[{"id":3770044,"new_policy":"# Zooplus\nSince 1999, zooplus has been a pioneer in pet supplies e-commerce, serving millions of pet parents with an ever-growing range of nutritional and lifestyle products, proprietary premium food and accessory brands, alongside expert advice, convenient services, and loyalty programmes. Committed to the vision of ‘Celebrating Pet Love Every Day’ and driven by a passion for innovation, zooplus aims to set the industry standard for personalised, smart shopping. Based in Munich, zooplus operates local online shops across 30 European countries.\n\nThank you for supporting our security mission with the relentless proactivity of your reports.\n'We enable trust amid a hostile digital landscape.'\n\nWe look forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe!\n\n# Response Targets\nZooplus will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* It is prohibited to discuss this program or any vulnerabilities (even resolved ones) outside of the program without explicit consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction or mass exfiltration of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* Zooplus is in the EU and some services are only made available in Europe through Geo IP. To avoid problems in your test, please use a VPN with an exit node in a country in the EU.\n\n# Test Plan\n* Load-intensive scans should be avoided.\n* When signing up for any Zooplus account, please use your [user]@wearehackerone.com address\n\u003e* Please email bugbounty@zooplus.com to request an account if you do not have one and are unable to create one\n\u003e* Make sure to include your HackerOne email address in the request\n\u003e* We will try and get back to you within 5 business days\n\n# Out of scope vulnerabilities\n\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS.\n* Missing best practices in Content Security Policy.\n* Missing email best practices (only invalid, incomplete or missing DKIM/DMARC records).\n* Public zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis.\n* Open redirect, unless an additional security impact can be demonstrated.\n* Self-XSS is out of scope unless it can be chained with another kind of attack that does not require social engineering.\n* Social media account takeover findings can only be rewarded once, as we have tens of millions of pages needing checks. We'd appreciate it if all found links to accounts are provided in one ticket.\n* We only accept credential leaks that include Z+ employee or third-party credentials (for example, logistics companies). Accounts on voting pools, Kanban boards and other tools that developers use on their own initiative are not included, unless internal Z+ information is leaked through them. We also accept leaks of Z+ customer credentials, but only if the leak originated in zooplus or another domain in the program; the way the leak was obtained must be included in the report. We do not accept leaks obtained directly from customers via viruses, trojans, browser leaks and the like, as these are not Z+ leaks. Of course we appreciate any such report as a good-faith gesture from the community, and we have always tried to be as grateful as company policies allow.\n* We cannot accept reports that TLDs not associated with our organization or not reserved by our business constitute a security risk.\n\n### The following vulnerability types are out of scope for the zooplus vulnerability disclosure program. 
Reports that fall into these categories will not be eligible for reward or further triage:\n\n**Business Logic Vulnerabilities \u0026 Voucher, Coupon, and Discount Misuse**\nIssues that arise from intended business processes, even if they can be abused in edge cases, are out of scope. This includes, but is not limited to:\n\n* Account creation flows\n* Manipulation or reuse of promotional codes, vouchers, or coupons\n* Obtaining discounts, free gifts, or benefits (such as “Flash Deals,” “Savings Plan,” or “Zoopoints”) through business logic quirks, unless this leads to a direct compromise of core security controls or customer data.\n* Exploiting regional or cross-shop promotions (e.g., using a French free shipping code for a Belgian address)\n\n**Loyalty and Points System Abuse**\n* Earning or spending “Zoopoints”, newsletter bonuses, or referral points multiple times via timing, race conditions, or cross-shop actions.\n* Bypassing limits on loyalty programs.\n\n# Contact\nIf you have any questions or run into blockers while testing, please email bugbounty@zooplus.com to get in touch with our team.\n\nThank you for helping keep Zooplus and our users safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Business Logic Vulnerabilities \\u0026 Voucher, Coupon, and Discount Misuse\",\"details\":\"Please read exclusions on Program Overview\"}","{\"category\":\"Loyalty and Points System Abuse\",\"details\":\"Please read exclusions on Program Overview\"}"],"timestamp":"2026-02-23T06:18:53.307Z"},{"id":3766419,"new_policy":"# Zooplus\nSince 1999, zooplus has been a pioneer in pet supplies e-commerce, serving millions of pet parents with an ever-growing range of nutritional and lifestyle products, proprietary premium food and 
accessory brands, alongside expert advice, convenient services, and loyalty programmes. Committed to the vision of ‘Celebrating Pet Love Every Day’ and driven by a passion for innovation, zooplus aims to set the industry standard for personalised, smart shopping. Based in Munich, zooplus operates local online shops across 30 European countries.\n\nThank you for supporting our security mission with the relentless proactivity of your reports.\n'We enable trust amid a hostile digital landscape.'\n\nWe look forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe!\n\n# Response Targets\nZooplus will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* It is prohibited to discuss this program or any vulnerabilities (even resolved ones) outside of the program without explicit consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction or mass exfiltration of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* Zooplus is in the EU and some services are only made available in Europe through Geo IP. To avoid problems in your test, please use a VPN with an exit node in a country in the EU.\n\n# Test Plan\n* Load-intensive scans should be avoided.\n* When signing up for any Zooplus account, please use your [user]@wearehackerone.com address\n\u003e* Please email bugbounty@zooplus.com to request an account if you do not have one and are unable to create one\n\u003e* Make sure to include your HackerOne email address in the request\n\u003e* We will try and get back to you within 5 business days\n\n# Out of scope vulnerabilities\n\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS.\n* Missing best practices in Content Security Policy.\n* Missing email best practices (only invalid, incomplete or missing DKIM/DMARC records).\n* Public zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis.\n* Open redirect, unless an additional security impact can be demonstrated.\n* Self-XSS is out of scope unless it can be chained with another kind of attack that does not require social engineering.\n* Social media account takeover findings can only be rewarded once, as we have tens of millions of pages needing checks. 
We'd appreciate it if all found links to accounts are provided in one ticket.\n* We only accept credential leaks that include Z+ employee or third-party credentials (for example, logistics companies). Accounts on voting pools, Kanban boards and other tools that developers use on their own initiative are not included, unless internal Z+ information is leaked through them. We also accept leaks of Z+ customer credentials, but only if the leak originated in zooplus or another domain in the program; the way the leak was obtained must be included in the report. We do not accept leaks obtained directly from customers via viruses, trojans, browser leaks and the like, as these are not Z+ leaks. Of course we appreciate any such report as a good-faith gesture from the community, and we have always tried to be as grateful as company policies allow.\n* We cannot accept reports that TLDs not associated with our organization or not reserved by our business constitute a security risk.\n\n### The following vulnerability types are out of scope for the zooplus vulnerability disclosure program. Reports that fall into these categories will not be eligible for reward or further triage:\n\n**Business Logic Vulnerabilities \u0026 Voucher, Coupon, and Discount Misuse**\nIssues that arise from intended business processes, even if they can be abused in edge cases, are out of scope. 
This includes, but is not limited to:\n\n* Account creation flows\n* Manipulation or reuse of promotional codes, vouchers, or coupons\n* Obtaining discounts, free gifts, or benefits (such as “Flash Deals,” “Savings Plan,” or “Zoopoints”) through business logic quirks, unless this leads to a direct compromise of core security controls or customer data.\n* Exploiting regional or cross-shop promotions (e.g., using a French free shipping code for a Belgian address)\n\n**Loyalty and Points System Abuse**\n* Earning or spending “Zoopoints”, newsletter bonuses, or referral points multiple times via timing, race conditions, or cross-shop actions.\n* Bypassing limits on loyalty programs.\n\n# Contact\nIf you have any questions or run into blockers while testing, please email bugbounty@zooplus.com to get in touch with our team.\n\nThank you for helping keep Zooplus and our users safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-11-21T12:40:24.859Z"},{"id":3752760,"new_policy":"# Zooplus\nSince 1999, zooplus has been a pioneer in pet supplies e-commerce, serving millions of pet parents with an ever-growing range of nutritional and lifestyle products, proprietary premium food and accessory brands, alongside expert advice, convenient services, and loyalty programmes. Committed to the vision of ‘Celebrating Pet Love Every Day’ and driven by a passion for innovation, zooplus aims to set the industry standard for personalised, smart shopping. 
Based in Munich, zooplus operates local online shops across 30 European countries.\n\nThank you for supporting our security mission with the relentless proactivity of your reports.\n'We enable trust amid a hostile digital landscape.'\n\nWe look forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe!\n\n# Response Targets\nZooplus will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* It is prohibited to discuss this program or any vulnerabilities (even resolved ones) outside of the program without explicit consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction or mass exfiltration of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* Zooplus is in the EU and some services are only made available in Europe through Geo IP. 
To avoid problems in your test, please use a VPN with an exit node in a country in the EU.\n\n# Test Plan\n* Load-intensive scans should be avoided.\n* When signing up for any Zooplus account, please use your [user]@wearehackerone.com address\n\u003e* Please email bugbounty@zooplus.com to request an account if you do not have one and are unable to create one\n\u003e* Make sure to include your HackerOne email address in the request\n\u003e* We will try and get back to you within 5 business days\n\n# Out of scope vulnerabilities\n\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS.\n* Missing best practices in Content Security Policy.\n* Missing email best practices (only invalid, incomplete or missing DKIM/DMARC records).\n* Public zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis.\n* Open redirect, unless an additional security impact can be demonstrated.\n* Self-XSS is out of scope unless it can be chained with another kind of attack that does not require social engineering.\n* Social media account takeover findings can only be rewarded once, as we have tens of millions of pages needing checks. We'd appreciate it if all found links to accounts are provided in one ticket.\n* We only accept credential leaks that include Z+ employee or third-party credentials (for example, logistics companies). Accounts on voting pools, Kanban boards and other tools that developers use on their own initiative are not included, unless internal Z+ information is leaked through them. 
We also accept leaks of Z+ customer credentials, but only if the leak originated in zooplus or another domain in the program; the way the leak was obtained must be included in the report. We do not accept leaks obtained directly from customers via viruses, trojans, browser leaks and the like, as these are not Z+ leaks. Of course we appreciate any such report as a good-faith gesture from the community, and we have always tried to be as grateful as company policies allow.\n* We cannot accept reports that TLDs not associated with our organization or not reserved by our business constitute a security risk.\n\n# Contact\nIf you have any questions or run into blockers while testing, please email bugbounty@zooplus.com to get in touch with our team.\n\nThank you for helping keep Zooplus and our users safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-04-01T09:19:16.608Z"},{"id":3752759,"new_policy":"# Zooplus\nSince 1999, zooplus has been a pioneer in pet supplies e-commerce, serving millions of pet parents with an ever-growing range of nutritional and lifestyle products, proprietary premium food and accessory brands, alongside expert advice, convenient services, and loyalty programmes. Committed to the vision of ‘Celebrating Pet Love Every Day’ and driven by a passion for innovation, zooplus aims to set the industry standard for personalised, smart shopping. 
Based in Munich, zooplus operates local online shops across 30 European countries.\n\nWe look forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe!\n\n# Response Targets\nZooplus will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* It is prohibited to discuss this program or any vulnerabilities (even resolved ones) outside of the program without explicit consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction or mass exfiltration of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* Zooplus is in the EU and some services are only made available in Europe through Geo IP. 
To avoid problems in your test, please use a VPN with an exit node in a country in the EU.\n\n# Test Plan\n* Load-intensive scans should be avoided.\n* When signing up for any Zooplus account, please use your [user]@wearehackerone.com address\n\u003e* Please email bugbounty@zooplus.com to request an account if you do not have one and are unable to create one\n\u003e* Make sure to include your HackerOne email address in the request\n\u003e* We will try and get back to you within 5 business days\n\n# Out of scope vulnerabilities\n\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS.\n* Missing best practices in Content Security Policy.\n* Missing email best practices (only invalid, incomplete or missing DKIM/DMARC records).\n* Public zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis.\n* Open redirect, unless an additional security impact can be demonstrated.\n* Self-XSS is out of scope unless it can be chained with another kind of attack that does not require social engineering.\n* Social media account takeover findings can only be rewarded once, as we have tens of millions of pages needing checks. We'd appreciate it if all found links to accounts are provided in one ticket.\n* We only accept credential leaks that include Z+ employee or third-party credentials (for example, logistics companies). Accounts on voting pools, Kanban boards and other tools that developers use on their own initiative are not included, unless internal Z+ information is leaked through them. 
We also accept leaks of Z+ customer credentials, but only if the leak originated in zooplus or another domain in the program; the way the leak was obtained must be included in the report. We do not accept leaks obtained directly from customers via viruses, trojans, browser leaks and the like, as these are not Z+ leaks. Of course we appreciate any such report as a good-faith gesture from the community, and we have always tried to be as grateful as company policies allow.\n* We cannot accept reports that TLDs not associated with our organization or not reserved by our business constitute a security risk.\n\n# Contact\nIf you have any questions or run into blockers while testing, please email bugbounty@zooplus.com to get in touch with our team.\n\nThank you for helping keep Zooplus and our users safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-04-01T09:02:40.269Z"},{"id":3752757,"new_policy":"# Zooplus\nSince 1999, zooplus has been a pioneer in pet supplies e-commerce, serving millions of pet parents with an ever-growing range of nutritional and lifestyle products, proprietary premium food and accessory brands, alongside expert advice, convenient services, and loyalty programmes. Committed to the vision of ‘Celebrating Pet Love Every Day’ and driven by a passion for innovation, zooplus aims to set the industry standard for personalised, smart shopping. 
Based in Munich, zooplus operates local online shops across 30 European countries.\n\nWe look forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe!\n\n# Response Targets\nZooplus will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* As this is a private program, it is prohibited to discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction or mass exfiltration of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* Zooplus is in the EU and some services are only available in Europe via Geo IP. 
To avoid problems in your test, please use a VPN with termination in an EU country.\n\n# Test Plan\n* Load-intensive scans should be avoided.\n* When signing up for any Zooplus account, please use your [user]@wearehackerone.com address\n\u003e* Please email bugbounty@zooplus.com to request an account if you do not have one and are unable to create one\n\u003e* Make sure to include your HackerOne email address in the request\n\u003e* We will try and get back to you within 5 business days\n\n# Out of scope vulnerabilities\n\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS.\n* Missing best practices in Content Security Policy.\n* Missing email best practices (only invalid, incomplete or missing DKIM/DMARC records).\n* Public zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis.\n* Open redirect, unless an additional security impact can be demonstrated.\n* Self-XSS is out of scope unless it can be chained with another kind of attack that does not require social engineering.\n* Social media account takeover findings can only be rewarded once, as we have tens of millions of pages needing checks. We'd appreciate it if all found links to accounts are provided in one ticket.\n* We only accept credential leaks that include Z+ employee or third-party credentials (for example, logistics companies). Accounts on voting pools, Kanban boards and other tools that developers use on their own initiative are not included, unless internal Z+ information is leaked through them. 
We also accept leaks of Z+ customer credentials, but only if the leak originated in zooplus or another domain in the program; the way the leak was obtained must be included in the report. We do not accept leaks obtained directly from customers via viruses, trojans, browser leaks and the like, as these are not Z+ leaks. Of course we appreciate any such report as a good-faith gesture from the community, and we have always tried to be as grateful as company policies allow.\n* We cannot accept reports that TLDs not associated with our organization or not reserved by our business constitute a security risk.\n\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n# Contact\nIf you have any questions or run into blockers while testing, please email bugbounty@zooplus.com to get in touch with our team.\n\nThank you for helping keep Zooplus and our users safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-04-01T07:51:56.680Z"},{"id":3752380,"new_policy":"# Zooplus\nFounded in 1999, zooplus SE is today Europe’s leading retailer for pet supplies on the Internet. In terms of sales, zooplus ranks amongst the best in the European market, which includes both bricks-and-mortar and online retailing of pet supplies. 
With millions of active customers, zooplus’ compelling USP includes attractive pricing, broad selection and high-quality delivery.\n\nWe look forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe!\n\n# Response Targets\nZooplus will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* As this is a private program, it is prohibited to discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction or mass exfiltration of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* Zooplus is in the EU and some services are only available in Europe via Geo IP. 
To avoid problems in your test, please use a VPN with termination in an EU country.\n\n# Test Plan\n* Load-intensive scans should be avoided.\n* When signing up for any Zooplus account, please use your [user]@wearehackerone.com address\n\u003e* Please email bugbounty@zooplus.com to request an account if you do not have one and are unable to create one\n\u003e* Make sure to include your HackerOne email address in the request\n\u003e* We will try and get back to you within 5 business days\n\n# Out of scope vulnerabilities\n\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Missing best practices in Content Security Policy.\n* Missing email best practices (only Invalid, incomplete or missing DKIM/DMARC records)\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Open redirect - unless an additional security impact can be demonstrated\n* Self-XSS are out of scope if could not be chained with another kind of attack that not require social engineering.\n* Social media account takeover\" findings can be only rewarded once, as the we have tens of millions of pages needing checks. We'd appreciate it if all found links to accounts are provided in one ticket. \n* Only accept users leaks that include Z+ Employees or 3rd party credentials, like logistics companies. Accounts from voting pools, Kanban boards and other kind of tools used by developers under their own reason are not part of that, unless internal Z+ information is leaked thru it. 
We also accept leaks from Z+ customers only if comes from leaks generated IN zooplus, or other of the domains in the program, site, of course the way that this leak was obtained must be included in the report. We do not accept leaks obtained with virus, trojans, browser leaks.... directly from the customers as is not a Z+ Leak. Of course we appreciate any report of that as a good faith from all the community and we always tried to be as gratefull as company policies allowed us.\n* We could not accept TLD reports that are not associated with our organization or not reserved by our business as security risk.\n\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n# Contact\nIf you have any questions or run into blockers while testing, please email bugbounty@zooplus.com to get in touch with our team.\n\nThank you for helping keep Zooplus and our users safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-03-26T09:36:17.732Z"},{"id":3752377,"new_policy":"#Zooplus \nFounded in 1999, zooplus SE is today Europe’s leading retailer for pet supplies on the Internet. In terms of sales, zooplus ranks amongst the best in the European market, which includes both bricks-and-mortar and online retailing of pet supplies. 
With millions of active customers, zooplus’ compelling USP includes attractive pricing, broad selection and high-quality delivery.\n\nWe look forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe!\n\n# Response Targets\nZooplus will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* As this is a private program, it is prohibited to discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction or mass exfiltration of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* Zooplus is in EU and some services are only available by Geo IP in Europe. 
To avoid problems in your test, please use a VPN with termination in an EU country.\n\n# Test Plan\n* Load-intensive scans should be avoided.\n* When signing up for any Zooplus account, please use your [user]@wearehackerone.com address\n\u003e* Please email bugbounty@zooplus.com to request an account if you do not have one and are unable to create one\n\u003e* Make sure to include your HackerOne email address in the request\n\u003e* We will try and get back to you within 5 business days\n\n# Out of scope vulnerabilities\n\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Missing best practices in Content Security Policy.\n* Missing email best practices (only Invalid, incomplete or missing DKIM/DMARC records)\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Open redirect - unless an additional security impact can be demonstrated\n* Self-XSS are out of scope if could not be chained with another kind of attack that not require social engineering.\n* Social media account takeover\" findings can be only rewarded once, as the we have tens of millions of pages needing checks. We'd appreciate it if all found links to accounts are provided in one ticket. \n* Only accept users leaks that include Z+ Employees or 3rd party credentials, like logistics companies. Accounts from voting pools, Kanban boards and other kind of tools used by developers under their own reason are not part of that, unless internal Z+ information is leaked thru it. 
We also accept leaks from Z+ customers only if comes from leaks generated IN zooplus, or other of the domains in the program, site, of course the way that this leak was obtained must be included in the report. We do not accept leaks obtained with virus, trojans, browser leaks.... directly from the customers as is not a Z+ Leak. Of course we appreciate any report of that as a good faith from all the community and we always tried to be as gratefull as company policies allowed us.\n* We could not accept TLD reports that are not associated with our organization or not reserved by our business as security risk.\n\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n# Contact\nIf you have any questions or run into blockers while testing, please email bugbounty@zooplus.com to get in touch with our team.\n\nThank you for helping keep Zooplus and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-03-26T06:56:40.724Z"},{"id":3752371,"new_policy":"NEW UPDATE\n--------\n\nIt appears that there may have been some misunderstanding regarding our “*.zooplus.*” scope, which was intended to encompass all of our shops across our 837 domains. Some researchers, perhaps unintentionally, expanded the wildcards in an attempt to claim bounties from assets that do not exist. As a result, we find it necessary to revert to a more defined scope. 
We appreciate your understanding and cooperation in this matter. Thank you.\n\n\n#Zooplus \nFounded in 1999, zooplus SE is today Europe’s leading retailer for pet supplies on the Internet. In terms of sales, zooplus ranks amongst the best in the European market, which includes both bricks-and-mortar and online retailing of pet supplies. With millions of active customers, zooplus’ compelling USP includes attractive pricing, broad selection and high-quality delivery.\n\nWe look forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe!\n\n# Response Targets\nZooplus will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 2 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* As this is a private program, it is prohibited to discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction or mass exfiltration of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* Zooplus is in EU and some services are only available by Geo IP in Europe. To avoid problems in your test, please use a VPN with termination in an EU country.\n\n# Test Plan\n* Load-intensive scans should be avoided.\n* When signing up for any Zooplus account, please use your [user]@wearehackerone.com address\n\u003e* Please email bugbounty@zooplus.com to request an account if you do not have one and are unable to create one\n\u003e* Make sure to include your HackerOne email address in the request\n\u003e* We will try and get back to you within 5 business days\n\n# Out of scope vulnerabilities\n\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Missing best practices in Content Security Policy.\n* Missing email best practices (only Invalid, incomplete or missing DKIM/DMARC records)\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Open redirect - unless an additional security impact can be demonstrated\n* Self-XSS are out of scope if could not be chained with another kind of attack that not require social engineering.\n* Social media account takeover\" findings can be only rewarded once, as the we have tens of millions of pages needing checks. We'd appreciate it if all found links to accounts are provided in one ticket. 
\n* Only accept users leaks that include Z+ Employees or 3rd party credentials, like logistics companies. Accounts from voting pools, Kanban boards and other kind of tools used by developers under their own reason are not part of that, unless internal Z+ information is leaked thru it. We also accept leaks from Z+ customers only if comes from leaks generated IN zooplus, or other of the domains in the program, site, of course the way that this leak was obtained must be included in the report. We do not accept leaks obtained with virus, trojans, browser leaks.... directly from the customers as is not a Z+ Leak. Of course we appreciate any report of that as a good faith from all the community and we always tried to be as gratefull as company policies allowed us.\n* We could not accept TLD reports that are not associated with our organization or not reserved by our business as security risk.\n\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n# Contact\nIf you have any questions or run into blockers while testing, please email bugbounty@zooplus.com to get in touch with our team.\n\nThank you for helping keep Zooplus and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-03-25T21:51:21.965Z"},{"id":3752235,"new_policy":"NEW UPDATE\n--------\n\nIt appears that there may have been some misunderstanding regarding our “*.zooplus.*” scope, which was intended to encompass all of our shops across our 837 domains. Some researchers, perhaps unintentionally, expanded the wildcards in an attempt to claim bounties from assets that do not exist. As a result, we find it necessary to revert to a more defined scope. We appreciate your understanding and cooperation in this matter. Thank you.\n\n\n#Zooplus \nFounded in 1999, zooplus AG is today Europe’s leading retailer for pet supplies on the Internet. In terms of sales, zooplus ranks second in the overall European market, which includes both bricks-and-mortar and online retailing of pet supplies. In 2019, a sales volume of 1.5 billion euros was achieved. 
With more than 7 million active customers, zooplus’ compelling USP includes attractive pricing, broad selection and high-quality delivery.\n\nWe look forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe!\n\n# Response Targets\nZooplus will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 2 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* As this is a private program, it is prohibited to discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction or mass exfiltration of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* Zooplus is in EU and some services are only available by Geo IP in Europe. 
To avoid problems in your test, please use a VPN with termination in an EU country.\n\n# Test Plan\n* Load-intensive scans should be avoided.\n* When signing up for any Zooplus account, please use your [user]@wearehackerone.com address\n\u003e* Please email bugbounty@zooplus.com to request an account if you do not have one and are unable to create one\n\u003e* Make sure to include your HackerOne email address in the request\n\u003e* We will try and get back to you within 5 business days\n\n# Out of scope vulnerabilities\n\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Missing best practices in Content Security Policy.\n* Missing email best practices (only Invalid, incomplete or missing DKIM/DMARC records)\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Open redirect - unless an additional security impact can be demonstrated\n* Self-XSS are out of scope if could not be chained with another kind of attack that not require social engineering.\n* Social media account takeover\" findings can be only rewarded once, as the we have tens of millions of pages needing checks. We'd appreciate it if all found links to accounts are provided in one ticket. \n* Only accept users leaks that include Z+ Employees or 3rd party credentials, like logistics companies. Accounts from voting pools, Kanban boards and other kind of tools used by developers under their own reason are not part of that, unless internal Z+ information is leaked thru it. 
We also accept leaks from Z+ customers only if comes from leaks generated IN zooplus, or other of the domains in the program, site, of course the way that this leak was obtained must be included in the report. We do not accept leaks obtained with virus, trojans, browser leaks.... directly from the customers as is not a Z+ Leak. Of course we appreciate any report of that as a good faith from all the community and we always tried to be as gratefull as company policies allowed us.\n* We could not accept TLD reports that are not associated with our organization or not reserved by our business as security risk.\n\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n# Contact\nIf you have any questions or run into blockers while testing, please email bugbounty@zooplus.com to get in touch with our team.\n\nThank you for helping keep Zooplus and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-03-24T09:05:00.392Z"}]