This vulnerability disclosure process applies to any vulnerabilities you are considering reporting with regard to Ziff Davis and its portfolio of brands (the “Organization”).
We recommend reading this document fully before you report a vulnerability and always acting in compliance with it.
We are committed to maintaining the security of our systems and our customers’ information. We value those who take the time and effort to responsibly report security vulnerabilities according to the guidance in this document. Doing so makes our products and our customers safer. However, at this time we do not operate a public bug bounty program and we do not offer monetary rewards or compensation in exchange for vulnerability disclosures.
In your report please include details of:
- The location of the vulnerability (or the endpoint or URL with the vulnerability), which may require the software product name, version, and platform or the website address where the vulnerability can be observed.
- A brief description of the type of vulnerability, for example: “XSS vulnerability on <domain name>”.
- Steps to reproduce the vulnerability. These should be a benign, non-destructive proof of concept. This helps to ensure that the report can be triaged quickly and accurately. It also reduces the likelihood of duplicate reports, or of malicious exploitation of some vulnerabilities.
What to expect
After you have submitted your report, we will acknowledge (and/or provide an initial response to) your report within 10 working days. We’ll also aim to keep you informed of our progress.
Priority for remediation is assessed by looking at the impact, severity, and exploit complexity. Vulnerability reports might take some time to triage or address. You are welcome to inquire about the status but should avoid doing so more than once every 7 days. This allows our teams to focus on remediation.
We will notify you when the reported vulnerability is remediated, and you may be invited to confirm that the solution covers the vulnerability adequately.
Once your vulnerability has been resolved, we welcome requests to disclose your report. We would like to unify our guidance, so please do continue to coordinate a public release with us.
You must NOT:
- Break any applicable laws or regulations.
- Access unnecessary, excessive or significant amounts of data.
- Modify data in the Organization's systems or services.
- Use high-intensity, invasive, or destructive scanning tools to find vulnerabilities.
- Attempt any form of denial of service, e.g. overwhelming a service with a high volume of requests, or resource exhaustion attacks.
- Disrupt the Organization's services or systems.
- Communicate any vulnerabilities or associated details other than by means described above in this document.
- Social engineer, ‘phish’ or physically attack the Organization's staff or infrastructure unless specifically engaged to do so by Ziff Davis.
- Demand financial compensation in order to disclose any vulnerabilities.
Please be aware that while we may accept reports detailing non-exploitable vulnerabilities, or reports indicating that the services do not fully align with “best practice”, for example missing security headers, these will generally be considered lower in priority and may not receive a response.
As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the Organization.
Please follow Bugcrowd's disclosure guidelines: https://docs.bugcrowd.com/researchers/reporting-managing-submissions/disclosure/
Out of scope vulnerabilities
When reporting vulnerabilities, please consider the following: (1) attack scenario/exploitability, and (2) security impact of the bug.
The following issues are considered out of scope:
- Clickjacking on pages with no sensitive actions
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
- Attacks requiring MITM or physical access to a user's device.
- Previously known vulnerable libraries without a working Proof of Concept.
- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
- Missing best practices in SSL/TLS configuration.
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
- Rate limiting or brute-force issues on non-authentication endpoints
- Missing best practices in Content Security Policy.
- Missing HttpOnly or Secure flags on cookies
- Missing email best practices (Invalid, incomplete, or missing SPF/DKIM/DMARC records, etc.)
- Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]
- Software version disclosure / banner identification issues / descriptive error messages or headers (e.g. stack traces, application or server errors).
- Open redirect - unless an additional security impact can be demonstrated
- Issues that require unlikely user interaction
You must always comply with data protection rules and must not violate the privacy of any data the Organization holds. You must not, for example, share, redistribute, or fail to properly secure data retrieved from the systems or services.
You must securely delete all data retrieved during your research as soon as it is no longer required or within 1 month of the vulnerability being resolved, whichever occurs first (or as otherwise required by data protection law).
This policy is designed to be compatible with common vulnerability disclosure good practices. It does not give you permission to act in any manner that is inconsistent with the law, or which might cause the Organization or partner organizations to be in breach of any legal obligations.
Please note that this program should not be construed as encouragement or permission to perform any of the following activities:
- Hack, penetrate, or otherwise attempt to gain unauthorized access to Ziff Davis’ or its subsidiaries’ applications, systems, or data in violation of applicable law;
- Download, copy, disclose or use any proprietary or confidential data belonging to the Organization, including customer data; and
- Adversely impact the Organization or the operation of the Organization’s applications or systems.
The Organization does not waive any rights or claims with respect to such activities.
This program follows Bugcrowd’s standard disclosure terms.
For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email email@example.com. We will address your issue as soon as possible.