Security & Vulnerability Reporting


We genuinely appreciate the efforts of security researchers and provide secure means for disclosing security vulnerabilities responsibly.

Bounty

The primary reward for reporting qualifying vulnerabilities is your name on our Security Researcher Hall of Fame page.

Additional rewards are at our discretion for distinctly creative or severe bugs. If we run into you at a security conference we'll give you a high five and tell people how awesome you are.

How do I report a vulnerability?

Please contact our Security Team at: security@zenmate.com (PGP key at the bottom of the page).

Please note that we do not answer support requests through the security email. For support-related queries, such as connectivity, incompatibility, or account-related issues and questions, please contact our Support Team at: support@zenmate.com.

In a hurry? You can also find frequently asked questions and troubleshooting guides for instant self-support at ZenMate FAQs.

Rules

No unauthorized access of another individual's account or data.

No attacks that could affect the reliability / integrity of our services or data.

Please respect responsible disclosure - we will fix all valid issues as soon as we are able.

Only test for vulnerabilities on a domain owned by ZenMate. Some sites hosted on subdomains are operated by third parties and should not be tested.

Don’t use scanners or automated tools to find vulnerabilities.

Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.

Scope

All of the following ZenMate products:

  • Browser extensions for Chrome, Opera and Firefox.
  • Desktop VPN clients for Windows and OSX.
  • Mobile VPN clients for iOS and Android.
  • All ZenMate websites.

However, the following vulnerabilities are not eligible for acceptance:

  • Missing SPF or DMARC records.
  • HttpOnly and Secure cookie flags.
  • Clickjacking.
  • Rate limiting.
  • Account enumeration.
  • Session Hijacking (cookie reuse).

Anything else we will check as soon as possible!

Please Note...

If sending your report via a video, please ensure that it isn't hosted on a public platform such as YouTube.

We do not accept bugs that have already been submitted by another user, or that we are already aware of.

Vulnerabilities that ZenMate determines to be an accepted risk will not be eligible for acceptance.

If we validate and accept your report as being non-trivial, valid and not yet reported, we will add you to our Hall of Fame.

We will respond as quickly as possible to your submission.

No legal action will be taken if all rules are followed.

When in doubt, contact us.

Happy hunting!


