Zynga Inc. is an American social game developer running social video game services.
Zynga invites you to test and help secure our publicly accessible web presence and games. We're highly interested in knowing about any vulnerabilities that may extend to any web-based property we own/control (online games, etc). We appreciate your efforts and hard work in making the internet more secure and look forward to working with the researcher community to create a meaningful and successful bug bounty program. Good luck and happy hunting!
For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.
Any game or FQDN domain/property of Zynga not listed in the targets section is out of scope. This includes any/all subdomains not listed above. Non-Zynga managed services (Third-Party) services integrated with, or used by Zynga games on non-Zynga FQDN DNS domains are out of scope. If you believe you've identified a vulnerability on a system outside the scope, please reach out to firstname.lastname@example.org before submitting.
Zynga Services Info:
- FQDN zynga.com is the main site for all Zynga games services
- FQDN zyngapoker.com are secondary DNS domains hosting a subset of Zynga games services (Poker)
- All Zynga Android, iOS and Windows games are in scope:
- iOS games at https://itunes.apple.com/us/developer/zynga-inc/id295913422
- Android games at https://play.google.com/store/apps/dev?id=6690081412016968981
Researchers are free to self-provision or utilize any existing accounts they own - DO NOT test against any accounts you do not expressly own. If/when registering for testing purposes, please do so using your @bugcrowdninja.com email address. For more info regarding @bugcrowdninja email addresses, see here.
- When testing or submitting against any forms that may go to a person on the other end (e.g. contact, support, etc), please be sure to include "Bugcrowd Testing -- Disregard" with your payloads.
- When testing against any forms that may result in publicly facing content (e.g. "as a question" - please delete your post immediately after you've reviewed the outcome of your attempted attack). e.g. on community pages, etc
- Note that you're free to self-provision any accounts that you're able to (e.g. community, etc).
No pre-provisioned accounts will be provided for this program.
Out of Scope:
Non-Zynga managed services (Third-Party) services integrated with, or used by Zynga games on non-Zynga FQDN DNS domains
API vulnerabilities in the following areas:
- Information disclosure of non-PI/PII routine account data used for multiplayer communication
- Claims that API keys are hardcoded in mobile apps image, but without any proof of exploit and explicit use for complete end-to-end API authentication handshake to Zynga production services.
- Bugs filed against APIs and endpoints that the game does not use in the normal course of end-user operation and usage.
Infrastructure-only vulnerabilities not affecting the application code-base, including but not limited to:
- SMTP issues such as missing email DMARC or SPF
- Transport Security: TLS protocol vulnerabilities or configuration issues
Identity Management vulnerabilities that do not result in a true and complete Customer account hijack (takeover) of a secondary account, including, but not limited to:
- Missing rate limiting on password or credentials reset
- Session invalidation upon password and/or credentials resets
- Workflow issues surrounding updating or changing login ID/string (email)
- Session time-outs
- Password complexity issues
Bug vulnerability filing that are:
- Filed in duplicate bugs whose vulnerabilities are using a common service, or codebase, and where the fix is applied to only one service, or one common code base or library to remediate
- Filed in duplicate for the same service endpoint (HTTP-TLS + HTTP) URI paths to the SAME resource
- Filed without screenshots and videos for proof of concept, and/or without the artifacts and evidence
When conducting vulnerability research according to this policy, we consider this research to be:
- Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
- Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
- Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
- Lawful, helpful to the overall security of the Internet, and conducted in good faith.
- You are expected, as always, to comply with all applicable laws.
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please inquire via email@example.com before going any further.