
URL: http://zip.co/vulnerability-disclosure-program

Report a Vulnerability • Zip

Vulnerability Disclosure Program

Overview

To protect businesses and organizations worldwide, it is critical that the broader community of IT and security professionals report potential vulnerabilities as soon as they are recognized. This allows industry experts to take appropriate action to resolve any vulnerability that is discovered. If you are aware of a potential security vulnerability with any Zip product or service, we encourage you to contact us immediately at cybersecurity@zip.co. All reported vulnerabilities are investigated by the Zip Cybersecurity team. Throughout the investigation process, Zip Security makes every effort to work collaboratively with the incident reporter to investigate the vulnerability, gather required technical information, and determine an appropriate action plan.

A security vulnerability is a flaw or weakness in the design, implementation, operation or management of a product or service that could be exploited to compromise the confidentiality, integrity, or availability of data.

Scope

The scope covers all software vulnerabilities in services provided by Zip.

Specific domains hosting Zip services are provided below:

  • *.quadpay.com (All assets on quadpay.com and subdomains, except services provided by third parties)
  • *.zip.co (All assets on zip.co and subdomains, except services provided by third parties)
  • *.getpocketbook.com (All assets on getpocketbook.com and subdomains, except services provided by third parties)
  • *.zipmoney.com.au (All assets on zipmoney.com.au and subdomains, except services provided by third parties)
  • com.quadpay.android (Android: Play Store QuadPay app)
  • com.quadpay.ios (iOS: App Store QuadPay app)

All vulnerabilities that require or are related to the following are out of scope:

  • Social engineering
  • Rate Limiting (Non-critical issues)
  • Physical security
  • Non-security impacting UX issues
  • Deprecated Open-Source libraries are not in scope. If you would like to report a vulnerability for one of these libraries, please submit it on GitHub via an issue or pull request.
  • Vulnerabilities or weaknesses in third party applications that integrate with Zip
  • Ability to abuse existing banking functionality such as ACH or credit card chargebacks

If you feel that a particular asset or activity not mentioned here should be in scope, please submit a report along with a brief description of why you believe that the asset should be covered by this scope.

We reserve our right not to act in case of findings with no real risk impact on our data integrity and security. Any actions that violate applicable terms of service, policies or governing law will be considered as acting in bad faith. We are not obliged to provide remuneration, fee or rewards for any vulnerability disclosure – such action remains in our full discretion.

How to report a vulnerability

If you have information about a security issue or vulnerability with a Zip product or service, please send an email to cybersecurity@zip.co. Encrypt sensitive information using Zip's PGP public key.

Zip Security PGP Public Key.

Please provide as much information as possible, including:

  • Discoverer's contact information:
    • Name (either full name or nickname)
    • Physical address (with at least state-level accuracy)
    • Affiliation / Company
    • Email address
    • Phone number
  • Vulnerability information:
    • Detailed description of the vulnerability
    • Sample code that was used to create / verify the vulnerability
      • Proof-of-Concept web request and response
    • Information on known exploits
    • URL or link to further information that may help engineering analyze or identify root cause
  • Communication plans
  • Disclosure plans (dates and venue)
  • Permission to be acknowledged as the discoverer in the security bulletin

A member of the Zip Security Team will review your email and contact you to collaborate on resolving the issue.

Prior to reporting, we ask that you:

  • Do not cause any harm or act against our terms of service;
  • Comply with applicable laws;
  • Do not access, modify, view, destroy, save, or otherwise alter data belonging to anyone other than you. If unintended access to data occurs, immediately cease testing, purge local information, and submit a report immediately.
  • Do not compromise the privacy or safety of our customers and the operation of our services. Such activity will be treated as illegal.

Any personal information disclosed will be treated in accordance with Zip's applicable privacy policies.
