Zynga Inc. is an American social game developer running social video game services.
Zynga invites you to test and help secure our publicly accessible web presence and games. We're highly interested in knowing about any vulnerabilities that may extend to any web-based property we own/control (online games, etc). We appreciate your efforts and hard work in making the internet more secure, and look forward to working with the researcher community to create a meaningful and successful bug bounty program. Good luck and happy hunting!
For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.
Any domain/property of Zynga not listed in the targets section is out of scope. This includes any/all subdomains not listed above. If you believe you've identified a vulnerability on a system outside the scope, please reach out to firstname.lastname@example.org before submitting.
- Zynga.com is the main site for all Zynga games
- ZyngaGames.com is a secondary site hosting online versions of a subset of Zynga games
- All Android, iOS, and Windows games are in scope
- iOS games at https://itunes.apple.com/us/developer/zynga-inc/id295913422
- Android games at https://play.google.com/store/apps/dev?id=6690081412016968981
- Games on the Windows platform
Researchers are free to self provision or utilize any existing accounts they own - DO NOT test against any accounts you do not expressly own. If/when registering for testing purposes, please do so using your @bugcrowdninja.com email address. For more info regarding @bugcrowdninja email addresses, see here.
- When testing or submitting against any forms that may go to a person on the other end (e.g. contact, support, etc), please be sure to include "Bugcrowd Testing -- Disregard" with your payloads.
- When testing against any forms that may result in publicly facing content (e.g. "as a question" - please delete your post immediately after you've reviewed the outcome of your attempted attack). e.g. on community pages, etc
- Note that you're free to self-provision any accounts that you're able to (e.g. community, etc).
No pre-provisioned accounts will be provided for this program.
- Valid and accepted submissions are eligible for our Researcher Hall of Fame, if you are the first to report the issue and we make a code or configuration change based on the issue.
Out of Scope:
- Facebook, Wordpress or other 3rd party websites or 3rd party website games are not in scope
- Missing DMARC
- Missing SPF Record
- Missing Rate Limiting Password Reset
- Failure to Invalidate Session On Password Reset and/or Change