SEVERITY OF VULNERABILITY
- Low impact, medium likelihood
- Medium impact, low likelihood
ZETRIX is committed to protecting our users' data by safeguarding their information from unwarranted disclosure.
This policy applies to the following systems and services that handle sensitive user data. This includes:
Any service not listed here is considered out of scope and is not authorized for testing. The scope of the ZETRIX systems and services covered by this policy will be periodically updated. If a vulnerability is discovered in a third-party asset, the security researcher should report it directly to the vendor in accordance with the vendor's disclosure policy (if any). If a security researcher isn't sure whether a system is in scope or not, please contact us at [email protected]
By participating in the ZETRIX VDP programme, security researchers agree to adhere to the ZETRIX Code of Conduct (CoC), listed below:
To report a vulnerability, security researchers are required to consider (1) the attack scenario/exploitability and (2) the security impact of the bug. Any of the following actions could result in permanent exclusion from the disclosure programme, as well as a criminal and/or legal investigation.
We do not tolerate any behaviors that may damage other ZETRIX users' experiences on our systems and services. We accept only manual or semi-manual tests. All findings coming from automated tools or scripts will be considered out of scope.
The following classes of vulnerabilities are of particular interest to us, and are eligible for attribution upon review:
ZETRIX may offer monetary recognition for vulnerability reports that have a significant business impact on our users, products, or services. Rewards for qualifying findings will range from ZTX 100 to ZTX 10,000 in appreciation for your help.
Note: ZTX is a ZETRIX-issued native currency.
Eligibility for monetary recognition is determined by calculating the internal severity of a finding against the potential impact to ZETRIX and its userbase. We reserve the right, in our sole discretion, to determine vulnerability qualification for a monetary reward.
The following rules apply if the issue is deemed to be valid and significant:
Earn 100 - 500 ZTX coins
SEVERITY OF VULNERABILITY
Earn 500 - 1,000 ZTX coins
SEVERITY OF VULNERABILITY
Earn 1,000 - 2,000 ZTX coins
SEVERITY OF VULNERABILITY
Security researchers are encouraged to share details of any suspected vulnerabilities across any asset owned, controlled, or operated by ZETRIX (or identified as having a security impact on ZETRIX and our users) via electronic mail at [email protected] and to include the following information in the report:
Disclaimer: With regard to the above, please note the following:
If necessary, you may use our PGP public key to encrypt your communication with us.
Reports may be submitted anonymously. Alternatively, a security researcher may provide contact information as well as any preferred communication methods or times of day to communicate, as they see fit.
ZETRIX will make a best effort to meet the following response targets for security researchers participating in our programme:
* ZETRIX calculates severity based on CVSS 3.0, business impact and environment
Testing activities conducted in accordance with the ZETRIX VDP programme regulations are protected by Safe Harbor, meaning we will not initiate legal action against you. However, if you violate the rules, ZETRIX retains all other rights and remedies available to it at law, including the right to seek legal action or to notify law enforcement. Security researchers are expected to comply with all laws applicable to them, and not to disrupt or compromise any data beyond what our VDP programme permits.
Thank you for helping us keep Zetrix's users and data safe.