[{"id":3667752,"new_policy":"# Who are we?\n\nZenly is a mobile app that shows you a live map of your friends and family. Founded in Paris in 2014, Zenly joined Snap in 2017, and continues to run as an independent entity with millions of loving active users around the world.\n\nWe look forward to fostering new relationships with the security researcher community. Our security team reviews all vulnerability reports and acts upon them in accordance with [responsible disclosure](https://en.wikipedia.org/wiki/Responsible_disclosure). As a general rule, we will acknowledge and validate your submission within 30 days (usually in less) and remediate critical and high severity submissions within 90 days.\n\n# Scope\n\nOur main focus is on security vulnerability testing for the mobile applications and API endpoints listed below; however, if you find a vulnerability that has meaningful security impact on an asset not explicitly out of scope, it’s fair game. \n\n- Zenly’s current mobile application for [iOS](https://itunes.apple.com/us/app/zenly-best-friends-only/id838848566?mt=8) and [Android](https://play.google.com/store/apps/details?id=app.zenly.locator\u0026hl=en_US).\n- [api.znly.co](http://api.znly.co/)\n- [rpc.znly.co](http://rpc.znly.co/)\n\nGiven our threat model, Zenly is particularly interested in reports demonstrating:\n\n- Vulnerabilities in authentication\n- Compromise of chat services\n- Alteration or faking of user location (from within the application and not using a third-party application acting at the OS level)\n- SMS Toll Fraud for account sign-up, if done through a proven automated mechanism\n\n\n# Eligibility and Responsible Disclosure\n\n**We’ll only grant a reward to the first researcher reporting a specific vulnerability.**\n\n### DO’s\n\n- Agree and adhere to the Do's and Don'ts and Legal terms as stated in this policy\n- Demonstrate care in reproducing the vulnerability. 
In particular, **test only on accounts you own** and do not attempt to view or tamper with data belonging to other users\n- Send a clear textual description of the report along with steps to reproduce the vulnerability (code and screenshots are encouraged; **videos are discouraged** unless absolutely necessary)\n- Check the eligibility of your report before submitting it\n- Only contact us through the HackerOne report submission form\n\n### DON’Ts\n\n- Don’t discuss or disclose any vulnerabilities (even resolved ones) outside of the program without express consent from us.\n- Follow the [HackerOne Vulnerability Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines)\n- **Don’t access user personal information.** If you accidentally access user personal information, please stop testing and contact us immediately\n- If you gain access to any non-public application or non-public credentials, please stop testing and contact us immediately\n- Do not degrade Zenly’s user experience, disrupt production systems, or destroy data during security testing\n\n# Out-of-scope vulnerabilities and exclusions\n\n### Specific to mobile applications\n\n- Lack of password login and logout on the mobile applications; this is by design\n- Attacks requiring physical access to an unlocked device or modification of hardware\n- Reports solely indicating a lack of a possible security defense such as certificate pinning\n- Local access to user data when operating a rooted/jailbroken mobile device\n- Issues that only occur on rooted/jailbroken devices or emulators\n- Attacks requiring extensive user interaction\n- Reports regarding outdated application versions\n\n### Global\n\n- Social engineering attempts on our staff, including phishing\n- Publicly known 0-day vulnerabilities until more than 30 days have passed since patch availability\n- Attacks that could lead to the disruption of our service ((D)DoS)\n- Open ports without a vulnerability\n- Use of automated tools and scanners 
that could impact our services' performance\n- Vulnerabilities in a vendor we integrate with (e.g. Google or any SMS provider)\n- Clear storage of 3rd-party API keys for services that do not offer a secure method of key storage\n- 3rd-party API keys found in mobile applications without a demonstration that they can be used in a malicious way\n- Missing DNS and email best practices (e.g. invalid, incomplete, or missing SPF/DKIM/DMARC records)\n- Missing SSL/TLS configuration best practices\n- GitHub setup-related issues (e.g. Wiki configuration)\n- Disclosure of server or software version numbers, or reports of out-of-date or vulnerable software versions without a proof of concept demonstrating the vulnerability\n- UUID enumeration of any kind\n- Clickjacking on pages with no sensitive actions\n- Open redirects without demonstrating additional security impact\n- Tabnabbing\n\n# Safe Harbor\n\nAny activity conducted in accordance with this policy will be considered authorised conduct, and we will not initiate any legal action against you.\n\n# Legal\n\nIf you’re on a sanctions list, or live in a country that’s on a sanctions list, we cannot give you a bounty. Keep in mind that your citizenship and residency may affect whether you owe taxes on any reward you receive, and you alone are responsible for paying those taxes.\n\nWe, of course, reserve the right to cancel or modify this program at any time. 
The ultimate decision over a bounty (whether to give one and in what amount) lies entirely within our discretion.\n\nZenly’s employees, employees of third-party assets, and their family members are not eligible for bounties.\n\nFinally, and needless to say, please do not violate any laws when conducting your tests.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-03-08T13:51:02.791Z"},{"id":3636412,"new_policy":"At Zenly, we look forward to fostering new relationships with the security researcher community. Our security team reviews all vulnerability reports and acts upon them in accordance with [responsible disclosure](https://en.wikipedia.org/wiki/Responsible_disclosure). As a general rule, we will acknowledge and validate your submission within 30 days (usually in less) and remediate critical and high severity submissions within 90 days.\n\n# Scope\nThis program is **limited** to Zenly’s applications and websites listed below:\n\n### Core applications and websites:\n\n* Zenly’s current mobile application for [iOS](https://itunes.apple.com/us/app/zenly-best-friends-only/id838848566?mt=8) and [Android](https://play.google.com/store/apps/details?id=app.zenly.locator\u0026hl=en_US).\n\n### Zenly’s primary APIs\n* api.znly.co\n* rpc.znly.co\n* zen.ly\n\n\n# Threat Model:\n\nGiven our threat model, Zenly is particularly interested in \n* Security vulnerability testing for our mobile apps and API endpoints as per above.\n* Compromising App based chat services.\n* SMS Toll Fraud for account sign-up, if this can be done through a proven automated mechanism.\n* Altering or faking user location (from within the application and not using a third party application acting at the OS level).\n\n# Zenly Test 
Guidelines:\n\n* Create an account for Zenly using your phone number with our account sign-up flow\n* You may want to use a non-primary phone number for testing\n* Zen.ly requires location and notification services to be enabled for the app to work, make sure to enable them. To test full functionality, you can invite friends by phone number, enable access to your phone book/contacts or invite via the “bump” feature with two phones physically. \n* Do not access user personal information. If you accidentally access user personal information, please stop testing and submit the vulnerability.\n* Stop testing and report the issue immediately if you gain access to any non-public application or non-public credentials.\n* Do not degrade the Zenly user experience, disrupting production systems, or destroy data during security testing.\n* Perform research only within the scope defined above.\n* Use the HackerOne report submission form to report vulnerability information to us.\n* Collect only the information necessary to demonstrate the vulnerability.\n* Submit any necessary screenshots, screen captures, network requests, reproduction steps or similar using the HackerOne submission form (do not use third party file sharing sites).\n* When investigating a vulnerability, please only target your own account and do not attempt to access data from anyone else’s account.\n\n# Eligibility\nTo qualify for a reward under this program, you must:\n* Be the first to report a specific vulnerability.\n* Send a clear textual description of the report along with steps to reproduce the vulnerability. Include attachments such as screenshots or proof of concept code as necessary.\n* Disclose the vulnerability report responsibly to us. Public disclosure or disclosure to other third parties - including vulnerability brokers - before we address your report shall forfeit the reward.\n* Demonstrate care in reproducing the vulnerability. 
In particular, test only on accounts you own and do not attempt to view or tamper with data belonging to others.\n\n# Non-qualifying vulnerabilities and exclusions:\n\n* Social engineering attempts on our staff including phishing emails\n* Vulnerabilities in a vendor we integrate with (e.g Google or any SMS provider)\n* Use of automated tools that could generate significant traffic and possibly impair the functioning of our application\n* Reports solely indicating a lack of a possible security defense such as certificate pinning. We constantly make security improvements to our product offering.\n* Clear storage of 3rd party API keys for services that do not offer a secure method of key storage.\n* Attacks that require physical access to or modification of hardware are not in scope\n* Zenly's email configuration and DNS (SPF, DMARC, DKIM) \n* Github set up related issue (e.g. Wiki configuration)\n\n### Additionally, the following reports do not qualify for a reward:\n\n* Lack of password login and logout, this is by design at this time.\n* Local access to user data when operating a rooted or jailbroken mobile device.\n* Attacks that require physical access to a user unlocked device.\n\n\n# Legal\n\nIf you’re on a sanctions list, or live in a country that’s on a sanctions list, we cannot give you a reward. Keep in mind that your citizenship and residency may affect whether you owe taxes on any reward you receive, and you alone are responsible for paying those taxes.\n\nWe, of course, reserve the right to cancel or modify this program at any time. 
And the ultimate decision over an award --whether to give one and in what amount-- is a decision that lies entirely within our discretion.\n\nFinally, and needless to say, please do not violate any laws when conducting your tests.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-05-18T15:50:40.456Z"},{"id":3626053,"new_policy":"At Zenly, we look forward to fostering new relationships with the security researcher community. Our security team reviews all vulnerability reports and acts upon them in accordance with [responsible disclosure](https://en.wikipedia.org/wiki/Responsible_disclosure). As a general rule, we will acknowledge and validate your submission within 30 days (usually in less) and remediate critical and high severity submissions within 90 days.\n\n# Scope\nThis program is **limited** to Zenly’s applications and websites listed below:\n\n### Core applications and websites:\n\n* Zenly’s current mobile application for [iOS](https://itunes.apple.com/us/app/zenly-best-friends-only/id838848566?mt=8) and [Android](https://play.google.com/store/apps/details?id=app.zenly.locator\u0026hl=en_US).\n\n### Zenly’s primary APIs\n* api.znly.co\n* rpc.znly.co\n* zen.ly\n\n\n# Threat Model:\n\nGiven our threat model, Zenly is particularly interested in \n* Security vulnerability testing for our mobile apps and API endpoints as per above.\n* Compromising App based chat services.\n* SMS Toll Fraud for account sign-up, if this can be done through a proven automated mechanism.\n* Altering or faking user location (from within the application and not using a third party application acting at the OS level).\n\n# Zenly Test Guidelines:\n\n* Create an account for Zenly using your phone number with our account sign-up flow\n* You may want 
to use a non-primary phone number for testing\n* Zen.ly requires location and notification services to be enabled for the app to work, make sure to enable them. To test full functionality, you can invite friends by phone number, enable access to your phone book/contacts or invite via the “bump” feature with two phones physically. \n* Do not access user personal information. If you accidentally access user personal information, please stop testing and submit the vulnerability.\n* Stop testing and report the issue immediately if you gain access to any non-public application or non-public credentials.\n* Do not degrade the Zenly user experience, disrupting production systems, or destroy data during security testing.\n* Perform research only within the scope defined above.\n* Use the HackerOne report submission form to report vulnerability information to us.\n* Collect only the information necessary to demonstrate the vulnerability.\n* Submit any necessary screenshots, screen captures, network requests, reproduction steps or similar using the HackerOne submission form (do not use third party file sharing sites).\n* When investigating a vulnerability, please only target your own account and do not attempt to access data from anyone else’s account.\n\n# Eligibility\nTo qualify for a reward under this program, you must:\n* Be the first to report a specific vulnerability.\n* Send a clear textual description of the report along with steps to reproduce the vulnerability. Include attachments such as screenshots or proof of concept code as necessary.\n* Disclose the vulnerability report responsibly to us. Public disclosure or disclosure to other third parties - including vulnerability brokers - before we address your report shall forfeit the reward.\n* Demonstrate care in reproducing the vulnerability. 
In particular, test only on accounts you own and do not attempt to view or tamper with data belonging to others.\n\n# Non-qualifying vulnerabilities and exclusions:\n\n* Social engineering attempts on our staff including phishing emails\n* Vulnerabilities in a vendor we integrate with (e.g Google or any SMS provider)\n* Use of automated tools that could generate significant traffic and possibly impair the functioning of our application\n* Reports solely indicating a lack of a possible security defense such as certificate pinning. We constantly make security improvements to our product offering.\n* Attacks that require physical access to or modification of hardware are not in scope\n* Zenly's email configuration and DNS (SPF, DMARC, DKIM) \n* Github set up related issue (e.g. Wiki configuration)\n\n### Additionally, the following reports do not qualify for a reward:\n\n* Lack of password login and logout, this is by design at this time.\n* Local access to user data when operating a rooted or jailbroken mobile device.\n* Attacks that require physical access to a user unlocked device.\n\n\n# Legal\n\nIf you’re on a sanctions list, or live in a country that’s on a sanctions list, we cannot give you a reward. Keep in mind that your citizenship and residency may affect whether you owe taxes on any reward you receive, and you alone are responsible for paying those taxes.\n\nWe, of course, reserve the right to cancel or modify this program at any time. 
And the ultimate decision over an award --whether to give one and in what amount-- is a decision that lies entirely within our discretion.\n\nFinally, and needless to say, please do not violate any laws when conducting your tests.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-12-13T19:09:09.719Z"},{"id":3626052,"new_policy":"At Zenly, we look forward to fostering new relationships with the security researcher community. Our security team reviews all vulnerability reports and acts upon them in accordance with [responsible disclosure](https://en.wikipedia.org/wiki/Responsible_disclosure). As a general rule, we will acknowledge and validate your submission within 30 days (usually in less) and remediate critical and high severity submissions within 90 days.\n\n# Scope\nThis program is **limited** to Zenly’s applications and websites listed below:\n\n### Core applications and websites:\n\n* Zenly’s current mobile application for [iOS](https://itunes.apple.com/us/app/zenly-best-friends-only/id838848566?mt=8) and [Android](https://play.google.com/store/apps/details?id=app.zenly.locator\u0026hl=en_US).\n\n### Zenly’s primary APIs\n* api.znly.co\n* rpc.znly.co\n* zen.ly\n\n\n# Threat Model:\n\nGiven our threat model, Zenly is particularly interested in \n* Security vulnerability testing for our mobile apps and API endpoints as per above.\n* Compromising App based chat services.\n* SMS Toll Fraud for account sign-up, if this can be done through a proven automated mechanism.\n* Altering or faking user location (from within the application and not using a third party application acting at the OS level).\n\n# Zenly Test Guidelines:\n\n* Create an account for Zenly using your phone number with our account sign-up flow\n* You may want 
to use a non-primary phone number for testing\n* Zen.ly requires location and notification services to be enabled for the app to work, make sure to enable them. To test full functionality, you can invite friends by phone number, enable access to your phone book/contacts or invite via the “bump” feature with two phones physically. \n* Do not access user personal information. If you accidentally access user personal information, please stop testing and submit the vulnerability.\n* Stop testing and report the issue immediately if you gain access to any non-public application or non-public credentials.\n* Do not degrade the Zenly user experience, disrupting production systems, or destroy data during security testing.\n* Perform research only within the scope defined above.\n* Use the HackerOne report submission form to report vulnerability information to us.\n* Collect only the information necessary to demonstrate the vulnerability.\n* Submit any necessary screenshots, screen captures, network requests, reproduction steps or similar using the HackerOne submission form (do not use third party file sharing sites).\n* When investigating a vulnerability, please only target your own account and do not attempt to access data from anyone else’s account.\n\n# Eligibility\nTo qualify for a reward under this program, you must:\n* Be the first to report a specific vulnerability.\n* Send a clear textual description of the report along with steps to reproduce the vulnerability. Include attachments such as screenshots or proof of concept code as necessary.\n* Disclose the vulnerability report responsibly to us. Public disclosure or disclosure to other third parties - including vulnerability brokers - before we address your report shall forfeit the reward.\n* Demonstrate care in reproducing the vulnerability. 
In particular, test only on accounts you own and do not attempt to view or tamper with data belonging to others.\n\n# Non-qualifying vulnerabilities and exclusions:\n\n* Social engineering attempts on our staff including phishing emails\n* Vulnerabilities in a vendor we integrate with (e.g Google or any SMS provider)\n* Use of automated tools that could generate significant traffic and possibly impair the functioning of our application\n* Reports solely indicating a lack of a possible security defense such as certificate pinning. We constantly make security improvements to our product offering.\n* Attacks that require physical access to or modification of hardware are not in scope\n* Zenly's email configuration and DNS\n* Github set up related issue (e.g. Wiki configuration)\n\n### Additionally, the following reports do not qualify for a reward:\n\n* Lack of password login and logout, this is by design at this time.\n* Local access to user data when operating a rooted or jailbroken mobile device.\n* Attacks that require physical access to a user unlocked device.\n\n\n# Legal\n\nIf you’re on a sanctions list, or live in a country that’s on a sanctions list, we cannot give you a reward. Keep in mind that your citizenship and residency may affect whether you owe taxes on any reward you receive, and you alone are responsible for paying those taxes.\n\nWe, of course, reserve the right to cancel or modify this program at any time. 
And the ultimate decision over an award --whether to give one and in what amount-- is a decision that lies entirely within our discretion.\n\nFinally, and needless to say, please do not violate any laws when conducting your tests.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-12-13T19:08:44.152Z"},{"id":3625975,"new_policy":"At Zenly, we look forward to fostering new relationships with the security researcher community. Our security team reviews all vulnerability reports and acts upon them in accordance with [responsible disclosure](https://en.wikipedia.org/wiki/Responsible_disclosure). As a general rule, we will acknowledge and validate your submission within 30 days (usually in less) and remediate critical and high severity submissions within 90 days.\n\n# Scope\nThis program is **limited** to Zenly’s applications and websites listed below:\n\n### Core applications and websites:\n\n* Zenly’s current mobile application for [iOS](https://itunes.apple.com/us/app/zenly-best-friends-only/id838848566?mt=8) and [Android](https://play.google.com/store/apps/details?id=app.zenly.locator\u0026hl=en_US).\n\n### Zenly’s primary APIs\n* api.znly.co\n* rpc.znly.co\n* zen.ly\n\n\n# Threat Model:\n\nGiven our threat model, Zenly is particularly interested in \n* Security vulnerability testing for our mobile apps and API endpoints as per above.\n* Compromising App based chat services.\n* SMS Toll Fraud for account sign-up, if this can be done through a proven automated mechanism.\n* Altering or faking user location (from within the application and not using a third party application acting at the OS level).\n\n# Zenly Test Guidelines:\n\n* Create an account for Zenly using your phone number with our account sign-up flow\n* You may want 
to use a non-primary phone number for testing\n* Zen.ly requires location and notification services to be enabled for the app to work, make sure to enable them. To test full functionality, you can invite friends by phone number, enable access to your phone book/contacts or invite via the “bump” feature with two phones physically. \n* Do not access user personal information. If you accidentally access user personal information, please stop testing and submit the vulnerability.\n* Stop testing and report the issue immediately if you gain access to any non-public application or non-public credentials.\n* Do not degrade the Zenly user experience, disrupting production systems, or destroy data during security testing.\n* Perform research only within the scope defined above.\n* Use the HackerOne report submission form to report vulnerability information to us.\n* Collect only the information necessary to demonstrate the vulnerability.\n* Submit any necessary screenshots, screen captures, network requests, reproduction steps or similar using the HackerOne submission form (do not use third party file sharing sites).\n* When investigating a vulnerability, please only target your own account and do not attempt to access data from anyone else’s account.\n\n# Eligibility\nTo qualify for a reward under this program, you must:\n* Be the first to report a specific vulnerability.\n* Send a clear textual description of the report along with steps to reproduce the vulnerability. Include attachments such as screenshots or proof of concept code as necessary.\n* Disclose the vulnerability report responsibly to us. Public disclosure or disclosure to other third parties - including vulnerability brokers - before we address your report shall forfeit the reward.\n* Demonstrate care in reproducing the vulnerability. 
In particular, test only on accounts you own and do not attempt to view or tamper with data belonging to others.\n\n# Non-qualifying vulnerabilities and exclusions:\n\n* Social engineering attempts on our staff including phishing emails\n* Vulnerabilities in a vendor we integrate with (e.g Google or any SMS provider)\n* Use of automated tools that could generate significant traffic and possibly impair the functioning of our application\n* Reports solely indicating a lack of a possible security defense such as certificate pinning. We constantly make security improvements to our product offering.\n* Attacks that require physical access to or modification of hardware are not in scope\n* Zenly's email configuration\n* Github set up related issue (e.g. Wiki configuration)\n\n### Additionally, the following reports do not qualify for a reward:\n\n* Lack of password login and logout, this is by design at this time.\n* Local access to user data when operating a rooted or jailbroken mobile device.\n* Attacks that require physical access to a user unlocked device.\n\n\n# Legal\n\nIf you’re on a sanctions list, or live in a country that’s on a sanctions list, we cannot give you a reward. Keep in mind that your citizenship and residency may affect whether you owe taxes on any reward you receive, and you alone are responsible for paying those taxes.\n\nWe, of course, reserve the right to cancel or modify this program at any time. 
And the ultimate decision over an award --whether to give one and in what amount-- is a decision that lies entirely within our discretion.\n\nFinally, and needless to say, please do not violate any laws when conducting your tests.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-12-12T19:38:55.403Z"},{"id":3625633,"new_policy":"At Zenly, we look forward to fostering new relationships with the security researcher community. Our security team reviews all vulnerability reports and acts upon them in accordance with [responsible disclosure](https://en.wikipedia.org/wiki/Responsible_disclosure). As a general rule, we will acknowledge and validate your submission within 30 days (usually in less) and remediate critical and high severity submissions within 90 days.\n\n# Scope\nThis program is **limited** to Zenly’s applications and websites listed below:\n\n### Core applications and websites:\n\n* Zenly’s current mobile application for [iOS](https://itunes.apple.com/us/app/zenly-best-friends-only/id838848566?mt=8) and [Android](https://play.google.com/store/apps/details?id=app.zenly.locator\u0026hl=en_US).\n\n### Zenly’s primary APIs\n* api.znly.co\n* rpc.znly.co\n* zen.ly\n\n\n# Threat Model:\n\nGiven our threat model, Zenly is particularly interested in \n* Security vulnerability testing for our mobile apps and API endpoints as per above.\n* Compromising App based chat services.\n* SMS Toll Fraud for account sign-up, if this can be done through a proven automated mechanism.\n* Altering or faking user location (from within the application and not using a third party application acting at the OS level).\n\n# Zenly Test Guidelines:\n\n* Create an account for Zenly using your phone number with our account sign-up flow\n* You may want 
to use a non-primary phone number for testing\n* Zen.ly requires location and notification services to be enabled for the app to work, make sure to enable them. To test full functionality, you can invite friends by phone number, enable access to your phone book/contacts or invite via the “bump” feature with two phones physically. \n* Do not access user personal information. If you accidentally access user personal information, please stop testing and submit the vulnerability.\n* Stop testing and report the issue immediately if you gain access to any non-public application or non-public credentials.\n* Do not degrade the Zenly user experience, disrupting production systems, or destroy data during security testing.\n* Perform research only within the scope defined above.\n* Use the HackerOne report submission form to report vulnerability information to us.\n* Collect only the information necessary to demonstrate the vulnerability.\n* Submit any necessary screenshots, screen captures, network requests, reproduction steps or similar using the HackerOne submission form (do not use third party file sharing sites).\n* When investigating a vulnerability, please only target your own account and do not attempt to access data from anyone else’s account.\n\n# Eligibility\nTo qualify for a reward under this program, you must:\n* Be the first to report a specific vulnerability.\n* Send a clear textual description of the report along with steps to reproduce the vulnerability. Include attachments such as screenshots or proof of concept code as necessary.\n* Disclose the vulnerability report responsibly to us. Public disclosure or disclosure to other third parties - including vulnerability brokers - before we address your report shall forfeit the reward.\n* Demonstrate care in reproducing the vulnerability. 
In particular, test only on accounts you own and do not attempt to view or tamper with data belonging to others.\n\n# Non-qualifying vulnerabilities and exclusions:\n\n* Social engineering attempts on our staff including phishing emails\n* Vulnerabilities in a vendor we integrate with (e.g Google or any SMS provider)\n* Use of automated tools that could generate significant traffic and possibly impair the functioning of our application\n* Reports solely indicating a lack of a possible security defense such as certificate pinning. We constantly make security improvements to our product offering.\n* Attacks that require physical access to or modification of hardware are not in scope\n* Zenly's email configuration.\n\n### Additionally, the following reports do not qualify for a reward:\n\n* Lack of password login and logout, this is by design at this time.\n* Local access to user data when operating a rooted or jailbroken mobile device.\n* Attacks that require physical access to a user unlocked device.\n\n\n# Legal\n\nIf you’re on a sanctions list, or live in a country that’s on a sanctions list, we cannot give you a reward. Keep in mind that your citizenship and residency may affect whether you owe taxes on any reward you receive, and you alone are responsible for paying those taxes.\n\nWe, of course, reserve the right to cancel or modify this program at any time. 
And the ultimate decision over an award --whether to give one and in what amount-- is a decision that lies entirely within our discretion.\n\nFinally, and needless to say, please do not violate any laws when conducting your tests.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-12-09T13:07:13.189Z"},{"id":3625492,"new_policy":"At Zenly, we look forward to fostering new relationships with the security researcher community. Our security team reviews all vulnerability reports and acts upon them in accordance with [responsible disclosure](https://en.wikipedia.org/wiki/Responsible_disclosure). As a general rule, we will acknowledge and validate your submission within 30 days (usually in less) and remediate critical and high severity submissions within 90 days.\n\n# Scope\nThis program is **limited** to Zenly’s applications and websites listed below:\n\n### Core applications and websites:\n\n* Zenly’s current mobile application for [iOS](https://itunes.apple.com/us/app/zenly-best-friends-only/id838848566?mt=8) and [Android](https://play.google.com/store/apps/details?id=app.zenly.locator\u0026hl=en_US).\n\n### Zenly’s primary APIs\n* api.znly.co\n* rpc.znly.co\n* zen.ly\n\n\n# Threat Model:\n\nGiven our threat model, Zenly is particularly interested in \n* Security vulnerability testing for our mobile apps and API endpoints as per above\n* Compromising App based chat services \n* SMS Toll Fraud for account sign-up \n* Altering or faking user location \n\n# Zenly Test Guidelines:\n\n* Create an account for Zenly using your phone number with our account sign-up flow\n* You may want to use a non-primary phone number for testing\n* Zen.ly requires location and notification services to be enabled for the app to work, make sure to 
enable them. To test full functionality, you can invite friends by phone number, enable access to your phone book/contacts or invite via the “bump” feature with two phones physically. \n* Do not access user personal information. If you accidentally access user personal information, please stop testing and submit the vulnerability.\n* Stop testing and report the issue immediately if you gain access to any non-public application or non-public credentials.\n* Do not degrade the Zenly user experience, disrupt production systems, or destroy data during security testing.\n* Perform research only within the scope defined above.\n* Use the HackerOne report submission form to report vulnerability information to us.\n* Collect only the information necessary to demonstrate the vulnerability.\n* Submit any necessary screenshots, screen captures, network requests, reproduction steps or similar using the HackerOne submission form (do not use third party file sharing sites).\n* When investigating a vulnerability, please only target your own account and do not attempt to access data from anyone else’s account.\n\n# Eligibility\nTo qualify for a reward under this program, you must:\n* Be the first to report a specific vulnerability.\n* Send a clear textual description of the report along with steps to reproduce the vulnerability. Include attachments such as screenshots or proof of concept code as necessary.\n* Disclose the vulnerability report responsibly to us. Public disclosure or disclosure to other third parties - including vulnerability brokers - before we address your report shall forfeit the reward.\n* Demonstrate care in reproducing the vulnerability. 
In particular, test only on accounts you own and do not attempt to view or tamper with data belonging to others.\n\n# Non-qualifying vulnerabilities and exclusions:\n\n* Social engineering attempts on our staff including phishing emails\n* Vulnerabilities in a vendor we integrate with (e.g. Google or any SMS provider)\n* Use of automated tools that could generate significant traffic and possibly impair the functioning of our application\n* Reports solely indicating a lack of a possible security defense such as certificate pinning. We constantly make security improvements to our product offering.\n* Attacks that require physical access to or modification of hardware are not in scope\n\n### Additionally, the following reports do not qualify for a reward:\n\n* Lack of password login and logout; this is by design at this time.\n* Local access to user data when operating a rooted or jailbroken mobile device.\n* Attacks that require physical access to a user's unlocked device.\n\n\n# Legal\n\nIf you’re on a sanctions list, or live in a country that’s on a sanctions list, we cannot give you a reward. Keep in mind that your citizenship and residency may affect whether you owe taxes on any reward you receive, and you alone are responsible for paying those taxes.\n\nWe, of course, reserve the right to cancel or modify this program at any time. 
And the ultimate decision over an award, whether to give one and in what amount, is a decision that lies entirely within our discretion.\n\nFinally, and needless to say, please do not violate any laws when conducting your tests.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-12-07T00:27:50.442Z"},{"id":3625488,"new_policy":"At Zenly, we look forward to fostering new relationships with the security researcher community. Our security team reviews all vulnerability reports and acts upon them in accordance with [responsible disclosure](https://en.wikipedia.org/wiki/Responsible_disclosure). As a general rule, we will acknowledge and validate your submission within 30 days (usually in less) and remediate critical and high severity submissions within 90 days.\n\n# Scope\nThis program is **limited** to Zenly’s applications and websites listed below:\n\n### Core applications and websites:\n\n* Zenly’s current mobile application for [iOS](https://itunes.apple.com/us/app/zenly-best-friends-only/id838848566?mt=8) and [Android](https://play.google.com/store/apps/details?id=app.zenly.locator\u0026hl=en_US).\n\n### Zenly’s primary APIs\n* api.znly.co\n* rpc.znly.co\n* zen.ly\n\n\n### Zenly’s Public Github repositories\n\n# Threat Model:\n\nGiven our threat model, Zenly is particularly interested in \n* Security vulnerability testing for our mobile apps and API endpoints as per above\n* Compromising App based chat services \n* SMS Toll Fraud for account sign-up \n* Altering or faking user location \n\n# Zenly Test Guidelines:\n\n* Create an account for Zenly using your phone number with our account sign-up flow\n* You may want to use a non-primary phone number for testing\n* Zen.ly requires location and notification services to be 
enabled for the app to work, make sure to enable them. To test full functionality, you can invite friends by phone number, enable access to your phone book/contacts or invite via the “bump” feature with two phones physically. \n* Do not access user personal information. If you accidentally access user personal information, please stop testing and submit the vulnerability.\n* Stop testing and report the issue immediately if you gain access to any non-public application or non-public credentials.\n* Do not degrade the Zenly user experience, disrupt production systems, or destroy data during security testing.\n* Perform research only within the scope defined above.\n* Use the HackerOne report submission form to report vulnerability information to us.\n* Collect only the information necessary to demonstrate the vulnerability.\n* Submit any necessary screenshots, screen captures, network requests, reproduction steps or similar using the HackerOne submission form (do not use third party file sharing sites).\n* When investigating a vulnerability, please only target your own account and do not attempt to access data from anyone else’s account.\n\n# Eligibility\nTo qualify for a reward under this program, you must:\n* Be the first to report a specific vulnerability.\n* Send a clear textual description of the report along with steps to reproduce the vulnerability. Include attachments such as screenshots or proof of concept code as necessary.\n* Disclose the vulnerability report responsibly to us. Public disclosure or disclosure to other third parties - including vulnerability brokers - before we address your report shall forfeit the reward.\n* Demonstrate care in reproducing the vulnerability. 
In particular, test only on accounts you own and do not attempt to view or tamper with data belonging to others.\n\n# Non-qualifying vulnerabilities and exclusions:\n\n* Social engineering attempts on our staff including phishing emails\n* Vulnerabilities in a vendor we integrate with (e.g. Google or any SMS provider)\n* Use of automated tools that could generate significant traffic and possibly impair the functioning of our application\n* Reports solely indicating a lack of a possible security defense such as certificate pinning. We constantly make security improvements to our product offering.\n* Attacks that require physical access to or modification of hardware are not in scope\n\n### Additionally, the following reports do not qualify for a reward:\n\n* Lack of password login and logout; this is by design at this time.\n* Local access to user data when operating a rooted or jailbroken mobile device.\n* Attacks that require physical access to a user's unlocked device.\n\n\n# Legal\n\nIf you’re on a sanctions list, or live in a country that’s on a sanctions list, we cannot give you a reward. Keep in mind that your citizenship and residency may affect whether you owe taxes on any reward you receive, and you alone are responsible for paying those taxes.\n\nWe, of course, reserve the right to cancel or modify this program at any time. And the ultimate decision over an award, whether to give one and in what amount, is a decision that lies entirely within our discretion.\n\nFinally, and needless to say, please do not violate any laws when conducting your tests.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-12-07T00:01:45.601Z"}]