Vulnerability Disclosure Program
Vulnerability Disclosure Policy

ZestMoney believes that responsible disclosure of security vulnerabilities identified by security researchers is an essential part of its commitment to stringent quality standards for the security of its systems. This Responsible Disclosure Policy, or Vulnerability Disclosure Policy (“Policy”), is intended to give security researchers clear guidelines for conducting vulnerability discovery activities and to convey our preferences for how discovered vulnerabilities should be submitted to us. Responsible disclosure requires mutual trust, respect, and transparency between all members of the security community.

If you believe you have found a real or potential security vulnerability in any ZestMoney-owned software or source code, please report it to us as soon as possible. We would like to work with you to better protect our customers and our systems.

We will acknowledge receipt of your vulnerability report as soon as possible. If your report is confirmed as a valid issue, we will strive to send you regular updates on our progress.

If you would like to know the status of your disclosure, feel free to message us in the chat section of your vulnerability report. If for some reason you do not receive a response from us within a reasonable time, please follow up in the same chat.

Disclosure Process

Researchers should always avoid privacy violations, degradation of the user experience, disruption to production systems, and destruction or manipulation of data.

Researchers should use exploits only to the extent necessary to confirm the presence of a real or potential security vulnerability, and should not use an exploit to compromise or exfiltrate data, establish persistent command-line access, or pivot to other systems.

Researchers should not report security vulnerabilities through public channels or to any third party without our prior written consent; instead, please report them to the ZestMoney Vulnerability Disclosure Program on BugBase.

We prefer all communications to be in English. When reporting, please include all relevant details, such as the tools used and any environments you used while testing.

Rules of Engagement

Do not exploit the vulnerability by unnecessarily copying, deleting, adapting, or viewing data, or by downloading more data than is necessary to demonstrate the vulnerability.

Do not perform any of the following actions:

  • Placing malware (virus, worm, Trojan horse, etc.);
  • Copying, modifying, or deleting data in a system;
  • Making changes to the system;
  • Repeatedly accessing the system or sharing access with others;
  • Using so-called “brute force” attacks to gain access to systems;
  • Using denial-of-service or social engineering (phishing, vishing, spam, etc.);
  • Attacking physical security, distributed denial of service, spam, or third-party applications;
  • Performing actions that could affect the proper functioning of the system, in terms of availability and performance as well as the confidentiality and integrity of the data;
  • Submitting a high volume of low-quality vulnerability reports.

Immediately erase all obtained or exfiltrated data as soon as the vulnerability has been reported.

Activities under this Responsible Disclosure Policy should be limited to conducting tests to identify potential vulnerabilities and sharing this information with ZestMoney.

ZestMoney SLA

This SLA outlines the terms and conditions for the triage of reports.

  1. Definitions

    • “Triage” shall refer to the process of evaluating and categorizing the reports submitted by the Hacker.
    • “Hacker” shall refer to any person or entity that submits reports in accordance with this SLA.
  2. Triage Timing

    • Triage of reports will be completed as soon as practicable but there is no fixed timeline for completion of the triage process.
  3. Representations and Warranties

    • Hacker represents and warrants that all reports submitted are accurate and complete to the best of the Hacker’s knowledge and belief.
  4. Termination and Modifications

    • ZestMoney reserves the right to change the content of this Policy from time to time or to terminate it altogether.

Additional Information about Assets

Some additional information on ZestMoney:

  • Language Frameworks: JavaScript, Node.js and Go
  • Researcher Activities: Website Testing, API Testing