[{"id":3772562,"new_policy":"Zabbix is a fully open-source, real-time monitoring solution for your entire infrastructure.\nWe invite you to help strengthen the security of our users by testing Zabbix and reporting any security vulnerabilities you find.\n\n# Scope\n⚠️ This program is solely focused on finding vulnerabilities in the Zabbix monitoring solution itself.\n\n* In scope:\n  * Zabbix monitoring solution, all components and processes (supported and pre-release versions)\n  * Packages we deliver (current versions)\n  * Docker images we provide (current versions)\n  * Virtual appliances we provide (current versions)\n* Zabbix website and other supporting infrastructure is out of scope.\n* Zabbix Cloud is out of scope.\n* Please test only on Zabbix instances you own and do not interact with any Zabbix deployments of our users that might be publicly accessible.\n\n# Rules and guidelines\n* Keep your reports short:\n  * One- or two-sentence summary.\n  * Concise PoC steps.\n  * No unnecessary or AI-generated filler content.\n* Assume a securely configured Zabbix instance:\n  * Example - Agents use secure connections to the Server.\n  * Overriding secure default configuration will not be accepted as a prerequisite.\n* Vulnerabilities should be demonstrated with a working PoC; static/code-only findings are generally not accepted.\n* Vulnerabilities present in different versions of Zabbix are considered as one vulnerability.\n* Multiple vulnerabilities caused by one underlying issue will receive a single bounty.\n* Zabbix employees or their immediate family members are not eligible for bounties.\n\n# Starting off\n* For the quickest installation, follow the instructions on our [download page](https://www.zabbix.com/download).\n* General Zabbix documentation [available on our website](https://www.zabbix.com/documentation/current/en/manual/introduction/about).\n* Other installation options [documented 
here](https://www.zabbix.com/documentation/current/en/manual/installation/getting_zabbix).\n* The main components you can test:\n  * [Web Interface](https://www.zabbix.com/documentation/current/en/manual/web_interface) (Written in PHP)\n  * [Zabbix Server](https://www.zabbix.com/documentation/current/en/manual/concepts/server) (Written in C)\n  * [Agent](https://www.zabbix.com/documentation/current/en/manual/concepts/agent) (Written in C)\n  * [Agent 2](https://www.zabbix.com/documentation/current/en/manual/concepts/agent2) and [its plugins](https://www.zabbix.com/documentation/current/en/manual/extensions/plugins) (Written in Go)\n\n# Severity\nZabbix can be deployed in different ways and integrates with many systems, so impact can vary.\nTo keep ratings consistent, we assess issues based on a reasonable production setup - not the worst possible configuration.\nWe use CVSS 4.0 as a reference, but final severity may differ. The table below shows our general rating guidelines.\n\n| Severity    | Bounty | Requirements |\n| ----------- | ------ | ------------ |\n| 🟥 Critical | $3,000 | Significant compromise by an unauthenticated attacker |\n| 🟧 High     | $1,500 | Significant impact but requires user privileges |\n| 🟨 Medium   | $500   | Exploitation requires administrator privileges or has limited impact |\n| 🟩 Low      | $200   | Issues with lower impact or unlikely prerequisites |\n\n# Disclosure policy\nZabbix discloses all confirmed vulnerabilities after a fix has been released and\ncustomers with active support contracts have been given adequate time to upgrade or patch.\n\nOnce the fix is released, your HackerOne ticket will be marked as resolved.\nPublic disclosure will follow at a later stage, and you will be notified once the disclosure has been completed.\nWe ask that you refrain from discussing the report publicly until the official disclosure has taken place.\n\n# Other out of scope vulnerabilities\nIn addition to Core Ineligible Findings, these types of 
vulnerabilities are out of scope:\n* Misconfiguration of Zabbix is a prerequisite for exploitation.\n* Vulnerable or compromised environment is a prerequisite for exploitation (i.e. misconfigured web server/malware).\n* Unescaped macros in custom user scripts - Zabbix administrators are expected to take measures to secure their scripts.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* API actions performed by regular users when this behaviour is documented.\n* SSRF by administrators; invoking arbitrary network requests is core Zabbix functionality and has no security impact in this context.\n* We only accept DoS vulnerabilities when they require low privilege and have a high degree of asymmetry.\n* Any vulnerabilities not in the Zabbix product itself, such as the website.\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-04-14T06:56:44.095Z"},{"id":3772559,"new_policy":"Zabbix is a fully open-source, real-time monitoring solution for your entire infrastructure.\nWe invite you to help strengthen the security of our users by testing Zabbix and reporting any security vulnerabilities you find.\n\n# Scope\n⚠️ This program is solely focused on finding vulnerabilities in the Zabbix monitoring solution itself.\n\n* In scope:\n  * Zabbix monitoring solution, all components and processes (supported and pre-release versions)\n  * Packages we deliver (current versions)\n  * Docker images we provide (current versions)\n  * Virtual appliances we provide (current versions)\n* Zabbix website and other supporting infrastructure is out of scope.\n* Zabbix Cloud is out of scope.\n* Please test only on Zabbix instances you own and do not interact with any Zabbix deployments of our users that might be publicly 
accessible.\n\n# Rules and guidelines\n* Keep your reports short:\n  * One- or two-sentence summary.\n  * Concise PoC steps.\n  * No unnecessary or AI-generated filler content.\n* Assume a securely configured Zabbix instance:\n  * Example - Agents use secure connections to the Server.\n  * Overriding secure default configuration will not be accepted as a prerequisite.\n* Vulnerabilities present in different versions of Zabbix are considered as one vulnerability.\n* Multiple vulnerabilities caused by one underlying issue will receive a single bounty.\n* Zabbix employees or their immediate family members are not eligible for bounties.\n\n# Starting off\n* For the quickest installation, follow the instructions on our [download page](https://www.zabbix.com/download).\n* General Zabbix documentation [available on our website](https://www.zabbix.com/documentation/current/en/manual/introduction/about).\n* Other installation options [documented here](https://www.zabbix.com/documentation/current/en/manual/installation/getting_zabbix).\n* The main components you can test:\n  * [Web Interface](https://www.zabbix.com/documentation/current/en/manual/web_interface) (Written in PHP)\n  * [Zabbix Server](https://www.zabbix.com/documentation/current/en/manual/concepts/server) (Written in C)\n  * [Agent](https://www.zabbix.com/documentation/current/en/manual/concepts/agent) (Written in C)\n  * [Agent 2](https://www.zabbix.com/documentation/current/en/manual/concepts/agent2) and [its plugins](https://www.zabbix.com/documentation/current/en/manual/extensions/plugins) (Written in Go)\n\n# Severity\nZabbix can be deployed in different ways and integrates with many systems, so impact can vary.\nTo keep ratings consistent, we assess issues based on a reasonable production setup - not the worst possible configuration.\nWe use CVSS 4.0 as a reference, but final severity may differ. 
The table below shows our general rating guidelines.\n\n| Severity    | Bounty | Requirements |\n| ----------- | ------ | ------------ |\n| 🟥 Critical | $3,000 | Significant compromise by an unauthenticated attacker |\n| 🟧 High     | $1,500 | Significant impact but requires user privileges |\n| 🟨 Medium   | $500   | Exploitation requires administrator privileges or has limited impact |\n| 🟩 Low      | $200   | Issues with lower impact or unlikely prerequisites |\n\n# Disclosure policy\nZabbix discloses all confirmed vulnerabilities after a fix has been released and\ncustomers with active support contracts have been given adequate time to upgrade or patch.\n\nOnce the fix is released, your HackerOne ticket will be marked as resolved.\nPublic disclosure will follow at a later stage, and you will be notified once the disclosure has been completed.\nWe ask that you refrain from discussing the report publicly until the official disclosure has taken place.\n\n# Other out of scope vulnerabilities\nIn addition to Core Ineligible Findings, these types of vulnerabilities are out of scope:\n* Misconfiguration of Zabbix is a prerequisite for exploitation.\n* Vulnerable or compromised environment is a prerequisite for exploitation (i.e. 
misconfigured web server/malware).\n* Unescaped macros in custom user scripts - Zabbix administrators are expected to take measures to secure their scripts.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* API actions performed by regular users when this behaviour is documented.\n* SSRF by administrators; invoking arbitrary network requests is core Zabbix functionality and has no security impact in this context.\n* We only accept DoS vulnerabilities when they require low privilege and have a high degree of asymmetry.\n* Any vulnerabilities not in the Zabbix product itself, such as the website.\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-04-14T06:09:07.490Z"},{"id":3769762,"new_policy":"Zabbix is a fully open-source, real-time monitoring solution for your entire infrastructure.\nWe invite you to help strengthen the security of our users by testing Zabbix and reporting any security vulnerabilities you find.\n\n# Scope\n⚠️ This program is solely focused on finding vulnerabilities in the Zabbix monitoring solution itself.\n\n* In scope:\n  * Zabbix monitoring solution, all components and processes (supported and pre-release versions)\n  * Packages we deliver (current versions)\n  * Docker images we provide (current versions)\n  * Virtual appliances we provide (current versions)\n* Zabbix website and other supporting infrastructure is out of scope.\n* Zabbix Cloud is out of scope.\n* Please test only on Zabbix instances you own and do not interact with any Zabbix deployments of our users that might be publicly accessible.\n\n# Rules and guidelines\n* Keep your reports short:\n  * One- or two-sentence summary.\n  * Concise PoC steps.\n  * No unnecessary or AI-generated filler content.\n* 
Assume a securely configured Zabbix instance:\n  * Example - Agents use secure connections to the Server.\n  * Overriding secure default configuration will not be accepted as a prerequisite.\n* Vulnerabilities present in different versions of Zabbix are considered as one vulnerability.\n* Multiple vulnerabilities caused by one underlying issue will receive a single bounty.\n* Zabbix employees or their immediate family members are not eligible for bounties.\n\n# Starting off\n* For the quickest installation, follow the instructions on our [download page](https://www.zabbix.com/download).\n* General Zabbix documentation [available on our website](https://www.zabbix.com/documentation/current/en/manual/introduction/about).\n* Other installation options [documented here](https://www.zabbix.com/documentation/current/en/manual/installation/getting_zabbix).\n* The main components you can test:\n  * [Web Interface](https://www.zabbix.com/documentation/current/en/manual/web_interface) (Written in PHP)\n  * [Zabbix Server](https://www.zabbix.com/documentation/current/en/manual/concepts/server) (Written in C)\n  * [Agent](https://www.zabbix.com/documentation/current/en/manual/concepts/agent) (Written in C)\n  * [Agent 2](https://www.zabbix.com/documentation/current/en/manual/concepts/agent2) and [its plugins](https://www.zabbix.com/documentation/current/en/manual/extensions/plugins) (Written in Go)\n\n# Severity\nZabbix can be deployed in different ways and integrates with many systems, so impact can vary.\nTo keep ratings consistent, we assess issues based on a reasonable production setup - not the worst possible configuration.\nWe use CVSS 4.0 as a reference, but final severity may differ. 
The table below shows our general rating guidelines.\n\n| Severity    | Bounty | Requirements |\n| ----------- | ------ | ------------ |\n| 🟥 Critical | $3,000 | Significant compromise by an unauthenticated attacker |\n| 🟧 High     | $1,500 | Significant impact but requires user privileges |\n| 🟨 Medium   | $500   | Exploitation requires administrator privileges or has limited impact |\n| 🟩 Low      | $200   | Issues with lower impact or unlikely prerequisites |\n\n# Disclosure policy\nZabbix discloses all confirmed vulnerabilities after a fix has been released and\ncustomers with active support contracts have been given adequate time to upgrade or patch.\n\nOnce the fix is released, your HackerOne ticket will be marked as resolved.\nPublic disclosure will follow at a later stage, and you will be notified once the disclosure has been completed.\nWe ask that you refrain from discussing the report publicly until the official disclosure has taken place.\n\n# Other out of scope vulnerabilities\nIn addition to Core Ineligible Findings, these types of vulnerabilities are out of scope:\n* Misconfiguration of Zabbix is a prerequisite for exploitation.\n* Vulnerable or compromised environment is a prerequisite for exploitation (i.e. 
misconfigured web server/malware).\n* Unescaped macros in custom user scripts - Zabbix administrators are expected to take measures to secure their scripts.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* API actions performed by regular users when this behaviour is documented.\n* We only accept DoS vulnerabilities when they require low privilege and have a high degree of asymmetry.\n* Any vulnerabilities not in the Zabbix product itself, such as the website.\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-02-17T14:35:05.225Z"},{"id":3769757,"new_policy":"Zabbix is a fully open-source, real-time monitoring solution for your entire infrastructure.\nWe invite you to help strengthen the security of our users by testing Zabbix and reporting any security vulnerabilities you find.\n\n# Scope\n⚠️ This program is solely focused on finding vulnerabilities in the Zabbix monitoring solution itself.\n\n* In scope:\n  * Zabbix monitoring solution, all components and processes (supported and pre-release versions)\n  * Packages we deliver (current versions)\n  * Docker images we provide (current versions)\n  * Virtual appliances we provide (current versions)\n* Zabbix website and other supporting infrastructure is out of scope.\n* Zabbix Cloud is out of scope.\n* Please test only on Zabbix instances you own and do not interact with any Zabbix deployments of our users that might be publicly accessible.\n\n# Rules and guidelines\n* Keep your reports short:\n  * One- or two-sentence summary.\n  * Concise PoC steps.\n  * No unnecessary or AI-generated filler content.\n* Assume a securely configured Zabbix instance:\n  * Example - Agents use secure connections to the Server.\n  * Overriding secure default 
configuration will not be accepted as a prerequisite.\n* Vulnerabilities present in different versions of Zabbix are considered as one vulnerability.\n* Multiple vulnerabilities caused by one underlying issue will receive a single bounty.\n* Zabbix employees or their immediate family members are not eligible for bounties.\n\n# Starting off\n* For the quickest installation, follow the instructions on our [download page](https://www.zabbix.com/download).\n* General Zabbix documentation [available on our website](https://www.zabbix.com/documentation/current/en/manual/introduction/about).\n* Other installation options [documented here](https://www.zabbix.com/documentation/current/en/manual/installation/getting_zabbix).\n* The main components you can test:\n  * [Web Interface](https://www.zabbix.com/documentation/current/en/manual/web_interface) (Written in PHP)\n  * [Zabbix Server](https://www.zabbix.com/documentation/current/en/manual/concepts/server) (Written in C)\n  * [Agent](https://www.zabbix.com/documentation/current/en/manual/concepts/agent) (Written in C)\n  * [Agent 2](https://www.zabbix.com/documentation/current/en/manual/concepts/agent2) and [its plugins](https://www.zabbix.com/documentation/current/en/manual/extensions/plugins) (Written in Go)\n\n# Severity\nZabbix can be deployed in different ways and integrates with many systems, so impact can vary.\nTo keep ratings consistent, we assess issues based on a reasonable production setup - not the worst possible configuration.\nWe use CVSS 4.0 as a reference, but final severity may differ. 
The table below shows our general rating guidelines.\n\n| Severity    | Bounty | Requirements |\n| ----------- | ------ | ------------ |\n| 🟥 Critical | $3,000 | Significant compromise by an unauthenticated attacker |\n| 🟧 High     | $1,500 | Significant impact but requires user privileges |\n| 🟨 Medium   | $500   | Exploitation requires administrator privileges or has limited impact |\n| 🟩 Low      | $200   | Issues with lower impact or unlikely prerequisites |\n\n# Disclosure policy\nZabbix discloses all confirmed vulnerabilities after a fix has been released\nand customers with active support contracts have been given adequate time to upgrade or patch.\n\nOnce the fix is released, your HackerOne ticket will be marked as resolved.\nPublic disclosure will follow at a later stage, and you will be notified once the disclosure has been completed.\nWe ask that you refrain from discussing the report publicly until the official disclosure has taken place.\n\n# Other out of scope vulnerabilities\nIn addition to Core Ineligible Findings, these types of vulnerabilities are out of scope:\n* Misconfiguration of Zabbix is a prerequisite for exploitation.\n* Vulnerable or compromised environment is a prerequisite for exploitation (i.e. 
misconfigured web server/malware).\n* Unescaped macros in custom user scripts - Zabbix administrators are expected to take measures to secure their scripts.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* API actions performed by regular users when this behaviour is documented.\n* We only accept DoS vulnerabilities when they require low privilege and have a high degree of asymmetry.\n* Any vulnerabilities not in the Zabbix product itself, such as the website.\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-02-17T12:18:23.790Z"},{"id":3765803,"new_policy":"Zabbix is a universal all-in-one solution that offers real-time monitoring of your entire infrastructure and is completely open-source. \nZabbix cares to provide a product that is reliable and secure.   We take efforts to assure our customers and users that Zabbix product is enterprise-ready and can comply with all the up-to-date security requirements. \nWe understand that our product can become a target in case of cyber-attacks. 
The impact on Zabbix users could be significant if potential vulnerabilities in the product were exploited for selfish purposes.\nWe treat all security-related issues with the highest priority and want to fix them as soon as possible.\n\n\n# Response Targets\nZabbix will make the best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 1 day |\n| Time to Triage | 2 days |\n| Time to Bounty | 10 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Eligibility to Participate\nTo participate in the program, you must:\n* not be in violation of any national, state, or local law or regulation with respect to any activities directly or indirectly related to the program.\n* not be employed by Zabbix or any of its offices or an immediate family member of a person employed by Zabbix or any of its offices.\n* be responsible for any tax implications of a reward from the program depending on your country of residency and citizenship.\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Vulnerabilities that demonstrate the ability to get privileged access to the Zabbix system and/or significant amounts of monitored data without substantial barriers or requiring a user interaction outside the regular user interaction paths will be rated as highly as possible.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Identical vulnerabilities present in different versions of Zabbix are evaluated as one vulnerability (be careful: in some versions the code is duplicated).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Test Plan\n* Read the document about [Zabbix Monitoring solution](https://www.zabbix.com/documentation/current/en) to get a complete overview of how to run and configure it.\n* Download and install [any supported versions of Zabbix including pre-release versions](https://www.zabbix.com/download)\n* Test only the Zabbix components listed below:\n  * Frontend\n  * Server\n  * Proxy\n  * Agents\n  * API\n  * [Other Zabbix processes](https://www.zabbix.com/documentation/current/en/manual/concepts)\n\n\n# Out of scope vulnerabilities\n\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n\n* Same vulnerabilities \n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Missing best practices in Content Security Policy\n* Missing HttpOnly or Secure flags on cookies\n* Vulnerabilities not related to Zabbix components, like OS and web server misconfiguration, or missing patches for OS, web server, PHP etc.\n* Vulnerabilities only affecting users of outdated or unpatched browsers\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis.\n* Any type of Denial of service (DoS) attacks\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Issues that require unlikely user interaction\n* Reports on other Zabbix assets that are not explicitly marked in scope in the list below are currently ineligible for monetary rewards (for example Zabbix websites, domains or pre-release and unsupported versions of Zabbix products). As they come into scope, they will be presented in the \"Scopes\" section below.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Zabbix and our users safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-11-10T09:17:00.141Z"},{"id":3726806,"new_policy":"Zabbix is a universal all-in-one solution that offers real-time monitoring of your entire infrastructure and is completely open-source. \nZabbix cares to provide a product that is reliable and secure.   We take efforts to assure our customers and users that Zabbix product is enterprise-ready and can comply with all the up-to-date security requirements. \nWe understand that our product can become a target in case of cyber-attacks. 
The impact on Zabbix users could be significant if potential vulnerabilities in the product were exploited for selfish purposes.\nWe treat all security-related issues with the highest priority and want to fix them as soon as possible.\n\n\n# Response Targets\nZabbix will make the best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 1 day |\n| Time to Triage | 2 days |\n| Time to Bounty | 10 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Eligibility to Participate\nTo participate in the program, you must:\n* not be in violation of any national, state, or local law or regulation with respect to any activities directly or indirectly related to the program.\n* not be employed by Zabbix or any of its offices or an immediate family member of a person employed by Zabbix or any of its offices.\n* be responsible for any tax implications of a reward from the program depending on your country of residency and citizenship.\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Vulnerabilities that demonstrate the ability to get privileged access to the Zabbix system and/or significant amounts of monitored data without substantial barriers or requiring a user interaction outside the regular user interaction paths will be rated as highly as possible.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Identical vulnerabilities present in different versions of Zabbix are evaluated as one vulnerability (be careful: in some versions the code is duplicated).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Test Plan\n* Read the document about [Zabbix Monitoring solution](https://www.zabbix.com/documentation/current/en) to get a complete overview of how to run and configure it.\n* Download and install [any supported versions of Zabbix including pre-release versions](https://www.zabbix.com/download)\n* Test only the Zabbix components listed below:\n  * Frontend\n  * Server\n  * Proxy\n  * Agents\n  * API\n  * [Other Zabbix processes](https://www.zabbix.com/documentation/current/en/manual/concepts)\n\n\n# Out of scope vulnerabilities\n\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n\n* Same vulnerabilities \n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Missing best practices in Content Security Policy\n* Missing HttpOnly or Secure flags on cookies\n* Vulnerabilities not related to Zabbix components, like OS and web server misconfiguration, or missing patches for OS, web server, PHP etc.\n* Vulnerabilities only affecting users of outdated or unpatched browsers\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis.\n* Any type of Denial of service (DoS) attacks\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Issues that require unlikely user interaction\n* Reports on other Zabbix assets that are not explicitly marked in scope in the list below are currently ineligible for monetary rewards (for example Zabbix websites, domains or pre-release and unsupported versions of Zabbix products). As they come into scope, they will be presented in the \"Scopes\" section below.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Zabbix and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-05-20T12:59:11.845Z"},{"id":3724362,"new_policy":"Zabbix is a universal all-in-one solution that offers real-time monitoring of your entire infrastructure and is completely open-source. \nZabbix cares to provide a product that is reliable and secure.   We take efforts to assure our customers and users that Zabbix product is enterprise-ready and can comply with all the up-to-date security requirements. \nWe understand that our product can become a target in case of cyber-attacks. 
The impact on Zabbix users could be significant if potential vulnerabilities inside the product were exploited for selfish purposes.\nWe treat all security-related issues with the highest priority and want to fix them as soon as possible.\n\n\n# Response Targets\nZabbix will make the best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 1 day |\n| Time to Triage | 2 days |\n| Time to Bounty | 10 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Eligibility to Participate\nTo participate in the program, you must:\n* not be in violation of any national, state, or local law or regulation with respect to any activities directly or indirectly related to the program.\n* not be employed by Zabbix or any of its offices or an immediate family member of a person employed by Zabbix or any of its offices.\n* be responsible for any tax implications of a reward from the program depending on your country of residency and citizenship.\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Vulnerabilities that demonstrate the ability to get privileged access to the Zabbix system and/or significant amounts of monitored data without substantial barriers or requiring user interaction outside the regular user interaction paths will be rated as highly as possible.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Identical vulnerabilities present in different versions of Zabbix are evaluated as one vulnerability (be careful: in some versions the code is duplicated).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Test Plan\n* Read the document about the [Zabbix Monitoring solution](https://www.zabbix.com/documentation/current/en) to get a complete overview of how to run and configure it.\n* Download and install [any supported versions of Zabbix except pre-release versions](https://www.zabbix.com/download)\n* Test only the Zabbix components presented below:\n  * Frontend\n  * Server\n  * Proxy\n  * Agents\n  * API\n  * [Other Zabbix processes](https://www.zabbix.com/documentation/current/en/manual/concepts)\n\n\n# Out of scope vulnerabilities\n\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n\n* Same vulnerabilities \n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Missing best practices in Content Security Policy\n* Missing HttpOnly or Secure flags on cookies\n* Vulnerabilities are not related to Zabbix components, like OS and web server misconfiguration, or missing patches for OS, web server, PHP etc.\n* Vulnerabilities only affecting users of outdated or unpatched browsers\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis.\n* Any type of Denial of service (DOS) attacks\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Issues that require unlikely user interaction\n* Reports on other Zabbix assets that are not explicitly marked in scope in the list below are currently ineligible for monetary rewards (for example Zabbix websites, domains or pre-release and unsupported versions of Zabbix products). As they come into scope, they will be presented in the \"Scopes\" section below.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Zabbix and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-04-29T09:10:59.720Z"},{"id":3724357,"new_policy":"Zabbix is a universal all-in-one solution that offers real-time monitoring of your entire infrastructure and is completely open-source. \nZabbix cares to provide a product that is reliable and secure. We make every effort to assure our customers and users that the Zabbix product is enterprise-ready and can comply with all up-to-date security requirements. \nWe understand that our product can become a target of cyber-attacks. 
The impact on Zabbix users could be significant if potential vulnerabilities inside the product were exploited for selfish purposes.\nWe treat all security-related issues with the highest priority and want to fix them as soon as possible.\n\n\n# Response Targets\nZabbix will make the best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 1 day |\n| Time to Triage | 2 days |\n| Time to Bounty | 10 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Eligibility to Participate\nTo participate in the program, you must:\n* not be in violation of any national, state, or local law or regulation with respect to any activities directly or indirectly related to the program.\n* not be employed by Zabbix or any of its offices or an immediate family member of a person employed by Zabbix or any of its offices.\n* be responsible for any tax implications of a reward from the program depending on your country of residency and citizenship.\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Vulnerabilities that demonstrate the ability to get privileged access to the Zabbix system and/or significant amounts of monitored data without substantial barriers or requiring user interaction outside the regular user interaction paths will be rated as highly as possible.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Identical vulnerabilities present in different versions of Zabbix are evaluated as one vulnerability (be careful: in some versions the code is duplicated).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Test Plan\n* Read the document about the [Zabbix Monitoring solution](https://www.zabbix.com/documentation/current/en) to get a complete overview of how to run and configure it.\n* Download and install [any supported versions of Zabbix](https://www.zabbix.com/download)\n* Test only the Zabbix components presented below:\n  * Frontend\n  * Server\n  * Proxy\n  * Agents\n  * API\n  * [Other Zabbix processes](https://www.zabbix.com/documentation/current/en/manual/concepts)\n\n\n# Out of scope vulnerabilities\n\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n\n* Same vulnerabilities \n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Missing best practices in Content Security Policy\n* Missing HttpOnly or Secure flags on cookies\n* Vulnerabilities are not related to Zabbix components, like OS and web server misconfiguration, or missing patches for OS, web server, PHP etc.\n* Vulnerabilities only affecting users of outdated or unpatched browsers\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis.\n* Any type of Denial of service (DOS) attacks\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Issues that require unlikely user interaction\n* Reports on other Zabbix assets that are not explicitly marked in scope in the list below are currently ineligible for monetary rewards (for example Zabbix websites, domains or pre-release and unsupported versions of Zabbix products). As they come into scope, they will be presented in the \"Scopes\" section below.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Zabbix and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-04-29T09:05:45.220Z"},{"id":3683933,"new_policy":"Zabbix is a universal all-in-one solution that offers real-time monitoring of your entire infrastructure and is completely open-source. \nZabbix cares to provide a product that is reliable and secure. We make every effort to assure our customers and users that the Zabbix product is enterprise-ready and can comply with all up-to-date security requirements. \nWe understand that our product can become a target of cyber-attacks. 
The impact on Zabbix users could be significant if potential vulnerabilities inside the product were exploited for selfish purposes.\nWe treat all security-related issues with the highest priority and want to fix them as soon as possible.\n\n\n# Response Targets\nZabbix will make the best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 2 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without the consent of the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Eligibility to Participate\nTo participate in the program, you must:\n* not be in violation of any national, state, or local law or regulation with respect to any activities directly or indirectly related to the program.\n* not be employed by Zabbix or any of its offices or an immediate family member of a person employed by Zabbix or any of its offices.\n* be responsible for any tax implications of a reward from the program depending on your country of residency and citizenship.\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Vulnerabilities that demonstrate the ability to get privileged access to the Zabbix system and/or significant amounts of monitored data without substantial barriers or requiring user interaction outside the regular user interaction paths will be rated as highly as possible.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Identical vulnerabilities present in different versions of Zabbix are evaluated as one vulnerability (be careful: in some versions the code is duplicated).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Test Plan\n* Read the document about the [Zabbix Monitoring solution](https://www.zabbix.com/documentation/current/en) to get a complete overview of how to run and configure it.\n* Download and install [any supported versions of Zabbix](https://www.zabbix.com/download)\n* Test only the Zabbix components presented below:\n  * Frontend\n  * Server\n  * Proxy\n  * Agents\n  * API\n  * [Other Zabbix processes](https://www.zabbix.com/documentation/current/en/manual/concepts)\n\n\n# Out of scope vulnerabilities\n\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n\n* Same vulnerabilities \n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Missing best practices in Content Security Policy\n* Missing HttpOnly or Secure flags on cookies\n* Vulnerabilities are not related to Zabbix components, like OS and web server misconfiguration, or missing patches for OS, web server, PHP etc.\n* Vulnerabilities only affecting users of outdated or unpatched browsers\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis.\n* Any type of Denial of service (DOS) attacks\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Issues that require unlikely user interaction\n* Reports on other Zabbix assets that are not explicitly marked in scope in the list below are currently ineligible for monetary rewards (for example Zabbix websites, domains or pre-release and unsupported versions of Zabbix products). As they come into scope, they will be presented in the \"Scopes\" section below.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Zabbix and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-02-22T09:01:30.400Z"}]