ZAP-Hosting Bug Bounty Program
Nobody is perfect. In order to secure our services and customers, we reward reports of security vulnerabilities.
The program
Important: This program is not meant for non-security related bugs in the web interface or within one of our products. Please create a regular ticket and we will help you as soon as possible.
If the rules of the program are followed, we will not take any legal action. You should receive a first answer within a maximum of 72 hours.
Eligibility
- You must be the first person to report the vulnerability.
- Keep report information confidential (if you want to disclose it to the public, please get back to us).
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Don’t access any sensitive data unless needed to confirm the vulnerability (e.g. run id instead of dumping /etc/passwd). If you accessed critical data, please explain the scenario to us when reporting.
- Report the vulnerability as soon as possible after finding it.
- Do not use automated tools (e.g. sqlmap).
- Provide a clear PoC (demonstrating the impact) and steps to reproduce the issue.
- Create a maximum of two accounts (should be enough to test every possible scenario).
Report & Bounty
Please report the vulnerability you found by creating a ticket and selecting “Security vulnerability” as the reference. This enables us to assign your message and process it as quickly as possible. Please send us only one vulnerability per report. Note: Please do not send vulnerabilities via other channels such as the mail address listed below.
As a reward for helping us harden our security and secure our customers’ data, we will decide on a bounty for your work.
Scope
- zap-hosting.com
- rest.zap-hosting.com
- A server within the ZAP-Hosting network that does not belong to a customer
Exclusions
- Denial of service
- Spamming
- Social engineering (including phishing) of ZAP-Hosting staff and data centers
- Any physical attempts against ZAP-Hosting properties and data centers
- Missing cookie flags on non-sensitive cookies
- CSRF (without a clear PoC demonstrating the security impact)
- Information disclosure of non-sensitive data
- Descriptive error messages (e.g. stack traces or server errors)
- Open redirects without a PoC showing a critical impact
- Reports on outdated versions without a PoC
- Captcha Bypass
- Self-XSS without a PoC that demonstrates a possible impact on other users
- Missing HTTP security headers
- Issues only reproducible in extremely outdated web browsers
- Recently disclosed 0-days (for example, in WordPress)
If you think you have found a vulnerability that is listed above or not specifically in scope but has a reasonable security impact, please feel free to report it nonetheless. We will gladly take a look at it.
In case of any questions: security@zap-hosting.com (please do not report vulnerabilities to this address)
Bug Bounty
Of course we are grateful for your work and will reward you with one of the following.
Report vulnerability
You discovered a vulnerability? We are looking forward to hearing from you and resolving the issue together!