Security & Responsible Disclosure

Security

The security and privacy of our users is very important to us. We take the utmost care to ensure that our systems are protected, and our developers strive to write secure code. We understand that there is no silver bullet when it comes to security, and there are times when security bugs slip through despite our best efforts. We ensure that all reported security issues are reviewed and resolved promptly.

Reporting a security issue

We would like to foster a culture of collaboration to achieve better security and make the internet a better place. If you believe that you have found a security issue that can adversely impact Zeta, please contact our security team at [email protected] and send your submission as an encrypted email using this PGP Key. A member of our security team will reach out to you and work with you to validate, qualify and resolve the issue.

Our expectations from you:

  • A detailed description of the issue
  • Steps to reproduce the issue
  • You will follow responsible disclosure guidelines (see below)
  • Collaborative spirit
  • No malicious activities (**)

Our promise to you:

  • Prompt acknowledgement of the report (within 2 business days)
  • Transparency throughout the process
  • An environment conducive to collaboration
  • Adequate mitigation of the issue
  • Entry in the Zeta security hall-of-fame page for accepted reports

Responsible Disclosure

We at Zeta believe that with great knowledge comes great responsibility. We expect that you will give us reasonable lead time to respond to your report before making any information public and that you will make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our services during your research. We will reciprocate the gesture by working with you to mitigate the issue to the satisfaction of both parties.

We would prefer that interested researchers coordinate their efforts with our security team, so that we can avoid any untoward incidents that could affect confidentiality, integrity or availability of Zeta’s systems.

Scope

Zeta Websites

The following domains are not in scope:

Mobile Apps

Excluded Bug Submission

The following bug submissions are excluded because they are malicious and/or because they have low security impact for the program owner. This section lists issues that are not accepted under this program; such reports will be immediately marked as invalid.

The following findings are specifically excluded and will be considered invalid:

  • Security issues in third-party apps or websites that integrate with Zeta
  • Descriptive error messages (e.g. Stack Traces, application or server errors).
  • HTTP codes/pages or other HTTP non- codes/pages.
  • Fingerprinting / banner disclosure on common/public services.
  • Disclosure of known public files or directories, (e.g. robots.txt).
  • Clickjacking and issues only exploitable through clickjacking.
  • CSRF in forms that are available to anonymous users (e.g. the contact form).
  • Logout Cross-Site Request Forgery (logout CSRF).
  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
  • Lack of Secure/HttpOnly flags on non-sensitive cookies.
  • Lack of Security Speedbump when leaving the site.
  • Weak Captcha / Captcha Bypass
  • Login or Forgot Password page brute force and account lockout not enforced.
  • OPTIONS HTTP method enabled
  • HTTPS Mixed Content Scripts
  • Self-XSS
  • Username / email enumeration
    1. via Login Page error message
    2. via Forgot Password error message
  • Missing HTTP security headers (see https://www.owasp.org/index.php/List_of_useful_HTTP_headers), e.g.
    1. Strict-Transport-Security
    2. X-Frame-Options
    3. X-XSS-Protection
    4. X-Content-Type-Options
    5. Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
    6. Content-Security-Policy-Report-Only
  • SSL Issues, e.g.
    1. SSL Attacks such as BEAST, BREACH, Renegotiation attack
    2. SSL Forward secrecy not enabled
    3. SSL weak / insecure cipher suites

Out of Scope bugs for Android apps:

  • Shared links leaked through the system clipboard.
  • Any URIs leaked because a malicious app has permission to view URIs opened
  • Absence of certificate pinning
  • Sensitive data in URLs/request bodies when protected by TLS
  • User data stored unencrypted on external storage
  • Lack of obfuscation
  • OAuth & App secret hard-coded/recoverable in APK
  • Crashes due to malformed Intents sent to an exported Activity/Service/BroadcastReceiver (exploiting these for sensitive data leakage is commonly in scope)
  • Any kind of sensitive data stored in app private directory
  • Lack of binary protection controls in the Android app
  • Runtime hacking exploits using tools such as, but not limited to, Frida/Appmon (exploits only possible in a rooted/jailbroken environment)

Out of Scope bugs for iOS apps:

  • Lack of Exploit mitigations i.e., PIE, ARC, or Stack Canaries
  • Absence of certificate pinning
  • Path disclosure in the binary
  • User data stored unencrypted on the file system
  • Lack of obfuscation
  • Lack of jailbreak detection
  • OAuth & app secret hard-coded/recoverable in IPA
  • Crashes due to malformed URL Schemes
  • Lack of binary protection (anti-debugging) controls
  • Snapshot/Pasteboard leakage
  • Runtime hacking exploits using tools such as, but not limited to, Frida/Appmon (exploits only possible in a jailbroken environment)

** Appendix: We classify malicious activities as follows:

  • Any kind of DoS attack
  • Automated scanning
  • Deliberate attempts at harming Zeta’s systems
  • Introduction of backdoors/trojans/malware in Zeta’s systems
  • Attempts to breach confidential data
  • Publicly disclosing the vulnerability prior to our resolution.
  • Physical testing such as office access (e.g. open doors, tailgating).
  • Observations derived primarily from social engineering (e.g. phishing, vishing).
  • Any testing of any other application/system not listed in the ‘Scope’ section above.

Note: All attempts to cause harm to Zeta’s systems and data, and any testing that does not follow responsible disclosure, will be pursued legally to the full extent permitted by law.