Zynga - Whitehat Points

  • Points per vulnerability
  • Partial safe harbor
  • Managed by Bugcrowd

Program stats

79 vulnerabilities rewarded

Validation within 1 day
75% of submissions are accepted or rejected within 1 day

Latest hall of famers

Recently joined this program

Disclosure

Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

Zynga Inc. is an American social game developer running social video game services.

Zynga invites you to test and help secure our publicly accessible web presence and games. We're highly interested in knowing about any vulnerabilities that may extend to any web-based property we own/control (online games, etc). We appreciate your efforts and hard work in making the internet more secure and look forward to working with the researcher community to create a meaningful and successful bug bounty program. Good luck and happy hunting!


Ratings:

For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

This program only awards points for VRT based submissions.

Targets

In scope

Target name Type Tags
Zynga branded games - ioS iOS
  • Mobile Application Testing
  • iOS
  • Objective-C
  • Swift
  • SwiftUI
Zynga branded games - Android Android
  • Mobile Application Testing
  • Android
  • Java
  • Kotlin
Zynga branded games - Windows Other
  • Desktop Application Testing
  • Windows
zynga.com Website Testing
  • Website Testing
  • PHP
  • Wordpress
  • MySQL
  • jQuery
zyngagames.com Website Testing
  • Website Testing
  • PHP
  • Wordpress
  • MySQL
  • jQuery
Zynga Poker - WebGL (zyngapoker.com) Website Testing

Any game or FQDN domain/property of Zynga not listed in the targets section is out of scope. This includes any/all subdomains not listed above. Non-Zynga managed services (Third-Party) services integrated with, or used by Zynga games on non-Zynga FQDN DNS domains are out of scope. If you believe you've identified a vulnerability on a system outside the scope, please reach out to support@bugcrowd.com before submitting.


Target info:

Zynga Services Info:

Access

Researchers are free to self-provision or utilize any existing accounts they own - DO NOT test against any accounts you do not expressly own. If/when registering for testing purposes, please do so using your @bugcrowdninja.com email address. For more info regarding @bugcrowdninja email addresses, see here.

Testing Notes:

  • When testing or submitting against any forms that may go to a person on the other end (e.g. contact, support, etc), please be sure to include "Bugcrowd Testing -- Disregard" with your payloads.
  • When testing against any forms that may result in publicly facing content (e.g. "as a question" - please delete your post immediately after you've reviewed the outcome of your attempted attack). e.g. on community pages, etc
  • Note that you're free to self-provision any accounts that you're able to (e.g. community, etc).

No pre-provisioned accounts will be provided for this program.


Out of Scope:

Non-Zynga managed services (Third-Party) services integrated with, or used by Zynga games on non-Zynga FQDN DNS domains

API vulnerabilities in the following areas:

  • Information disclosure of non-PI/PII routine account data used for multiplayer communication
  • Claims that API keys are hardcoded in mobile apps image, but without any proof of exploit and explicit use for complete end-to-end API authentication handshake to Zynga production services.
  • Bugs filed against APIs and endpoints that the game does not use in the normal course of end-user operation and usage.

Infrastructure-only vulnerabilities not affecting the application code-base, including but not limited to:

  • SMTP issues such as missing email DMARC or SPF
  • Transport Security: TLS protocol vulnerabilities or configuration issues

Identity Management vulnerabilities that do not result in a true and complete Customer account hijack (takeover) of a secondary account, including, but not limited to:

  • Missing rate limiting on password or credentials reset
  • Session invalidation upon password and/or credentials resets
  • Workflow issues surrounding updating or changing login ID/string (email)
  • Session time-outs
  • Password complexity issues

Bug vulnerability filing that are:

  • Filed in duplicate bugs whose vulnerabilities are using a common service, or codebase, and where the fix is applied to only one service, or one common code base or library to remediate
  • Filed in duplicate for the same service endpoint (HTTP-TLS + HTTP) URI paths to the SAME resource
  • Filed without screenshots and videos for proof of concept, and/or without the artifacts and evidence

Safe Harbor:

When conducting vulnerability research according to this policy, we consider this research to be:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.
  • You are expected, as always, to comply with all applicable laws.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please inquire via support@bugcrowd.com before going any further.

Program rules

This program follows Bugcrowd’s standard disclosure terms.