At Zoho, keeping customer information safe and secure is our number one priority
Zoho offers this Vulnerability Reward Program (VRP) to continuously improve the security of our products. If you believe you have discovered a potential security vulnerability in any of Zoho's products or assets, let us know immediately, and we will make every effort to get the issues addressed as quickly as possible.
Please ensure you understand the program rules before you report a vulnerability. By participating in this program, you agree to be bound by these rules. Zoho provides monetary rewards to vulnerability reporters at its discretion and the reward may vary based upon metrics including (but not limited to) vulnerability severity, impact, and exploitability.
You can share details of the suspected vulnerability with Zoho by clicking below:
Terms
These Bug Bounty Terms and Conditions ("Bug Bounty Terms") govern your participation in the Zoho Bug Bounty Program ("Bug Bounty Program") and are a legally binding contract between you or the company you represent and Zoho. By submitting a vulnerability or participating in the program, you agree to be bound by the Terms.
Bug Bounty Program
The Bug Bounty Program enables you to submit security bugs or vulnerabilities discovered by you in eligible Zoho Services and earn rewards for your submissions.
SCOPE and EXCLUSIONS
In Scope:
- All Zoho branded products and applications listed at zoho.com
- All ManageEngine branded products and applications listed at manageengine.com
- Site24x7
- Qntrl
- TrainerCentral
- Vani
- Arattai
- Ulaa Browser
- Zakya
- Zoho Corporation owned assets
Exclusions:
- Self XSS
- Email bombing
- Username or email enumeration
- Logout or unauthenticated CSRF
- Clickjacking on non-sensitive pages
- Social engineering
- Hosting malware/arbitrary content
- Presence of EXIF data in uploads
- Use of known vulnerable components without exploit
Bounty Tiers
| Severity | Bounty (Up to) |
|---|---|
| Low | $50 |
| Medium | $200 |
| High | $800 |
| Critical | $3000 |
Note of Thanks
We would like to truly thank the people listed in the Hall of Fame for their participation in the program and for making a responsible disclosure of the vulnerabilities.