Zynga Whitehat

  • Points per vulnerability
  • Partial safe harbor
  • Managed by Bugcrowd

Program stats

76 vulnerabilities rewarded

Validation within 6 days
75% of submissions are accepted or rejected within 6 days

Latest hall of famers

Recently joined this program

385 total


Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

Zynga Inc. is an American social game developer running social video game services.

Zynga invites you to test and help secure our publicly accessible web presence and games. We're highly interested in knowing about any vulnerabilities that may extend to any web-based property we own/control (online games, etc). We appreciate your efforts and hard work in making the internet more secure, and look forward to working with the researcher community to create a meaningful and successful bug bounty program. Good luck and happy hunting!


For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.


In scope

Target name Type
*.zynga.com Website
*.zyngagames.com Website
Zynga branded games - ioS iOS
Zynga branded games - Android Android
Zynga branded games - Windows Other

Any domain/property of Zynga not listed in the targets section is out of scope. This includes any/all subdomains not listed above. If you believe you've identified a vulnerability on a system outside the scope, please reach out to support@bugcrowd.com before submitting.

Target info:


Researchers are free to self provision or utilize any existing accounts they own - DO NOT test against any accounts you do not expressly own. If/when registering for testing purposes, please do so using your @bugcrowdninja.com email address. For more info regarding @bugcrowdninja email addresses, see here.

Testing Notes:

  • When testing or submitting against any forms that may go to a person on the other end (e.g. contact, support, etc), please be sure to include "Bugcrowd Testing -- Disregard" with your payloads.
  • When testing against any forms that may result in publicly facing content (e.g. "as a question" - please delete your post immediately after you've reviewed the outcome of your attempted attack). e.g. on community pages, etc
  • Note that you're free to self-provision any accounts that you're able to (e.g. community, etc).

No pre-provisioned accounts will be provided for this program.

  • Valid and accepted submissions are eligible for our Researcher Hall of Fame, if you are the first to report the issue and we make a code or configuration change based on the issue.

Out of Scope:

  • Facebook, Wordpress or other 3rd party websites or 3rd party website games are not in scope
  • Missing DMARC
  • Missing SPF Record
  • Missing Rate Limiting Password Reset
  • Failure to Invalidate Session On Password Reset and/or Change

Program rules

This program follows Bugcrowd’s standard disclosure terms.