Services in Scope
Below Zenarmor and subsidiary web services that handle sensitive user data are anticipated to be in scope:
*.dash.zenarmor.com
*.zenarmor.com
Qualifying Vulnerabilities
Cross-site scripting,
Cross-site request forgery,
Mixed-content scripts,
Authentication or authorization flaws,
Server-side code execution bugs.
Important exclusions to keep in mind
The following vulnerabilities are not eligible for bounty.
Network-level Denial of Service attacks
Application Denial of Service by locking user accounts
Descriptive error messages or headers (e.g. Stack Traces, banner grabbing)
Disclosure of known public files or directories, (e.g. robots.txt)
Outdated software/library versions
OPTIONS / TRACE HTTP method enabled
CSRF on logo
CSRF on forms that are available to anonymous users
Cookies that lack HTTP Only or Secure settings for non-sensitive data
Self-XSS and issues exploitable only through Self-XSS
Reports resulting from automated scanning utilities without additional details or a POC demonstrating a specific exploit
Attacks requiring physical access to a user's device
Attacks are dependent upon the social engineering of Zenarmor employees or vendors.
Username enumeration based on login or forgot password pages.
Enforcement policies for brute force, rate limiting, or account lockout.
SSL/TLS best practices.
SSL Attacks such as BEAST, BREACH, Renegotiation attacks.
Clickjacking, without additional details demonstrating a specific exploit.
Mail configuration issues including SPF, DKIM, DMARC settings.
Use of a known-vulnerable library without a description of an exploit specific to our implementation.
Password and account recovery policies.
Presence of autocomplete functionality in form fields.
Publicly accessible login panels.
Program Rules
Please;
- Note that the program's scope is limited to technical vulnerabilities in Zenarmor online applications; do not attempt to break into the company's offices, launch phishing attacks against our workers, or anything similar.
Be a good citizen by not interfering with the service. Follow the Terms of Service.
If you get access to our system, please notify us immediately
Do not attempt to carry out DoS attacks,
Do not Utilize black hat SEO strategies,
Do not spam individuals, or do anything else that would jeopardize the availability of our services to all users.
We also advise against using any vulnerability testing software that generates large amounts of traffic on its own. To detect vulnerabilities, avoid using scanners or automated programs. They're noisy, and your IP address may be blocked.
Do not disclose any information about the vulnerability until it has been addressed.
Rewards
Our reward amount mechanism is flexible, with no definite upper or lower limits. This implies that extremely creative or dangerous bugs will be rewarded. The amount will only be determined by the severity of the flaw.Once the vulnerability has been patched, rewards will be given via Paypal. For executing the transaction, these services charge a fee, which is taken from the amount awarded.
Report submission
Please use our dedicated form to send your report. All contributions are responded to within a few days. We'll pay your reward via Paypal once the fix is released. Please email us if you have any questions about the program. 
Please bear in mind that this reward program is solely for security flaws that allow outsiders to access the data of other users, not for typical bugs in our application.