Zynga - Whitehat Points

  • Points per vulnerability
  • Partial safe harbor
  • Managed by Bugcrowd

Program stats

80 vulnerabilities rewarded

Validation within 4 days
75% of submissions are accepted or rejected within 4 days

Latest hall of famers

Recently joined this program

472 total

Disclosure

Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

Zynga Inc. is an American social game developer running social video game services.

Zynga invites you to test and help secure our publicly accessible web presence and games. We're highly interested in knowing about any vulnerabilities that may extend to any web-based property we own/control (online games, etc). We appreciate your efforts and hard work in making the internet more secure and look forward to working with the researcher community to create a meaningful and successful bug bounty program. Good luck and happy hunting!


Ratings:

For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

This program only awards points for VRT based submissions.

Targets

In scope

Target name Type
Zynga branded games - ioS iOS
Zynga branded games - Android Android
Zynga branded games - Windows Other
zynga.com Website
zyngagames.com Website

Any game or FQDN domain/property of Zynga not listed in the targets section is out of scope. This includes any/all subdomains not listed above. Non-Zynga managed services (Third-Party) services integrated with, or used by Zynga games on non-Zynga FQDN DNS domains are out of scope. If you believe you've identified a vulnerability on a system outside the scope, please reach out to support@bugcrowd.com before submitting.


Target info:

Zynga Services Info:

Access

Researchers are free to self-provision or utilize any existing accounts they own - DO NOT test against any accounts you do not expressly own. If/when registering for testing purposes, please do so using your @bugcrowdninja.com email address. For more info regarding @bugcrowdninja email addresses, see here.

Testing Notes:

  • When testing or submitting against any forms that may go to a person on the other end (e.g. contact, support, etc), please be sure to include "Bugcrowd Testing -- Disregard" with your payloads.
  • When testing against any forms that may result in publicly facing content (e.g. "as a question" - please delete your post immediately after you've reviewed the outcome of your attempted attack). e.g. on community pages, etc
  • Note that you're free to self-provision any accounts that you're able to (e.g. community, etc).

No pre-provisioned accounts will be provided for this program.


Out of Scope:

Non-Zynga managed services (Third-Party) services integrated with, or used by Zynga games on non-Zynga FQDN DNS domains

API vulnerabilities in the following areas:

  • Information disclosure of non-PI/PII routine account data used for multi-player communication
  • Claims that API keys are hardcoded in mobile apps image, but without any proof of exploit and explicit use for complete end-to-end API authentication handshake to Zynga production services.
  • Bugs filed against APIs and endpoints that the game does not use in the normal course of end-user operation and usage.

Infrastructure-only vulnerabilities not affecting the application code-base, including but not limited to:

  • SMTP issues such as missing email DMARC or SPF
  • Transport Security: TLS protocol vulnerabilities or configuration issues

Identity Management vulnerabilities that do not result in a true and complete Customer account hijack (takeover) of a secondary account, including, but not limited to:

  • Missing rate limiting on password or credentials reset
  • Session invalidation upon password and/or credentials resets
  • Workflow issues surrounding updating or changing login ID/string (email)
  • Session time-outs
  • Password complexity issues

Bug vulnerability filing that are:

  • Filed in duplicate bugs whose vulnerabilities are using a common service, or codebase, and where the fix is applied to only one service, or one common code base or library to remediate
  • Filed in duplicate for the same service endpoint (HTTP-TLS + HTTP) URI paths to the SAME resource
  • Filed without screenshots and videos for proof of concept, and/or without the artifacts and evidence

Program rules

This program follows Bugcrowd’s standard disclosure terms.