Webpage | April 15, 2021

Reporting Security Vulnerabilities for Zipline

Guidelines for Security Researchers

Last updated Jul 03, 2017

This page is intended for security researchers. To find out more about Retail Zipline’s security, please visit our security information page.

If you believe you have found a security vulnerability on Retail Zipline, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem.

Please submit your report on HackerOne and our security team will respond as soon as possible.

Responsible Disclosure Policy

If you give us a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you.

To show our appreciation for our security researchers, we offer a monetary bounty for certain qualifying security bugs.

Bug Bounty Rewards

  • Our minimum reward is $50 USD for minor issues, while we expect to reward $250+ USD for major vulnerabilities.
  • There is no maximum reward: each bug is awarded a bounty based on its severity and creativity.
  • Only 1 bounty per security bug will be awarded.

Bug Bounty Eligibility

To qualify for a bounty, you must:

  • Adhere to our Responsible Disclosure Policy (above).
  • Be the first person to responsibly disclose the bug.
  • Report a bug that could compromise the integrity of Retail Zipline user data, circumvent the privacy protections of Retail Zipline user data, or enable access to a system within the Retail Zipline infrastructure, such as:
      • Cross-Site Scripting (XSS)
      • Cross-Site Request Forgery (CSRF/XSRF)
      • Broken Authentication (including Retail Zipline OAuth bugs)
      • Remote Code Execution
      • Privilege Escalation
      • Provisioning Errors
  • Test only with your own organization when investigating bugs. Automated testing is not permitted.
  • Do not interact with other accounts without the consent of their owners.
  • Reside in a country not under any current U.S. sanctions (e.g., North Korea, Libya, Cuba).

Our security team will assess each bug to determine if it qualifies.

The following bugs are not eligible for a bounty (and we do not recommend testing for these):

  • Security bugs in third-party applications built on the Retail Zipline API
  • Security bugs in third-party services that integrate with Retail Zipline
  • Denial of Service vulnerabilities
  • Spam or social engineering techniques
  • Issues with systems we have no control over, such as Heroku or Webflow


What is a UTM and what does this form do?

A UTM is a set of parameters added to a link that tells Google Analytics how a visitor got to our site, and this form helps you build one.

Remember that whatever you fill in here will be seen by whoever you share the link with, so do not put anything in here that would not be obvious to them or, worse, could be insulting; e.g., don't name the 'campaign' tier-3-prospects.

Please use all lower case and dashes-instead-of-spaces.

If there is a gated version (behind a form fill), you will be able to select the gated or ungated (direct to the content) link.

Most common Zipline sources are:

  • linkedin
  • salesloft
  • paid
  • sales
  • qr-code
  • newsletter

The 'Source' is where the traffic is coming from, or the referrer.

Most common Zipline media are:

  • social
  • email
  • banner
  • sem
  • event

Medium describes 'how' the traffic is coming to the site. For example, clicks from LinkedIn or Twitter arrive through social media, so we simply call the medium 'social'. For an email newsletter or a direct sales email, the medium would be 'email'.

Current campaigns include:

  • zipline360
  • retail-talent
  • nrf
  • abm
  • holiday-comms

The campaign is an internal description of whichever campaign the link is a part of. Are you promoting an event like NRF? Use 'nrf'. If it is part of a new marketing campaign, use the name of that campaign.

Term is optional, but can be used if there is a keyword associated with where you're sharing the link. This parameter is generally used to identify the search term used to find a paid ad for example.

Content is a good parameter to use when you are sharing multiple links from the same source/medium. If you have the same link in two different LinkedIn posts, you could use 'content' to differentiate based on the thumbnail used, or time of day. For example, 'Content' could be 'wed-afternoon' and 'thurs-morning' to describe when it was posted, or 'platform-thumbnail' or 'man-holding-clipboard' to describe the image associated with the link.
