Bug Bounty Program

Zolo Security Bug Bounty Program

Zolo engineers work hard to make our products safe for our customers. We invite reports from independent security researchers about possible security vulnerabilities in our products.

Guidelines for submitting vulnerabilities

  • Don’t attempt to gain access to another user’s account or data.
  • Don’t perform any attack that could harm the reliability/integrity of our services or data.
  • DDoS/spam attacks are not allowed.
  • Don’t publicly disclose a bug before it has been fixed.
  • Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
  • Please submit bugs with a proof of concept (POC) to the email address tech-security@zolostays.com

Eligibility for the reward

  • The security bug must be original and previously unreported.
  • You must not be an employee or contractor of Zolo, or otherwise have a business relationship with Zolo.
  • We should be able to reproduce the bug.
  • It is entirely at our discretion to decide whether a bug is significant enough to be eligible for a reward.
  • The following vulnerabilities are eligible for a reward:
    • Cross-Site Request Forgery (CSRF)
    • Cross-Site Scripting (XSS)
    • Code Executions
    • SQL injections
    • Server Side Request Forgery (SSRF)
    • Privilege Escalations
    • Authentication Bypasses
    • File inclusions (Local & Remote)
    • Protection Mechanism bypasses (CSRF bypass, etc.)
    • Leakage of sensitive data
    • Directory Traversal
    • Payment manipulation
    • Administration portals without an authentication mechanism
    • Open redirects which allow stealing tokens/secrets

  • The following vulnerabilities are not eligible for a reward:
    • Clickjacking
    • Application stack traces (Path disclosures, etc.)
    • Self-type Cross-Site Scripting (Self-XSS)
    • Vulnerabilities that require Man in the Middle (MiTM) attacks
    • Denial of Service attacks
    • CSRF issues on actions with minimal impact
    • Cache Poisoning
    • Missing SPF records
    • Brute force attacks

Hall of Fame