Before submitting a claim, please read the guidelines and scope of the program below.
If you have other issues with your account, please use the links or contacts below for help.
Account was compromised or help with accounts: https://help.zoominfo.com/ or helpmenow@zoominfo.com or contact your account rep directly
Accessing another person’s account while logged into your account violates a number of laws and can be seen as a breach of your contract.
Bug Bounty Scope
Included applications in the ZoomInfo suite of products and services:
Vulnerabilities in third-party libraries that integrate with ZoomInfo are within scope only where the vulnerability has some potential impact on ZoomInfo user data or systems (e.g. access token disclosure).
Vulnerabilities already identified by another person or organization are not eligible for the Bug Bounty program.
Qualifying Vulnerabilities
Any issue that affects the integrity or confidentiality of user data would likely be considered in scope. Some examples include:
Cross-site scripting (XSS)
Cross-site request forgery (CSRF)
Mixed-content scripts
Authentication or authorization flaws
Server-side code execution bugs
Out-of-scope activities:
Any of the following (or related) activities will automatically be considered out of scope for the bug bounty program:
Issues related to dangling DNS records
Web/DNS cache poisoning
Banner or version disclosure of servers/software
Use of outdated or vulnerable software/component versions (without evidence of exploitation)
Default configuration files which do not disclose sensitive information
Descriptive error messages and debugging information (stack traces, path disclosure, etc.)
Issues related to HTTP security headers (including X-Frame-Options and clickjacking, Content-Security-Policy, X-XSS-Protection, etc.)
Lack of Secure and HttpOnly flags on non-sensitive cookies.
Enabled OPTIONS/TRACE HTTP methods
Content injection or “HTML injection” unless you can clearly show risk
Self Cross-Site Scripting (aka Self XSS)
Cross-Site Request Forgery (CSRF) for non-sensitive or insignificant actions (logout, etc.)
Cross-Site Request Forgery (CSRF) on features that are available to anonymous users
Lack of brute force protection on login pages and forms
Missing or bypassable rate-limiting mechanisms
Account lockout enforcement
User enumeration via error messages on failed login attempts
Failure to invalidate sessions when 2FA is set up or a password is changed
Lifetime or invalidation of “sign-up” or “reset password” tokens
User session duration or invalidation
Spam or social engineering (phishing) attacks
Exploits that require (or partly require) physical access to the target's external device/account, or unlikely user interaction
Email policy issues (including SPF, DKIM and DMARC)
Theoretical subdomain takeover claims with no supporting evidence
Email/SMS flooding attacks
Denial-of-service (DoS) attacks
Distributed DoS (DDoS)
Other third-party apps or websites that integrate with ZoomInfo but are not relevant to our component integration
Outdated and non-supported mobile applications
Weak TLS versions and insecure SSL/TLS ciphers
Certificate-related issues
Bugs that do not affect, and are not exploitable on, the latest version of modern browsers
Reports lacking evidence of exploitability (a PoC that actually demonstrates the compromise is required)
Bugs ZoomInfo is already aware of (or previously submitted by another researcher)
False Positives:
Reported findings missing part or all of the proof of exploitability, or findings that cannot be reproduced, will be considered false positives.
Bug Bounty Reporting
Your report must describe your findings and how you found the bug/vulnerability, including:
What you have found in detail so we can investigate your claim thoroughly
The steps you took and what you saw
What you are able to see or do, for example:
Can see or extract data which is not yours
Connect as another user
Connect to systems that are not included in the direct use of the service
Anything else you think is needed in evaluating your claim.
Bug Bounty Rules of Engagement
We appreciate the value an independent security analyst brings by spending time testing systems to help companies like ZoomInfo improve their security posture. Rules of engagement include, but are not limited to, the following:
You do not exploit a security issue you discover for any reason other than to validate your finding.
You only use an account assigned to you, never one that is not yours.
You are able to demonstrate that the vulnerability you found is yours and that no other third party identified it.
You are not paid for testing our products and services.
You provide us sufficient time to investigate and mitigate the vulnerability.
You do not publish the vulnerability where others could take advantage of it before we have closed it.
Report a security bug that identifies a vulnerability in our services or infrastructure which creates a security or privacy risk.
Report a security bug that no other person or company has already reported before you.
Report your finding without undue delay.
Your vulnerability can be verified by our team as a valid, exploitable bug/vulnerability.
Meet all the criteria as outlined in this bug bounty program. We reserve the right to report this event and activity as we see fit.
We may retain any communications about security issues you report for as long as we deem necessary for program purposes.
Changes, adjustments, outsourcing or cancellation may be made at any time without notice.
All bounty awards must be permitted by applicable laws, including (but not limited to) US trade sanctions and economic restrictions.
Payments
Whether we will pay any award in response to a report of a vulnerability affecting our products and services is completely under ZoomInfo management discretion. Factors that will influence our award decision include but are not limited to:
Our ability to verify the vulnerability and ensure that it is remediated, and the extent of the potential impact the vulnerability could have on ZoomInfo user data or systems if not closed.
Bounties are completely at ZoomInfo management's discretion and are based on risk and a variety of factors, including (but not limited to) impact, ease of exploitation, and the quality of your findings.
Note that extremely low-risk issues may not qualify for a bounty at all. If your finding leads us to discover higher-risk vulnerabilities, we may, at our sole discretion, pay an increased award. A payment will require you to provide the following details:
Full Name
ID Number
Country of residence
Tax number if available
Phone number
Address
Payments will be made using Amazon Gift cards.
Disclaimer:
The following criteria must be met in order to participate in the ZoomInfo Bug Bounty Program.
You are not a resident of a U.S. Government embargoed country.
You are not on a U.S. Government list of sanctioned individuals.
You are 18 years or older.
You are not currently, and have never been, an employee of ZoomInfo Corporation or a subsidiary.
You are reporting as an individual and not part of a company.
Neither you nor any member of your family is under a contracting agreement with ZoomInfo or a subsidiary, nor has been for the past 6 months.
You did not and will not access any personal information that is not your own, including exploiting the vulnerability.
You did not and will not violate any applicable law or regulation, including laws prohibiting unauthorized access to information.
Your country of residence may have local laws that add restrictions on your eligibility to participate in the bug bounty program.
You provide the necessary payment and identity information to enable us to validate the above information.