At Zoho, keeping customer information safe and secure is our number one priority
Zoho offers this Vulnerability Reward Program (VRP) to continuously improve the security of our products. If you believe you have discovered a potential security vulnerability in any of Zoho's products or assets, let us know immediately, and we will make every effort to get the issues addressed as quickly as possible.
Please ensure you understand the program rules before you report a vulnerability. By participating in this program, you agree to be bound by these rules. Zoho provides monetary rewards to vulnerability reporters at its discretion and the reward may vary based upon metrics including (but not limited to) vulnerability severity, impact, and exploitability.
These Bug Bounty Terms and Conditions ("Bug Bounty Terms") govern your participation in the Zoho Bug Bounty Program ("Bug Bounty Program") and are a legally binding contract between you or the company you represent and Zoho. By submitting a vulnerability or participating in the program, you agree to be bound by the Terms.
Bug Bounty Program
Bug Bounty Program Eligibility
Participation in the Bug Bounty Program is open to all individuals unless:
You are below 14 years of age. If you are 14 years old or above, but you are considered a minor in your place of residence, you must obtain your parent's or legal guardian's permission prior to your participation in the Bug Bounty Program after having read the Bug Bounty Terms;
You are a resident of any US sanctioned countries;
You are currently an employee of Zoho or you were employed by Zoho within six (6) months prior to your participation in the Bug Bounty Program; or
You are a family member of a Zoho employee.
Responsible Research and Disclosure
You will follow the rules specified hereunder, failing which your participation in the Bug Bounty Program will be immediately terminated.
You will make all efforts to avoid privacy violations, degradation of user experience, degradation of Zoho Services, disruptions to Zoho's infrastructure and systems, and destruction of both Zoho's and users' data in the course of your security bug research.
You will report any security bug discovered by you ("Security Bug") to Zoho and provide Zoho with reasonable time to identify and mitigate the security bug before publicly disclosing it to others.
During your security bug research, if you have any inadvertent access to Zoho's or users' information, including sensitive, personal, or any other unauthorized information ("Unauthorized Information"), you must cease your Security Bug research to prevent further access to any Unauthorized Information by you and notify Zoho of any Unauthorized Information you accessed. Upon notifying Zoho of such access, delete all Unauthorized Information from your systems or devices.
You will always use your account, or an account for which you have explicit consent from the account owner, for testing the Security Bug.
You will use any security bug discovered by you only for testing, and you will not exploit the Security Bug in any manner.
Submission of Bugs
If you have discovered an eligible security bug as specified in the scope, you may submit the bug through the website provided to you for submission.
Your submission shall include details such as vulnerability description, clear reproduction steps, and a proof-of-concept.
Review of Submission
Upon receipt of your submission, Zoho will review and validate the submission within three (3) days from the date of your submission and will prioritize based on the severity of the vulnerability submitted and resolve the vulnerability accordingly. Zoho will notify you once the vulnerability is resolved and you may confirm whether the remedy resolves the vulnerability. If there is more than one submission for the same vulnerability from different parties, bounty will be paid to the first submission.
Bounty Payment and Procedure
Zoho will pay a reward for your eligible submissions ("Bounty"). Bounties will be determined and granted only at Zoho's discretion. You can find the reward tiers here.
Zoho will fulfill the Bounty payments through the following payment modes:
For Indian participants, in INR through wire transfer;
For participants from outside India, in USD through PayPal; or
As an Amazon gift card in USD.
You understand that you are responsible for paying the taxes associated with Bounty payments. Bounties for Indian participants will be paid only after deducting TDS of 10% (Tax Deducted at Source).
Bounties shall be claimed by you within a period of three (3) months from the date of your entitlement to the reward.
Ownership of Submission
You grant Zoho non-exclusive, irrevocable, worldwide, perpetual, and royalty-free license to review, assess, and use your submission to analyze and resolve the vulnerability submitted by you and for other related purposes.
Limitation of Liability
ZOHO SHALL IN NO EVENT BE LIABLE FOR ANY CONSEQUENTIAL, INCIDENTAL, INDIRECT, SPECIAL, PUNITIVE, OR OTHER LOSS OR DAMAGE WHATSOEVER OR FOR LOSS OF BUSINESS PROFITS, BUSINESS INTERRUPTION, COMPUTER FAILURE, LOSS OF BUSINESS INFORMATION, OR OTHER LOSS ARISING OUT OF THE BUG BOUNTY PROGRAM.
SCOPE and EXCLUSIONS
All Zoho branded products and applications listed at zoho.com
All ManageEngine branded products and applications listed at manageengine.com (except SupportCenter Plus)
Zoho Corporation owned assets
Missing any best security practice that is not a vulnerability
Username or email address enumeration
XSS vulnerabilities on sandbox or user-content domains
Unvalidated or open redirects or tabnabbing
Clickjacking in unauthenticated pages or in pages with no significant state-changing action
Logout or unauthenticated CSRF
Missing cookie flags on non-sensitive cookies
Missing security headers that do not lead directly to a vulnerability
Unvalidated findings from automated tools or scans
"Back" button that keeps working after logout
Issues that do not affect the latest version of modern browsers or platforms
Attacks that require physical access to a user device
Hosting malware/arbitrary content on Zoho and causing downloads
Use of a known-vulnerable library (without evidence of exploitability)
Low-impact descriptive error pages and information disclosures without any sensitive information
Invalid or missing SPF/DKIM/DMARC/BIMI records
Password and account policies, such as (but not limited to) reset link expiration or password complexity
Non-critical issues in blog.zoho.com or other product blogs
Phishing risk via Unicode/Punycode or RTLO issues
Missing rate limitations on endpoints (without any security concerns)
Presence of EXIF information in file uploads
Ability to upload/download executables
Bypassing pricing/paid feature restrictions
0-day vulnerabilities in any third parties we use within 10 days of their disclosure
Any other issues determined to be of low or negligible security impact
Issues that do not affect the latest version of applications, modern browsers, or platforms
Vulnerabilities that resulted from implementation that does not follow our deployment guidelines
Usage of known vulnerable components without actual working exploit
Our intended features or accepted risks (including but not limited to the following) are not vulnerabilities and are thus excluded from our program:
Applications running as SYSTEM user
Features to execute queries, scripts, or workflows by privileged users
Usage of UDP-based unauthenticated protocols (which can be disabled by the user)
Thanks for helping keep Zoho and its users safe!
Note of Thanks
We would like to truly thank the people listed in the Hall of Fame for their participation in the program and for making a responsible disclosure of the vulnerabilities.
Hall Of Fame for