Table of Contents

1. Objective, Scope and Responsibilities

1.1. Objective

The purpose of this document is to outline the processes and rules that govern communication and rewards for vulnerability reports submitted by external security researchers.

1.2. Scope

The bug bounty program is limited to vulnerabilities affecting the ZEBEDEE products, APIs/SDKs, platform, or general infrastructure. Vulnerabilities affecting third-party hosted platforms, applications, and games are not included in the scope of this program.

1.3. Responsibilities

The CTO is responsible for the reward mechanism, with the support of the ZEBEDEE operations and engineering teams, which will evaluate the vulnerability and pay the reward.

2. Process

2.1. Collection

Security researchers must fill out the following form with as much detail as possible: https://zeb.gg/vulnerability-report

2.2. Review

2.2.1. Format

Vulnerability reports are expected to follow a specific format so that they can be processed correctly. Reports must be written in correct language, and the associated evidence must be clear.

The description, reproduction steps, and evidence must be clearly separated to ease processing. Standard UTF-8 characters are expected, to ease transfer from the communication channel to the internal channels.

2.2.2. Criteria

Multiple criteria must be fulfilled for a vulnerability to be rewarded: