Zynga Inc. is an American social game developer running social video game services.
Zynga invites you to test and help secure our publicly accessible web presence and games. We're highly interested in knowing about any vulnerabilities that may extend to any web-based property we own/control (online games, etc). We appreciate your efforts and hard work in making the internet more secure and look forward to working with the researcher community to create a meaningful and successful bug bounty program. Good luck and happy hunting!
For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.
Any game or FQDN domain/property of Zynga not listed in the targets section is out of scope. This includes any/all subdomains not listed above. Non-Zynga managed (third-party) services integrated with, or used by, Zynga games on non-Zynga FQDN DNS domains are out of scope. If you believe you've identified a vulnerability on a system outside the scope, please reach out to email@example.com before submitting.
Zynga Services Info:
- FQDN zynga.com is the main site for all Zynga games services
- FQDN zyngagames.com is a secondary DNS domain hosting a subset of Zynga games services
- All Zynga Android, iOS and Windows games are in scope:
  - iOS games at https://itunes.apple.com/us/developer/zynga-inc/id295913422
  - Android games at https://play.google.com/store/apps/dev?id=6690081412016968981
Researchers are free to self-provision or utilize any existing accounts they own - DO NOT test against any accounts you do not expressly own. If/when registering for testing purposes, please do so using your @bugcrowdninja.com email address. For more info regarding @bugcrowdninja email addresses, see here.
- When testing or submitting against any forms that may go to a person on the other end (e.g. contact, support, etc), please be sure to include "Bugcrowd Testing -- Disregard" with your payloads.
- When testing against any forms that may result in publicly facing content (e.g. "ask a question" on community pages, etc.), please delete your post immediately after you've reviewed the outcome of your attempted attack.
- Note that you're free to self-provision any accounts that you're able to (e.g. community, etc).
No pre-provisioned accounts will be provided for this program.
Out of Scope:
Non-Zynga managed (third-party) services integrated with, or used by, Zynga games on non-Zynga FQDN DNS domains
API vulnerabilities in the following areas:
- Information disclosure of non-PI/PII routine account data used for multi-player communication
- Claims that API keys are hardcoded in a mobile app image, without any proof of exploit and explicit use in a complete end-to-end API authentication handshake to Zynga production services.
- Bugs filed against APIs and endpoints that the game does not use in the normal course of end-user operation and usage.
Infrastructure-only vulnerabilities not affecting the application code-base, including but not limited to:
- SMTP issues such as missing email DMARC or SPF
- Transport Security: TLS protocol vulnerabilities or configuration issues
Identity Management vulnerabilities that do not result in a true and complete Customer account hijack (takeover) of a secondary account, including, but not limited to:
- Missing rate limiting on password or credentials reset
- Session invalidation upon password and/or credentials resets
- Workflow issues surrounding updating or changing login ID/string (email)
- Session time-outs
- Password complexity issues
Vulnerability filings that are:
- Filed as duplicate bugs where the vulnerabilities use a common service or codebase, and where the fix is applied to only one service, or one common codebase or library, to remediate
- Filed in duplicate for the same service endpoint (HTTP-TLS + HTTP) URI paths to the SAME resource
- Filed without screenshots and videos for proof of concept, and/or without the artifacts and evidence