Security & Responsible Disclosure

Security

Security and privacy of our users is very important for us. We take utmost care to ensure that our systems are protected and our developers strive to write secure code. We understand that there is no silver bullet when it comes to security and there are times when security bugs sneak through despite our best efforts. We ensure that all security issues reported are reviewed and resolved promptly

Reporting a security issue

We would like to foster a culture of collaboration to achieve better security and make the internet a better place. If you believe that you have found a security issue that can adversely impact Zeta, please do contact our security team at security@zeta.in and send your submissions as an encrypted email using this PGP Key. A member of our security team will reach out to you and will work with you to validate, qualify and resolve the issue.

Our expectations from you:

  • A detailed description of the issue
  • Steps to reproduce the issue
  • You will follow responsible disclosure guidelines (see below)
  • Collaborative spirit
  • No malicious activities (**)

Our promise to you:

  • Prompt acknowledgement of the report (within 2 business days)
  • Transparency throughout the process
  • An environment conducive of collaboration
  • Adequate mitigation of the issue
  • Entry in the Zeta security hall-of-fame page for accepted reports

Responsible Disclosure

We at Zeta believe that with great knowledge comes great responsibility. We expect that you will give us reasonable lead time to respond to your report before making any information public and that you will make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our services during your research. We will reciprocate the gesture by working with you to mitigate the issue to the satisfaction of both parties.

We would prefer that interested researchers coordinate their efforts with our security team, so that we can avoid any untoward incidents that could affect confidentiality, integrity or availability of Zeta’s systems.

Scope

Zeta Websites

Below domains are not in scope

Mobile Apps

Excluded Bug Submission

Following bug submissions are excluded because they are malicious and/or because they have low security impact to the program owner. This section contains issues that are not accepted under this program, will be immediately marked as invalid.

The following findings are specifically excluded and will be considered invalid:

  • Security issues in third-party apps or websites that integrate with Zeta
  • Descriptive error messages (e.g. Stack Traces, application or server errors).
  • HTTP codes/pages or other HTTP non- codes/pages.
  • Fingerprinting / banner disclosure on common/public services.
  • Disclosure of known public files or directories, (e.g. robots.txt).
  • Clickjacking and issues only exploitable through clickjacking.
  • CSRF in forms that are available to anonymous users (e.g. the contact form).
  • Logout Cross-Site Request Forgery (logout CSRF).
  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
  • Lack of Secure/HTTPOnly flags on non-sensitive Cookies.
  • Lack of Security Speedbump when leaving the site.
  • Weak Captcha / Captcha Bypass
  • Login or Forgot Password page brute force and account lockout not enforced.
  • OPTIONS HTTP method enabled
  • HTTPS Mixed Content Scripts
  • Self-XSS
  • Username / email enumeration
    1. via Login Page error message
    2. via Forgot Password error message
  • Missing HTTP security headers, specifically (https://www.owasp.org/index.php/List_of_useful_HTTP_headers), e.g.
    1. Strict-Transport-Security
    2. X-Frame-Options
    3. X-XSS-Protection
    4. X-Content-Type-Options
    5. Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
    6. Content-Security-Policy-Report-Only
  • SSL Issues, e.g.
    1. SSL Attacks such as BEAST, BREACH, Renegotiation attack
    2. SSL Forward secrecy not enabled
    3. SSL weak / insecure cipher suites

Out of Scope bugs for Android apps:

  • Shared links leaked through the system clipboard.
  • Any URIs leaked because a malicious app has permission to view URIs opened
  • Absence of certificate pinning
  • Sensitive data in URLs/request bodies when protected by TLS
  • User data stored unencrypted on external storage
  • Lack of obfuscation is out of scope
  • OAuth & App secret hard-coded/recoverable in APK
  • Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceive (exploiting these for sensitive data leakage is commonly in scope)
  • Any kind of sensitive data stored in app private directory
  • Lack of binary protection control in android app
  • Runtime hacking exploits using tools like but not limited to Frida/ Appmon (exploits only possible in a jailbroken environment)

Out of Scope bugs for iOS apps

  • Lack of Exploit mitigations i.e., PIE, ARC, or Stack Canaries
  • Absence of certificate pinning
  • Path disclosure in the binary
  • User data stored unencrypted on the file system
  • Lack of obfuscation is out of scope
  • Lack of jailbreak detection is out of scope
  • OAuth & app secret hard-coded/recoverable in IPA
  • Crashes due to malformed URL Schemes
  • Lack of binary protection (anti-debugging) controls
  • Snapshot/Pasteboard leakage
  • Runtime hacking exploits using tools like but not limited to Frida/ Appmon (exploits only possible in a jailbroken environment)

**Appendix: We classify malicious activities as follows

  • Any kind of DoS attack
  • Automated scanning
  • Deliberate attempts at harming Zeta’s systems
  • Introduction of backdoors/trojans/malware in Zeta’s systems
  • Attempts to breach confidential data
  • Publicly disclosing the vulnerability prior to our resolution.
  • Physical testing such as office access (e.g. open doors, tailgating).
  • Observations derived primarily from social engineering (e.g. phishing, vishing).
  • Any testing on any other application/systems not mentioned in ’Target’ scope.

Note: All attempts to cause harm to Zeta’s systems and data and that do not follow responsible disclosure will be pursued legally to the full extent permitted by law.