[{"id":3628161,"new_policy":"# Welcome to Tumblr\n\nThe Tumblr Bug Bounty program is available here: **[Automattic's Bug Bounty Program](https://hackerone.com/automattic)**.\n\nPlease submit any reports for Tumblr to that program.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-01-13T15:29:44.049Z"},{"id":3622011,"new_policy":"# Welcome to Tumblr\nThe Tumblr Bug Bounty Program was designed for those security-conscious users who help keep the Tumblr community safe from criminals and jerks. If you submit a bug that is within the scope of the program (as defined below), we will gladly reward you for your keen eye. Also, by submitting you agree that your submissions are subject in relevant part to Tumblr’s Application Developer and API License Agreement.\n \nThe security of Tumblr and our users is always a top priority for us. We look forward to working with the security community and invite security researchers to report security vulnerabilities that are identified in our products.\n\n-----\n\n# Table of Contents\n\n- Rules of Engagement\n  1. Program Rules\n  1. Legal Terms\n  1. Safe Harbor\n- Responsible Disclosure of Vulnerabilities\n  1. Testing\n      - SSRF Server\n  1. Crafting a Report\n      - Same Bug, Different Host\n      - Same Payload, Different Parameter\n  1. Program Scope\n- Rewards\n  1. Payout Table\n  1. Vulnerability Priority Baselines\n  1. Borderline Out-of-Scope, No Bounty\n  1. 
Do Not Report\n\n-----\n\n# Rules of Engagement\n\nBy submitting reports or otherwise participating in this program, you agree that you have read and will follow the Program Rules and Legal Terms sections of this program Policy.\n\n## Program Rules\n\n**Violation of any of these rules can result in ineligibility for a bounty and/or removal from the program.** Three strikes will earn you a temporary ban. Four strikes means a permanent ban.\n\n1. Test vulnerabilities only against accounts that you own or accounts that you have permission from the account holder to test against.\n1. Never use a finding to compromise/exfiltrate data or pivot to other systems. Use a proof of concept only to demonstrate an issue.\n1. If sensitive information--such as personal information, credentials, etc.--is accessed as part of a vulnerability, it must not be saved, stored, transferred, accessed, or otherwise processed after initial discovery. All copies of sensitive information must be returned to Tumblr and may not be retained.\n1. Researchers may not, and are not authorized to engage in any activity that would be disruptive, damaging or harmful to Tumblr or its users. This includes: social engineering, phishing, physical security and denial of service attacks against users, employees, or Tumblr as a whole.\n1. Abide by the program scope. Only reports submitted to this program and against assets in scope will be eligible for monetary award.\n1. 
Researchers may not publicly disclose vulnerabilities (sharing any details whatsoever with anyone other than authorized Tumblr employees), or otherwise share vulnerabilities with a third party, without Tumblr’s express written permission.\n\n## Legal Terms\nIn connection with your participation in this program you agree to comply with Tumblr’s Terms of Service, Tumblr’s Privacy Policy, and all applicable laws and regulations, including any laws or regulations governing privacy or the lawful processing of data.\n\nTumblr reserves the right to change or modify the terms of this program at any time. You may not participate in this program if you are a resident or individual located within a country appearing on any U.S. sanctions lists (such as the lists administered by the US Department of the Treasury’s OFAC).\n\nTumblr does not give permission/authorization (either implied or explicit) to an individual or group of individuals to (1) extract personal information or content of Tumblr users or publicize this information on the open, public-facing internet without user consent or (2) modify or corrupt programs or data belonging to Tumblr in order to extract and publicly disclose data belonging to Tumblr.\n\nTumblr employees, contingent workers, contractors and their personnel, and consultants, as well as their immediate family members and persons living in the same household, are not eligible to receive bounties or rewards of any kind under any Tumblr programs, whether hosted by Tumblr or any third party.\n\n## Safe Harbor\nTumblr will not initiate a lawsuit or law enforcement investigation against a researcher in response to reporting a vulnerability if the researcher fully complies with this Policy.\n\nPlease understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party may determine whether to pursue legal action. 
We cannot and do not authorize security research in the name of other entities. If legal action is initiated by a third party against you and you have complied with this Policy, we will take reasonable steps to make it known that your actions were conducted in compliance with this Policy.\n\nYou are expected, as always, to comply with all applicable laws and regulations.\n\nPlease submit a report to us **before** engaging in conduct that may be inconsistent with or unaddressed by this Policy.\n\n-----\n\n# Responsible Disclosure of Vulnerabilities\n\nWe are continuously working to evolve our bug bounty program. We aim to respond to incoming submissions as quickly as possible and make every effort to have bugs fixed within 90 days of being triaged.\n\nPlease review the program scope before submitting a report.\n\n## Testing\n\nWeb traffic to and from Tumblr produces vast amounts of data every day. When testing, you can make it easier for us to identify your testing traffic against our normal data and the malicious actors out in the world. Please do one or both of the following when participating in the Tumblr bug bounty program:\n\n- Where possible, register accounts using your `\u003cusername\u003e+tumblr@wearehackerone.com` addresses. This is not a requirement for eligibility but will help for identification purposes.\n- Provide your IP address in the bug report. We will keep this data private and only use it to review logs related to your testing activity.\n- Include a custom HTTP header in all your traffic. Burp and other proxies allow the easy automatic addition of headers to all outbound requests. Report to us what header you set so we can identify it easily. 
For example:\n  - A header that includes your username: `X-Bug-Bounty:HackerOne-\u003cusername\u003e`\n  - A header that includes a unique or identifiable flag `X-Bug-Bounty:ID-\u003csha256-flag\u003e`\n- Target our internal SSRF Server (see below) for any SSRF tests\n\nWhen testing for a bug, please also keep in mind:\n\n- Only use authorized accounts so as not to inadvertently compromise the privacy of our users\n- When attempting to demonstrate root permissions with the following primitives in a vulnerable process please use the following commands:\n  - Read: `cat /proc/1/maps`\n  - Write: `touch /root/\u003cyour H1 username\u003e`\n  - Execute: `id`, `hostname`, `pwd` (though, technically cat and touch also prove execution)\n- Minimize the mayhem. Adhere to program rules at all times. Do not use automated scanners/tools - these tools include payloads that could trigger state changes or damage production systems and/or data.\n- Before causing damage or potential damage: Stop, report what you've found and request additional testing permission.\n\n### SSRF Server\n\nWhen testing for Server Side Request Forgery (SSRF), we've set up a server inside our network that you can use for verifying SSRF vulnerabilities. It has the following assets you can target:\n\n- https://ssrf-server.tumblr.net\n- https://ssrf-server.tumblr.net/mp3_audio.mp3\n- https://ssrf-server.tumblr.net/mp4_video.mp4\n- https://ssrf-server.tumblr.net/gif_image.gif\n- https://ssrf-server.tumblr.net/png_image.png\n- https://ssrf-server.tumblr.net/html_document.html\n- https://ssrf-server.tumblr.net/javascript_document.js\n- https://ssrf-server.tumblr.net/text_document.txt\n- https://ssrf-server.tumblr.net/xml_document.xml\n\n## Crafting a Report\n\nIf our security team cannot reproduce and verify an issue, a bounty cannot be awarded. 
To help streamline our intake process, we ask that submissions include:\n\n- Description of the vulnerability\n- Steps to reproduce the reported vulnerability\n- Proof of exploitability (e.g. screenshot, video)\n- Perceived impact to another user or the organization\n- Proposed [CVSSv3](https://www.first.org/cvss/calculator/3.0) Vector \u0026 Score (without environmental and temporal modifiers)\n- List of URLs and affected parameters\n- Other vulnerable URLs, additional payloads, Proof-of-Concept code\n- Browser, OS and/or app version used during testing\n\n*Note: Failure to adhere to these minimum requirements may result in the loss of a reward.*\n\n**All supporting evidence and other attachments must be stored only within the report you submit.** Do not host any files on external services.\n\n### Same Bug, Different Host\n\nFor each report, please allow Tumblr sufficient time to patch other host instances. If you find the same bug on a different (unique) host, prior to the report reaching a triaged state, file it within the existing report. Any reports filed separately while we are actively working to resolve the issue will be treated as a duplicate.\n\n### Same Payload, Different Parameter\n\nIn some cases, rewards may be consolidated into a single payout. For example, multiple reports of the same vulnerability across different parameters of a resource, or demonstrations of multiple attack vectors against a fundamental framework issue. We kindly ask you to consolidate reports rather than separate them.\n\n## Program Scope\n\nPlease see our detailed scope list at the bottom of this page for a full list of assets that are out of scope. 
This list is subject to change without notice.\n\nIf you’ve found a vulnerability that affects an asset belonging to Tumblr, but is not outlined in the in scope section of this program and isn't excluded either, please report it to this program and we will review.\n\n-----\n\n# Rewards\n\nYou will be eligible for a bounty only if you are the first person to disclose an unknown issue. Qualifying bugs will be rewarded based on severity, to be determined by Tumblr in its sole discretion. Rewards may range from HackerOne Reputation Points to monetary rewards up to $5,000 USD. Awards are granted entirely at the discretion of Tumblr.\n\nAt Tumblr's discretion, providing more complete research, proof-of-concept code and detailed write-ups may increase the bounty awarded. Conversely, Tumblr may pay less for vulnerabilities that require complex or over-complicated interactions or for which the impact or security risk is negligible. Rewards may be denied if there is evidence of program policy violations. A reduction in bounty is also warranted for reports that require specific browser configurations.\n\n## Payout Table\n\nWhere a monetary bounty is presented, eligible reports will be awarded based on severity after identifying final impact, as determined by Tumblr.\n\n| Severity | Payout Range |\n|-----|-----|\n| Critical | $1,000 - $5,000 |\n| High | $500 - $1,000 |\n| Medium | $100 - $500 |\n| Low | $100 |\n| None | $0 |\n\n## Vulnerability Priority Baselines\n\nAll reports will be awarded based on their actual impact and severity which will be determined by Tumblr in its sole discretion.\n\nAs a general guide to vulnerability priority baselines, one resource that we suggest to check out is this [Vulnerability Rating Taxonomy](https://bugcrowd.com/vulnerability-rating-taxonomy). 
This only serves as a guide and does not guarantee actual report classification.\n\n## Borderline Out-of-Scope, No Bounty\n\nThese issues are eligible for submission, but not eligible for bounty or any award. Once triaged, they will be closed as `Informative` only if found to be valid or `Spam` if found to be not valid. When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug.\n\n| Issues: |  |\n|-----|-----|\n| Any non-Tumblr Applications | \"Self\" XSS |\n| Missing Security Best Practices | HTTP Host Header XSS |\n| Confidential Information Leakage | Clickjacking/UI Redressing |\n| Use of known-vulnerable library (without proof of exploitability) | Intentional Open Redirects |\n| Missing cookie flags | Reflected file download |\n| SSL/TLS Best Practices | Incomplete/Missing SPF/DKIM |\n| Physical attacks | Social Engineering attacks |\n| Results of automated scanners | Login/Logout/Unauthenticated CSRF |\n| Autocomplete attribute on web forms | Using unreported vulnerabilities |\n| Issues related to networking protocols | Software Version Disclosure |\n| Verbose error pages (without proof of exploitability) | Denial of Service attacks |\n| Tumblr software that is End of Life or no longer supported | Account/email Enumeration |\n| Missing Security HTTP Headers (without proof of exploitability) | Internal pivoting, scanning, exploiting, or exfiltrating data |\n\n*Note:* 0-day vulnerabilities may be reported 30 days after initial publication. 
We have an internal process dedicated to tracking these issues; hosts identified by this process and internally ticketed will not be eligible for bounty.\n\n\n## Do Not Report\n\nThe following issues are considered out of scope:\n\n- Those that resolve to third-party services\n- Issues that do not affect the latest version of modern browsers\n- Issues that we are already aware of or have been previously reported\n- Issues that require unlikely user interaction\n- Disclosure of information that does not present a significant risk\n- Cross-site Request Forgery with minimal security impact\n- CSV injection\n- Incomplete or missing SPF/DKIM\n- General best practice concerns\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-10-23T16:20:39.206Z"},{"id":3620298,"new_policy":"# Welcome to Tumblr\nThe Tumblr Bug Bounty Program was designed for those security-conscious users who help keep the Tumblr community safe from criminals and jerks. If you submit a bug that is within the scope of the program (as defined below), we will gladly reward you for your keen eye. Also, by submitting you agree that your submissions are subject in relevant part to Tumblr’s Application Developer and API License Agreement.\n \nThe security of Tumblr and our users is always a top priority for us. We look forward to working with the security community and invite security researchers to report security vulnerabilities that are identified in our products.\n\n-----\n\n# Table of Contents\n\n- Rules of Engagement\n  1. Program Rules\n  1. Legal Terms\n  1. Safe Harbor\n- Responsible Disclosure of Vulnerabilities\n  1. Testing\n      - SSRF Server\n  1. Crafting a Report\n      - Same Bug, Different Host\n      - Same Payload, Different Parameter\n  1. 
Program Scope\n- Rewards\n  1. Payout Table\n  1. Vulnerability Priority Baselines\n  1. Borderline Out-of-Scope, No Bounty\n  1. Do Not Report\n\n-----\n\n# Rules of Engagement\n\nBy submitting reports or otherwise participating in this program, you agree that you have read and will follow the Program Rules and Legal Terms sections of this program Policy.\n\n## Program Rules\n\n**Violation of any of these rules can result in ineligibility for a bounty and/or removal from the program.** Three strikes will earn you a temporary ban. Four strikes means a permanent ban.\n\n1. Test vulnerabilities only against accounts that you own or accounts that you have permission from the account holder to test against.\n1. Never use a finding to compromise/exfiltrate data or pivot to other systems. Use a proof of concept only to demonstrate an issue.\n1. If sensitive information--such as personal information, credentials, etc.--is accessed as part of a vulnerability, it must not be saved, stored, transferred, accessed, or otherwise processed after initial discovery. All copies of sensitive information must be returned to Tumblr and may not be retained.\n1. Researchers may not, and are not authorized to engage in any activity that would be disruptive, damaging or harmful to Tumblr or its users. This includes: social engineering, phishing, physical security and denial of service attacks against users, employees, or Tumblr as a whole.\n1. Abide by the program scope. Only reports submitted to this program and against assets in scope will be eligible for monetary award.\n1. 
Researchers may not publicly disclose vulnerabilities (sharing any details whatsoever with anyone other than authorized Tumblr employees), or otherwise share vulnerabilities with a third party, without Tumblr’s express written permission.\n\n## Legal Terms\nIn connection with your participation in this program you agree to comply with Tumblr’s Terms of Service, Tumblr’s Privacy Policy, and all applicable laws and regulations, including any laws or regulations governing privacy or the lawful processing of data.\n\nTumblr reserves the right to change or modify the terms of this program at any time. You may not participate in this program if you are a resident or individual located within a country appearing on any U.S. sanctions lists (such as the lists administered by the US Department of the Treasury’s OFAC).\n\nTumblr does not give permission/authorization (either implied or explicit) to an individual or group of individuals to (1) extract personal information or content of Tumblr users or publicize this information on the open, public-facing internet without user consent or (2) modify or corrupt programs or data belonging to Tumblr in order to extract and publicly disclose data belonging to Tumblr.\n\nTumblr employees, contingent workers, contractors and their personnel, and consultants, as well as their immediate family members and persons living in the same household, are not eligible to receive bounties or rewards of any kind under any Tumblr programs, whether hosted by Tumblr or any third party.\n\n## Safe Harbor\nTumblr will not initiate a lawsuit or law enforcement investigation against a researcher in response to reporting a vulnerability if the researcher fully complies with this Policy.\n\nPlease understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party may determine whether to pursue legal action. 
We cannot and do not authorize security research in the name of other entities. If legal action is initiated by a third party against you and you have complied with this Policy, we will take reasonable steps to make it known that your actions were conducted in compliance with this Policy.\n\nYou are expected, as always, to comply with all applicable laws and regulations.\n\nPlease submit a report to us **before** engaging in conduct that may be inconsistent with or unaddressed by this Policy.\n\n-----\n\n# Responsible Disclosure of Vulnerabilities\n\nWe are continuously working to evolve our bug bounty program. We aim to respond to incoming submissions as quickly as possible and make every effort to have bugs fixed within 90 days of being triaged.\n\nPlease review the program scope before submitting a report.\n\n## Testing\n\nWeb traffic to and from Tumblr produces vast amounts of data every day. When testing, you can make it easier for us to identify your testing traffic against our normal data and the malicious actors out in the world. Please do one or both of the following when participating in the Tumblr bug bounty program:\n\n- Where possible, register accounts using your `\u003cusername\u003e+tumblr@wearehackerone.com` addresses. This is not a requirement for eligibility but will help for identification purposes.\n- Provide your IP address in the bug report. We will keep this data private and only use it to review logs related to your testing activity.\n- Include a custom HTTP header in all your traffic. Burp and other proxies allow the easy automatic addition of headers to all outbound requests. Report to us what header you set so we can identify it easily. 
For example:\n  - A header that includes your username: `X-Bug-Bounty:HackerOne-\u003cusername\u003e`\n  - A header that includes a unique or identifiable flag `X-Bug-Bounty:ID-\u003csha256-flag\u003e`\n- Target our internal SSRF Server (see below) for any SSRF tests\n\nWhen testing for a bug, please also keep in mind:\n\n- Only use authorized accounts so as not to inadvertently compromise the privacy of our users\n- When attempting to demonstrate root permissions with the following primitives in a vulnerable process please use the following commands:\n  - Read: `cat /proc/1/maps`\n  - Write: `touch /root/\u003cyour H1 username\u003e`\n  - Execute: `id`, `hostname`, `pwd` (though, technically cat and touch also prove execution)\n- Minimize the mayhem. Adhere to program rules at all times. Do not use automated scanners/tools - these tools include payloads that could trigger state changes or damage production systems and/or data.\n- Before causing damage or potential damage: Stop, report what you've found and request additional testing permission.\n\n### SSRF Server\n\nWhen testing for Server Side Request Forgery (SSRF), we've set up a server inside our network that you can use for verifying SSRF vulnerabilities. It has the following assets you can target:\n\n- https://ssrf-server.tumblr.net\n- https://ssrf-server.tumblr.net/mp3_audio.mp3\n- https://ssrf-server.tumblr.net/mp4_video.mp4\n- https://ssrf-server.tumblr.net/gif_image.gif\n- https://ssrf-server.tumblr.net/png_image.png\n- https://ssrf-server.tumblr.net/html_document.html\n- https://ssrf-server.tumblr.net/javascript_document.js\n- https://ssrf-server.tumblr.net/text_document.txt\n- https://ssrf-server.tumblr.net/xml_document.xml\n\n## Crafting a Report\n\nIf our security team cannot reproduce and verify an issue, a bounty cannot be awarded. 
To help streamline our intake process, we ask that submissions include:\n\n- Description of the vulnerability\n- Steps to reproduce the reported vulnerability\n- Proof of exploitability (e.g. screenshot, video)\n- Perceived impact to another user or the organization\n- Proposed [CVSSv3](https://www.first.org/cvss/calculator/3.0) Vector \u0026 Score (without environmental and temporal modifiers)\n- List of URLs and affected parameters\n- Other vulnerable URLs, additional payloads, Proof-of-Concept code\n- Browser, OS and/or app version used during testing\n\n*Note: Failure to adhere to these minimum requirements may result in the loss of a reward.*\n\n**All supporting evidence and other attachments must be stored only within the report you submit.** Do not host any files on external services.\n\n### Same Bug, Different Host\n\nFor each report, please allow Tumblr sufficient time to patch other host instances. If you find the same bug on a different (unique) host, prior to the report reaching a triaged state, file it within the existing report. Any reports filed separately while we are actively working to resolve the issue will be treated as a duplicate.\n\n### Same Payload, Different Parameter\n\nIn some cases, rewards may be consolidated into a single payout. For example, multiple reports of the same vulnerability across different parameters of a resource, or demonstrations of multiple attack vectors against a fundamental framework issue. We kindly ask you to consolidate reports rather than separate them.\n\n## Program Scope\n\nPlease see our detailed scope list at the bottom of this page for a full list of assets that are out of scope. 
This list is subject to change without notice.\n\nIf you’ve found a vulnerability that affects an asset belonging to Tumblr, but is not outlined in the in scope section of this program and isn't excluded either, please report it to this program and we will review.\n\n-----\n\n# Rewards\n\nYou will be eligible for a bounty only if you are the first person to disclose an unknown issue. Qualifying bugs will be rewarded based on severity, to be determined by Tumblr in its sole discretion. Rewards may range from HackerOne Reputation Points to monetary rewards up to $5,000 USD. Awards are granted entirely at the discretion of Tumblr.\n\nAt Tumblr's discretion, providing more complete research, proof-of-concept code and detailed write-ups may increase the bounty awarded. Conversely, Tumblr may pay less for vulnerabilities that require complex or over-complicated interactions or for which the impact or security risk is negligible. Rewards may be denied if there is evidence of program policy violations. A reduction in bounty is also warranted for reports that require specific browser configurations.\n\n## Payout Table\n\nWhere a monetary bounty is presented, eligible reports will be awarded based on severity after identifying final impact, as determined by Tumblr.\n\n| Severity | Payout Range |\n|-----|-----|\n| Critical | $1,000 - $5,000 |\n| High | $500 - $1,000 |\n| Medium | $100 - $500 |\n| Low | $50 - $100 |\n| None | $0 |\n\n## Vulnerability Priority Baselines\n\nAll reports will be awarded based on their actual impact and severity which will be determined by Tumblr in its sole discretion.\n\nAs a general guide to vulnerability priority baselines, one resource that we suggest to check out is this [Vulnerability Rating Taxonomy](https://bugcrowd.com/vulnerability-rating-taxonomy). 
This only serves as a guide and does not guarantee actual report classification.\n\n## Borderline Out-of-Scope, No Bounty\n\nThese issues are eligible for submission, but not eligible for bounty or any award. Once triaged, they will be closed as `Informative` only if found to be valid or `Spam` if found to be not valid. When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug.\n\n| Issues: |  |\n|-----|-----|\n| Any non-Tumblr Applications | \"Self\" XSS |\n| Missing Security Best Practices | HTTP Host Header XSS |\n| Confidential Information Leakage | Clickjacking/UI Redressing |\n| Use of known-vulnerable library (without proof of exploitability) | Intentional Open Redirects |\n| Missing cookie flags | Reflected file download |\n| SSL/TLS Best Practices | Incomplete/Missing SPF/DKIM |\n| Physical attacks | Social Engineering attacks |\n| Results of automated scanners | Login/Logout/Unauthenticated CSRF |\n| Autocomplete attribute on web forms | Using unreported vulnerabilities |\n| Issues related to networking protocols | Software Version Disclosure |\n| Verbose error pages (without proof of exploitability) | Denial of Service attacks |\n| Tumblr software that is End of Life or no longer supported | Account/email Enumeration |\n| Missing Security HTTP Headers (without proof of exploitability) | Internal pivoting, scanning, exploiting, or exfiltrating data |\n\n*Note:* 0-day vulnerabilities may be reported 30 days after initial publication. 
We have an internal process dedicated to tracking these issues; hosts identified by this process and internally ticketed will not be eligible for bounty.\n\n\n## Do Not Report\n\nThe following issues are considered out of scope:\n\n- Those that resolve to third-party services\n- Issues that do not affect the latest version of modern browsers\n- Issues that we are already aware of or have been previously reported\n- Issues that require unlikely user interaction\n- Disclosure of information that does not present a significant risk\n- Cross-site Request Forgery with minimal security impact\n- CSV injection\n- Incomplete or missing SPF/DKIM\n- General best practice concerns\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-10-01T14:04:12.323Z"}]