Disclose a Vulnerability
The information on this page is intended for security researchers interested in responsibly reporting security vulnerabilities to the Zscaler security team.
Vulnerability Disclosure Program
Last Updated: September 21, 2022
Introduction
Security requires transformation, and there’s no better way to transform a security program than to engage directly with our users. This engagement, along with a strong belief in collaboration with the security community, is key to maintaining a secure environment for all our users.
If you believe you've discovered a security vulnerability on or within a Zscaler product, service, or application, we encourage you to inform us as soon as possible. We ask that you keep such reports private until we’ve resolved the issue.
In return, we’ll work to review reports and respond in a timely manner. Our bug bounty partner, Bugcrowd, will engage with you initially to triage your submission. Zscaler will not seek judicial or law enforcement remedies against you for identifying security issues as long as you (1) comply with the policies set forth herein; (2) comply with Bugcrowd’s Standard Disclosure Terms; (3) do not compromise the safety or privacy of our users; (4) do not destroy any sensitive data you might have gathered from Zscaler as part of your research once issues are resolved; and (5) agree to and comply with Zscaler's Confidentiality terms below.
Confidentiality
By engaging or participating in this program and/or submitting a security vulnerability to Zscaler, you agree to comply with the following confidentiality provisions.
“Confidential Information” means (i) all Zscaler information obtained during security testing or via your participation in the Zscaler Vulnerability Disclosure Program, (ii) all information disclosed to you in connection with the Bugcrowd Bounty Brief, and (iii) all submissions by you. You are not granted any rights in Zscaler’s Confidential Information or intellectual property by engaging in any testing or participating in Zscaler’s Vulnerability Disclosure Program.
Confidential Information does not include information that (i) is or becomes publicly available through no fault of your own and without breaching these provisions, (ii) is independently developed without use of or reference to Confidential Information, or (iii) is or becomes known by you from a source not bound by confidentiality restrictions.
Before engaging in any testing or submitting findings, you agree (i) to hold Confidential Information in strict confidence, (ii) to protect such Confidential Information from unauthorized use or disclosure, (iii) to not disclose such Confidential Information to any third party including the public, (iv) to not use such Confidential Information for any purpose outside the scope of participating in Zscaler’s Vulnerability Disclosure Program, and (v) to notify Zscaler immediately upon discovery of any loss or unauthorized disclosure of Confidential Information. Notwithstanding the foregoing, you may disclose Zscaler’s Confidential Information to Zscaler or to Bugcrowd via the Bugcrowd partner portal.
Thanks for your help!
Vulnerability program scope and rules
In scope
We’re primarily interested in hearing about the following vulnerability categories:
- Sensitive data exposure: stored cross-site scripting (XSS), SQL injection (SQLi), etc.
- Authentication- or session management-related issues
- Remote code execution
- Particularly clever vulnerabilities or unique issues that don’t fall into explicit categories—show us your fancy footwork!
Out of scope
You should avoid the following vulnerability categories, which are outside the scope of our responsible disclosure program:
- Denial of service (DoS) through network traffic, resource exhaustion, or other methods
- User enumeration
- Issues only present in old browsers/plugins or end-of-life software or browsers
- Phishing or social engineering of Zscaler employees, users, or clients
- Systems or issues that relate to third-party technology used by Zscaler
- Disclosure of known public files and other information disclosures that aren’t a material risk (e.g., robots.txt)
- Any attack or vulnerability that hinges on a user’s computer first being compromised
You’re expected to engage in security research responsibly. For example, if you discover a publicly exposed password or key, you shouldn’t use it to test the extent of access it grants or to download or exfiltrate data to prove it’s active. Similarly, if you discover a successful SQL injection, you’re expected not to exploit the vulnerability beyond any initial steps needed to demonstrate your proof of concept.
Excessive exfiltration or downloading of Zscaler data, or demanding payment in return for destruction of Zscaler data, will be considered outside of the scope of this program, and Zscaler will reserve all its rights, remedies, and actions to protect itself and its users.
Vulnerability rewards
If your vulnerability report affects a product or service within scope, you may receive a bounty award. If you’re a Bugcrowd researcher, you can claim your submission below for kudos points. If you’re interested in helping us in a more dedicated manner as a security researcher in our Private Program, please contact [email protected] with your request and justification.
Zscaler retains sole discretion in determining which submissions are qualified for bounty rewards.
Reporting a security vulnerability
Please use our form to report security vulnerabilities to Zscaler through our Bugcrowd partner portal. Zscaler generally scores vulnerabilities based on the CVSS score.