticated/logout/login CSRF\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Any domains that resolve to Salesforce endpoints within scope must be tested in accordance with [Salesforce's Security Assessment Policy](https://help.salesforce.com/s/articleView?id=000392845\u0026type=1)\n\n\n##Out of scope bugs for iOS and Android apps\n* Root / Jailbreak detection bypass\n* Lack of Root / Jailbreak detection\n* Client certificate password cracking\n* Client certificate hard-coded/recoverable in ipa/apk\n* Absence or bypass of certificate pinning\n* Oauth \"app secret\" hard-coded/recoverable in ipa/apk\n* Lack of binary protection (anti-debugging) controls\n* Lack of obfuscation\n* Sensitive data in request bodies when protected by TLS\n* Snapshot/Pasteboard leakage\n* Crashes in general\n* Runtime hacking exploits (exploits only possible in a rooted/jailbroken environment)\n* Hardcoded keys or values, if they do not provide functionality beyond the normal application functionality (eg ability to escalate privileges beyond normal application access)\n\n###Out of scope bugs for Android app\n* Any URIs leaked because a malicious app has permission to view URIs opened\n* Exported Activities/Service Providers/BroadcastReceivers\n* Any kind of sensitive data stored in app private directory\n* User data stored unencrypted on external storage\n\n###Out of scope bugs for iOS app\n* Lack of Exploit mitigations ie. PIE, ARC, or Stack Canaries\n* Path disclosure in the binary\n* User data stored unencrypted in secure storage (e.g. 
keychain, secure enclave)\n\n# Starting Domains\nHere is a list of sub-domains that you can use to get started:\n* accountinfo-cat.earlywarning.com\n* accountinfo.earlywarning.com\n* identitychek.earlywarning.com\n* identitychekcat.earlywarning.com\n* mfa.earlywarning.com\n* accountinfodirect-cat.earlywarning.com\n* accountinfodirect.earlywarning.com\n* aoa-ws-direct-sd.earlywarning.com\n* rtn-oauth-irect.earlywarning.com\n* aoa-ws-cat.earlywarning.com\n* aoa-ws.earlywarning.com\n* identitychekcatxml.earlywarning.com\n* identitychekxml.earlywarning.com\n* sa*.earlywarning.com\n* api.zmsp.earlywarning.com\n* api.zmsp.*.earlywarning.io\n* partners.zellepay.com\n* register.zellepay.com\n\n\nPlease note that not all sub-domains may resolve.\n\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Early Warning and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-09-04T21:53:57.290Z"},{"id":3737923,"new_policy":"#Summary\nZelle® is transforming how money moves, with more than five billion digital payments sent since its launch in 2017. The Zelle Network® connects more than 2,100 bank and credit union brands of all sizes, enabling consumers and businesses to send digital payments to people and businesses they know and trust with an eligible bank account in the U.S. 
Money is available directly in bank accounts generally within minutes when the recipient is already enrolled with Zelle®. \n\nZelle® and Paze ℠ are the property of Early Warning Services, LLC.\n\nThis program is for the [Zellepay.com](https://zellepay.com) website, the [Zellepay Partner Portal](https://partners.zellepay.com), the Zellepay Customer Portal, the Zellepay iOS and Android mobile apps, and the supporting Web service APIs.\n\nIn this program we will reward for vulnerabilities that are found in the business logic or the application platform stack.\n\n#Response Targets\nEarly Warning will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 2 business days\n* Time to bounty (from triage) - 1 business day\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n#Disclosure Policy\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express written consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n#Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n\n#Access and Authentication Required\n* The iOS and Android mobile applications are available for download from their respective app stores\n* No credentials will be provided\n* Reports that cannot demonstrate impact through screenshots and/or video reproduction to the organization will be closed as N/A\n* Temporary cards and all other cards will not be accepted\n* Your `[user]@wearehackerone` email alias must be used when conducting testing in the program. Failure to do so may cause your traffic to be treated as an attack, and will be responded to accordingly\n* No Early Warning employees may participate in this bug bounty program\n\n#Rewards\nPlease see the structured bounty table. Our bounty table provides general guidelines, and all final decisions are at the discretion of Early Warning.\n\nReports that include a Nuclei Template to validate the submitted vulnerability may be awarded a bonus defined in structured bounty table. The Nuclei Template must be unique for the submitted vulnerability and existing open-source community templates will not be eligible for a bonus. Nuclei Template bonuses will be given out at the sole discretion of Early Warning.\n\nEarly Warning retains a perpetual right to complete ownership and usage of the submitted Nuclei Template. 
Researchers are prohibited from making submitted templates available to the public without express written consent from Early Warning.\n\n#Requested Focus Areas\n* Unauthorized access to card data\n* Business logic flaws allowing the unauthorized transfer of funds\n* Authentication bypass\n* Remote code execution\n* Unauthorized access to customer data\n* Unauthorized access to the zellepay.com website\n* Unauthorized access to the zellepay.com Partner Portal\n* Cross-site scripting (XSS)\n* SQL injection (SQLi)\n* Cross-site request forgery (CSRF) for critical functions such as money transfers or money requests\n\n#Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n##Out of scope\n* Reports from automated tools or scans\n* Zelle® functionality in any bank app\n* Denial of service attacks in any form or fashion\n* Spoofing text messages that appear to come from zellepay, if it does not result in an actual transfer of money\n* Social Engineering\n* Email spoofing (eg Lack of SPF, DKIM, DMARC records)\n* Volume-based attacks, including lack or tuning of rate-limiting\n* Attacks that involve emailing or texting any user, if it does not result in an actual transfer of money\n* Descriptive error messages (e.g. 
Stack Traces, application or server errors)\n* Clickjacking on pages with no sensitive actions\n* Unauthenticated/logout/login CSRF\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Any domains that resolve to Salesforce endpoints within scope must be tested in accordance with [Salesforce's Security Assessment Policy](https://help.salesforce.com/s/articleView?id=000392845\u0026type=1)\n\n\n##Out of scope bugs for iOS and Android apps\n* Root / Jailbreak detection bypass\n* Lack of Root / Jailbreak detection\n* Client certificate password cracking\n* Client certificate hard-coded/recoverable in ipa/apk\n* Absence or bypass of certificate pinning\n* Oauth \"app secret\" hard-coded/recoverable in ipa/apk\n* Lack of binary protection (anti-debugging) controls\n* Lack of obfuscation\n* Sensitive data in request bodies when protected by TLS\n* Snapshot/Pasteboard leakage\n* Crashes in general\n* Runtime hacking exploits (exploits only possible in a rooted/jailbroken environment)\n* Hardcoded keys or values, if they do not provide functionality beyond the normal application functionality (eg ability to escalate privileges beyond normal application access)\n\n###Out of scope bugs for Android app\n* Any URIs leaked because a malicious app has permission to view URIs opened\n* Exported Activities/Service Providers/BroadcastReceivers\n* Any kind of sensitive data stored in app private directory\n* User data stored unencrypted on external storage\n\n###Out of scope bugs for iOS app\n* Lack of Exploit mitigations ie. PIE, ARC, or Stack Canaries\n* Path disclosure in the binary\n* User data stored unencrypted in secure storage (e.g. 
keychain, secure enclave)\n\n# Starting Domains\nHere is a list of sub-domains that you can use to get started:\n* accountinfo-cat.earlywarning.com\n* accountinfo.earlywarning.com\n* identitychek.earlywarning.com\n* identitychekcat.earlywarning.com\n* mfa.earlywarning.com\n* accountinfodirect-cat.earlywarning.com\n* accountinfodirect.earlywarning.com\n* aoa-ws-direct-sd.earlywarning.com\n* rtn-oauth-irect.earlywarning.com\n* aoa-ws-cat.earlywarning.com\n* aoa-ws.earlywarning.com\n* identitychekcatxml.earlywarning.com\n* identitychekxml.earlywarning.com\n* sa*.earlywarning.com\n* api.zmsp.earlywarning.com\n* api.zmsp.*.earlywarning.io\n* partners.zellepay.com\n* register.zellepay.com\n\n\nPlease note that not all sub-domains may resolve.\n\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Early Warning and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-09-04T21:51:56.086Z"},{"id":3737922,"new_policy":"#Summary\nZelle® is transforming how money moves, with more than five billion digital payments sent since its launch in 2017. The Zelle Network® connects more than 2,100 bank and credit union brands of all sizes, enabling consumers and businesses to send digital payments to people and businesses they know and trust with an eligible bank account in the U.S. 
Money is available directly in bank accounts generally within minutes when the recipient is already enrolled with Zelle®. \n\nZelle® and Paze ℠ are the property of Early Warning Services, LLC.\n\nThis program is for the [Zellepay.com](https://zellepay.com) website, the [Zellepay Partner Portal](https://partners.zellepay.com), the Zellepay Customer Portal, the Zellepay iOS and Android mobile apps, and the supporting Web service APIs.\n\nIn this program we will reward for vulnerabilities that are found in the business logic or the application platform stack.\n\n#Response Targets\nEarly Warning will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 2 business days\n* Time to bounty (from triage) - 1 business day\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n#Disclosure Policy\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express written consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n#Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n\n#Access and Authentication Required\n* The iOS and Android mobile applications are available for download from their respective app stores\n* No credentials will be provided\n* Reports that cannot demonstrate impact through screenshots and/or video reproduction to the organization will be closed as N/A\n* Temporary cards and all other cards will not be accepted\n* Your `[user]@wearehackerone` email alias must be used when conducting testing in the program. Failure to do so may cause your traffic to be treated as an attack, and will be responded to accordingly\n* No Early Warning employees may participate in this bug bounty program\n\n#Rewards\nPlease see the structured bounty table. Our bounty table provides general guidelines, and all final decisions are at the discretion of Early Warning.\nReports that include a Nuclei Template to validate the submitted vulnerability may be awarded a bonus defined in structured bounty table. The Nuclei Template must be unique for the submitted vulnerability and existing open-source community templates will not be eligible for a bonus. Nuclei Template bonuses will be given out at the sole discretion of Early Warning.\nEarly Warning retains a perpetual right to complete ownership and usage of the submitted Nuclei Template. 
Researchers are prohibited from making submitted templates available to the public without express written consent from Early Warning.\n\n#Requested Focus Areas\n* Unauthorized access to card data\n* Business logic flaws allowing the unauthorized transfer of funds\n* Authentication bypass\n* Remote code execution\n* Unauthorized access to customer data\n* Unauthorized access to the zellepay.com website\n* Unauthorized access to the zellepay.com Partner Portal\n* Cross-site scripting (XSS)\n* SQL injection (SQLi)\n* Cross-site request forgery (CSRF) for critical functions such as money transfers or money requests\n\n#Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n##Out of scope\n* Reports from automated tools or scans\n* Zelle® functionality in any bank app\n* Denial of service attacks in any form or fashion\n* Spoofing text messages that appear to come from zellepay, if it does not result in an actual transfer of money\n* Social Engineering\n* Email spoofing (eg Lack of SPF, DKIM, DMARC records)\n* Volume-based attacks, including lack or tuning of rate-limiting\n* Attacks that involve emailing or texting any user, if it does not result in an actual transfer of money\n* Descriptive error messages (e.g. 
Stack Traces, application or server errors)\n* Clickjacking on pages with no sensitive actions\n* Unauthenticated/logout/login CSRF\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Any domains that resolve to Salesforce endpoints within scope must be tested in accordance with [Salesforce's Security Assessment Policy](https://help.salesforce.com/s/articleView?id=000392845\u0026type=1)\n\n\n##Out of scope bugs for iOS and Android apps\n* Root / Jailbreak detection bypass\n* Lack of Root / Jailbreak detection\n* Client certificate password cracking\n* Client certificate hard-coded/recoverable in ipa/apk\n* Absence or bypass of certificate pinning\n* Oauth \"app secret\" hard-coded/recoverable in ipa/apk\n* Lack of binary protection (anti-debugging) controls\n* Lack of obfuscation\n* Sensitive data in request bodies when protected by TLS\n* Snapshot/Pasteboard leakage\n* Crashes in general\n* Runtime hacking exploits (exploits only possible in a rooted/jailbroken environment)\n* Hardcoded keys or values, if they do not provide functionality beyond the normal application functionality (eg ability to escalate privileges beyond normal application access)\n\n###Out of scope bugs for Android app\n* Any URIs leaked because a malicious app has permission to view URIs opened\n* Exported Activities/Service Providers/BroadcastReceivers\n* Any kind of sensitive data stored in app private directory\n* User data stored unencrypted on external storage\n\n###Out of scope bugs for iOS app\n* Lack of Exploit mitigations ie. PIE, ARC, or Stack Canaries\n* Path disclosure in the binary\n* User data stored unencrypted in secure storage (e.g. 
keychain, secure enclave)\n\n# Starting Domains\nHere is a list of sub-domains that you can use to get started:\n* accountinfo-cat.earlywarning.com\n* accountinfo.earlywarning.com\n* identitychek.earlywarning.com\n* identitychekcat.earlywarning.com\n* mfa.earlywarning.com\n* accountinfodirect-cat.earlywarning.com\n* accountinfodirect.earlywarning.com\n* aoa-ws-direct-sd.earlywarning.com\n* rtn-oauth-irect.earlywarning.com\n* aoa-ws-cat.earlywarning.com\n* aoa-ws.earlywarning.com\n* identitychekcatxml.earlywarning.com\n* identitychekxml.earlywarning.com\n* sa*.earlywarning.com\n* api.zmsp.earlywarning.com\n* api.zmsp.*.earlywarning.io\n* partners.zellepay.com\n* register.zellepay.com\n\n\nPlease note that not all sub-domains may resolve.\n\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Early Warning and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-09-04T21:50:43.464Z"},{"id":3728557,"new_policy":"#Summary\nZelle® is transforming how money moves, with more than five billion digital payments sent since its launch in 2017. The Zelle Network® connects more than 2,100 bank and credit union brands of all sizes, enabling consumers and businesses to send digital payments to people and businesses they know and trust with an eligible bank account in the U.S. 
Money is available directly in bank accounts generally within minutes when the recipient is already enrolled with Zelle®. \n\nZelle® and Paze ℠ are the property of Early Warning Services, LLC.\n\nThis program is for the [Zellepay.com](https://zellepay.com) website, the [Zellepay Partner Portal](https://partners.zellepay.com), the Zellepay Customer Portal, the Zellepay iOS and Android mobile apps, and the supporting Web service APIs.\n\nIn this program we will reward for vulnerabilities that are found in the business logic or the application platform stack.\n\n#Response Targets\nEarly Warning will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 2 business days\n* Time to bounty (from triage) - 1 business day\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n#Disclosure Policy\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express written consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n#Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n\n#Access and Authentication Required\n* The iOS and Android mobile applications are available for download from their respective app stores\n* No credentials will be provided\n* Reports that cannot demonstrate impact through screenshots and/or video reproduction to the organization will be closed as N/A\n* Temporary cards and all other cards will not be accepted\n* Your `[user]@wearehackerone` email alias must be used when conducting testing in the program. Failure to do so may cause your traffic to be treated as an attack, and will be responded to accordingly\n* No Early Warning employees may participate in this bug bounty program\n\n#Rewards\nPlease see the structured bounty table. Our bounty table provides general guidelines, and all final decisions are at the discretion of Early Warning.\n\n#Requested Focus Areas\n* Unauthorized access to card data\n* Business logic flaws allowing the unauthorized transfer of funds\n* Authentication bypass\n* Remote code execution\n* Unauthorized access to customer data\n* Unauthorized access to the zellepay.com website\n* Unauthorized access to the zellepay.com Partner Portal\n* Cross-site scripting (XSS)\n* SQL injection (SQLi)\n* Cross-site request forgery (CSRF) for critical functions such as money transfers or money requests\n\n#Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n\n##Out of scope\n* Reports from automated tools or scans\n* Zelle® functionality in any bank app\n* Denial of service attacks in any form or fashion\n* Spoofing text messages that appear to come from zellepay, if it does not result in an actual transfer of money\n* Social Engineering\n* Email spoofing (eg Lack of SPF, DKIM, DMARC records)\n* Volume-based attacks, including lack or tuning of rate-limiting\n* Attacks that involve emailing or texting any user, if it does not result in an actual transfer of money\n* Descriptive error messages (e.g. Stack Traces, application or server errors)\n* Clickjacking on pages with no sensitive actions\n* Unauthenticated/logout/login CSRF\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Any domains that resolve to Salesforce endpoints within scope must be tested in accordance with [Salesforce's Security Assessment Policy](https://help.salesforce.com/s/articleView?id=000392845\u0026type=1)\n\n\n##Out of scope bugs for iOS and Android apps\n* Root / Jailbreak detection bypass\n* Lack of Root / Jailbreak detection\n* Client certificate password cracking\n* Client certificate hard-coded/recoverable in ipa/apk\n* Absence or bypass of certificate pinning\n* Oauth \"app secret\" hard-coded/recoverable in ipa/apk\n* Lack of binary protection (anti-debugging) controls\n* Lack of obfuscation\n* Sensitive data in request bodies when protected by TLS\n* Snapshot/Pasteboard leakage\n* Crashes in general\n* Runtime hacking exploits (exploits only possible in a rooted/jailbroken environment)\n* Hardcoded keys or values, if they do not provide functionality beyond the normal application functionality (eg ability to 
escalate privileges beyond normal application access)\n\n###Out of scope bugs for Android app\n* Any URIs leaked because a malicious app has permission to view URIs opened\n* Exported Activities/Service Providers/BroadcastReceivers\n* Any kind of sensitive data stored in app private directory\n* User data stored unencrypted on external storage\n\n###Out of scope bugs for iOS app\n* Lack of Exploit mitigations ie. PIE, ARC, or Stack Canaries\n* Path disclosure in the binary\n* User data stored unencrypted in secure storage (e.g. keychain, secure enclave)\n\n# Starting Domains\nHere is a list of sub-domains that you can use to get started:\n* accountinfo-cat.earlywarning.com\n* accountinfo.earlywarning.com\n* identitychek.earlywarning.com\n* identitychekcat.earlywarning.com\n* mfa.earlywarning.com\n* accountinfodirect-cat.earlywarning.com\n* accountinfodirect.earlywarning.com\n* aoa-ws-direct-sd.earlywarning.com\n* rtn-oauth-irect.earlywarning.com\n* aoa-ws-cat.earlywarning.com\n* aoa-ws.earlywarning.com\n* identitychekcatxml.earlywarning.com\n* identitychekxml.earlywarning.com\n* sa*.earlywarning.com\n* api.zmsp.earlywarning.com\n* api.zmsp.*.earlywarning.io\n* partners.zellepay.com\n* register.zellepay.com\n\n\nPlease note that not all sub-domains may resolve.\n\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Early Warning and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-06-03T20:35:28.142Z"},{"id":3728556,"new_policy":"#Summary\nZelle® is transforming how money moves, with more than five billion digital payments sent since its launch in 2017. The Zelle Network® connects more than 2,100 bank and credit union brands of all sizes, enabling consumers and businesses to send digital payments to people and businesses they know and trust with an eligible bank account in the U.S. Money is available directly in bank accounts generally within minutes when the recipient is already enrolled with Zelle®. 
\n\nZelle® and Paze ℠ are the property of Early Warning Services, LLC.\n\nThis program is for the [Zellepay.com](https://zellepay.com) website, the [Zellepay Partner Portal](https://partners.zellepay.com), the Zellepay Customer Portal, the Zellepay iOS and Android mobile apps, and the supporting Web service APIs.\n\nIn this program we will reward for vulnerabilities that are found in the business logic or the application platform stack.\n\n#Response Targets\nEarly Warning will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 2 business days\n* Time to bounty (from triage) - 1 business day\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n#Disclosure Policy\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express written consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n#Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n\n#Access and Authentication Required\n* The iOS and Android mobile applications are available for download from their respective app stores\n* No credentials will be provided\n* Reports that cannot demonstrate impact through screenshots and/or video reproduction to the organization will be closed as N/A\n* Temporary cards and all other cards will not be accepted\n* Your `[user]@wearehackerone` email alias must be used when conducting testing in the program. Failure to do so may cause your traffic to be treated as an attack, and will be responded to accordingly\n* No Early Warning employees may participate in this bug bounty program\n\n#Rewards\nPlease see the structured bounty table. Our bounty table provides general guidelines, and all final decisions are at the discretion of Early Warning.\n\n#Requested Focus Areas\n* Unauthorized access to card data\n* Business logic flaws allowing the unauthorized transfer of funds\n* Authentication bypass\n* Remote code execution\n* Unauthorized access to customer data\n* Unauthorized access to the zellepay.com website\n* Unauthorized access to the zellepay.com Partner Portal\n* Cross-site scripting (XSS)\n* SQL injection (SQLi)\n* Cross-site request forgery (CSRF) for critical functions such as money transfers or money requests\n\n#Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n\n##Out of scope\n* Reports from automated tools or scans\n* Zelle functionality in any bank app\n* Denial of service attacks in any form or fashion\n* Spoofing text messages that appear to come from zellepay, if it does not result in an actual transfer of money\n* Social Engineering\n* Email spoofing (eg Lack of SPF, DKIM, DMARC records)\n* Volume-based attacks, including lack or tuning of rate-limiting\n* Attacks that involve emailing or texting any user, if it does not result in an actual transfer of money\n* Descriptive error messages (e.g. Stack Traces, application or server errors)\n* Clickjacking on pages with no sensitive actions\n* Unauthenticated/logout/login CSRF\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Any domains that resolve to Salesforce endpoints within scope must be tested in accordance with [Salesforce's Security Assessment Policy](https://help.salesforce.com/s/articleView?id=000392845\u0026type=1)\n\n\n##Out of scope bugs for iOS and Android apps\n* Root / Jailbreak detection bypass\n* Lack of Root / Jailbreak detection\n* Client certificate password cracking\n* Client certificate hard-coded/recoverable in ipa/apk\n* Absence or bypass of certificate pinning\n* Oauth \"app secret\" hard-coded/recoverable in ipa/apk\n* Lack of binary protection (anti-debugging) controls\n* Lack of obfuscation\n* Sensitive data in request bodies when protected by TLS\n* Snapshot/Pasteboard leakage\n* Crashes in general\n* Runtime hacking exploits (exploits only possible in a rooted/jailbroken environment)\n* Hardcoded keys or values, if they do not provide functionality beyond the normal application functionality (eg ability to 
escalate privileges beyond normal application access)\n\n###Out of scope bugs for Android app\n* Any URIs leaked because a malicious app has permission to view URIs opened\n* Exported Activities/Service Providers/BroadcastReceivers\n* Any kind of sensitive data stored in app private directory\n* User data stored unencrypted on external storage\n\n###Out of scope bugs for iOS app\n* Lack of Exploit mitigations ie. PIE, ARC, or Stack Canaries\n* Path disclosure in the binary\n* User data stored unencrypted in secure storage (e.g. keychain, secure enclave)\n\n# Starting Domains\nHere is a list of sub-domains that you can use to get started:\n* accountinfo-cat.earlywarning.com\n* accountinfo.earlywarning.com\n* identitychek.earlywarning.com\n* identitychekcat.earlywarning.com\n* mfa.earlywarning.com\n* accountinfodirect-cat.earlywarning.com\n* accountinfodirect.earlywarning.com\n* aoa-ws-direct-sd.earlywarning.com\n* rtn-oauth-irect.earlywarning.com\n* aoa-ws-cat.earlywarning.com\n* aoa-ws.earlywarning.com\n* identitychekcatxml.earlywarning.com\n* identitychekxml.earlywarning.com\n* sa*.earlywarning.com\n* api.zmsp.earlywarning.com\n* api.zmsp.*.earlywarning.io\n* partners.zellepay.com\n* register.zellepay.com\n\n\nPlease note that not all sub-domains may resolve.\n\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Early Warning and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-06-03T20:35:04.352Z"},{"id":3726912,"new_policy":"#Summary\nZelle℠ partners with leading banks to make money move quickly and securely. It's a revolution in the way you send and receive money. Currently, Zelle will allow users to transfer money from person to person, in real-time.\n\nThis program is for the [Zellepay.com](https://zellepay.com) website, the [Zellepay Partner Portal](https://partners.zellepay.com), the Zellepay Customer Portal, the Zellepay iOS and Android mobile apps, and the supporting Web service APIs.\n\nIn this program we will reward for vulnerabilities that are found in the business logic or the application platform stack.\n\n#Response Targets\nEarly Warning will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 2 business days\n* Time to bounty (from triage) - 1 business day\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n#Disclosure Policy\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express written consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n#Program Rules\n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n#Access and Authentication Required\n* The iOS and Android mobile applications are available for download from their respective app stores\n* No credentials will be provided\n* Reports that cannot demonstrate impact through screenshots and/or video reproduction to the organization will be closed as N/A\n* Temporary cards and all other cards will not be accepted\n* Your `[user]@wearehackerone` email alias must be used when conducting testing in the program. Failure to do so may cause your traffic to be treated as an attack, and will be responded to accordingly\n* No Early Warning employees may participate in this bug bounty program\n\n#Rewards\nPlease see the structured bounty table. 
Our bounty table provides general guidelines, and all final decisions are at the discretion of Early Warning.\n\n#Requested Focus Areas\n* Unauthorized access to card data\n* Business logic flaws allowing the unauthorized transfer of funds\n* Authentication bypass\n* Remote code execution\n* Unauthorized access to customer data\n* Unauthorized access to the zellepay.com website\n* Unauthorized access to the zellepay.com Partner Portal\n* Cross-site scripting (XSS)\n* SQL injection (SQLi)\n* Cross-site request forgery (CSRF) for critical functions such as money transfers or money requests\n\n#Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n##Out of scope\n* Reports from automated tools or scans\n* Zelle functionality in any bank app\n* Denial of service attacks in any form or fashion\n* Spoofing text messages that appear to come from zellepay, if it does not result in an actual transfer of money\n* Social Engineering\n* Email spoofing (eg Lack of SPF, DKIM, DMARC records)\n* Volume-based attacks, including lack or tuning of rate-limiting\n* Attacks that involve emailing or texting any user, if it does not result in an actual transfer of money\n* Descriptive error messages (e.g. 
Stack Traces, application or server errors)\n* Clickjacking on pages with no sensitive actions\n* Unauthenticated/logout/login CSRF\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Any domains that resolve to Salesforce endpoints within scope must be tested in accordance with [Salesforce's Security Assessment Policy](https://help.salesforce.com/s/articleView?id=000392845\u0026type=1)\n\n\n##Out of scope bugs for iOS and Android apps\n* Root / Jailbreak detection bypass\n* Lack of Root / Jailbreak detection\n* Client certificate password cracking\n* Client certificate hard-coded/recoverable in ipa/apk\n* Absence or bypass of certificate pinning\n* Oauth \"app secret\" hard-coded/recoverable in ipa/apk\n* Lack of binary protection (anti-debugging) controls\n* Lack of obfuscation\n* Sensitive data in request bodies when protected by TLS\n* Snapshot/Pasteboard leakage\n* Crashes in general\n* Runtime hacking exploits (exploits only possible in a rooted/jailbroken environment)\n* Hardcoded keys or values, if they do not provide functionality beyond the normal application functionality (eg ability to escalate privileges beyond normal application access)\n\n###Out of scope bugs for Android app\n* Any URIs leaked because a malicious app has permission to view URIs opened\n* Exported Activities/Service Providers/BroadcastReceivers\n* Any kind of sensitive data stored in app private directory\n* User data stored unencrypted on external storage\n\n###Out of scope bugs for iOS app\n* Lack of Exploit mitigations ie. PIE, ARC, or Stack Canaries\n* Path disclosure in the binary\n* User data stored unencrypted in secure storage (e.g. 
keychain, secure enclave)\n\n# Starting Domains\nHere is a list of sub-domains that you can use to get started:\n* accountinfo-cat.earlywarning.com\n* accountinfo.earlywarning.com\n* identitychek.earlywarning.com\n* identitychekcat.earlywarning.com\n* mfa.earlywarning.com\n* accountinfodirect-cat.earlywarning.com\n* accountinfodirect.earlywarning.com\n* aoa-ws-direct-sd.earlywarning.com\n* rtn-oauth-irect.earlywarning.com\n* aoa-ws-cat.earlywarning.com\n* aoa-ws.earlywarning.com\n* identitychekcatxml.earlywarning.com\n* identitychekxml.earlywarning.com\n* sa*.earlywarning.com\n* api.zmsp.earlywarning.com\n* api.zmsp.*.earlywarning.io\n* partners.zellepay.com\n* register.zellepay.com\n\n\nPlease note that not all sub-domains may resolve.\n\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Early Warning and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-05-21T14:29:01.698Z"}]