Zolostays Bug Bounty Program
Zolo Engineers Work hard to make our products safe for our customers. We Invite reports from independent security researchers about possible security vulnerabilities with our products
Bug bounty program is paused from Dec 1, 2021 to Feb 28, 2022. Please check this page for any future updates
Guidelines for submitting the Vulnerabilities
Don’t attempt to gain access to another user’s account or data.
Don’t perform any attack that could harm the reliability/integrity of our services or data.
DDoS/spam attacks are not allowed.
Don’t publicly disclose a bug before it has been fixed.
Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
Please submit bugs with POC to email addresstech-security@zolostays.com
Hall of Fame
Mohith Kalyan
Sudhanshu Chauhan
Tinu Tomy
Vishal Yadav
Mansouri Badis
Saikat Banerjee
Shahrukh Iqbal Mirza
Devender Rao
Akhil Jain
Erik
Sai Ram Ganji
Chakka Sai Teja
Anurag Verma
Mohith Kalyan
Sudhanshu Chauhan
Tinu Tomy
Vishal Yadav
Mansouri Badis
Saikat Banerjee
Shahrukh Iqbal Mirza
Devender Rao
Akhil Jain
Erik
Sai Ram Ganji
Chakka Sai Teja
Anurag Verma
Eligibility for the reward
The security bug must be original and previously unreported.
You must not be an employee, contractor, or otherwise, have a business relationship with Zolo
We should be able to reproduce the bug.
It is entirely at our discretion to decide whether a bug is significant enough to be eligible for a reward.
Following vulnerabilities are eligible for a reward
Cross-Site Request Forgery (CSRF)
Cross-Site Scripting (XSS)
Code Executions
SQL injections
Server Side Request Forgery (SSRF)
Privilege Escalations
Authentication Bypasses
File inclusions (Local & Remote)
Protection Mechanism bypasses (CSRF bypass, etc.)
Leakage of sensitive data
Directory Traversal
Payment manipulation
Administration portals without an authentication mechanism
Open redirects which allow stealing tokens/secrets
Following vulnerabilities are not eligible for a reward
Clickjacking
Application stack traces (Path disclosures, etc.)
Self-type Cross Site Scripting / Self-XSS
Vulnerabilities that require Man in the Middle (MiTM) attacks
Denial of Service attacks
CSRF issues on actions with minimal impact
Cache Poisoning
Missing SPF records
Brute force attacks
Zolo Stays in 
Zolo Stays in
Zolo Stays in
Zolo Stays in
Zolo Stays in
Zolo Stays in
Zolo Stays in
Zolo Stays in
Zolo Stays in
