This page is intended for security researchers. To find out more about Retail Zipline’s security, please visit our security information page.
If you believe you have found a security vulnerability on Retail Zipline, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem.
Please submit your report on HackerOne and our security team will respond as soon as possible.
If you give us a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you.
To show our appreciation for our security researchers, we offer a monetary bounty for certain qualifying security bugs.
Our minimum reward is $50 USD for minor issues, while we expect to reward $250+ USD for major vulnerabilities.
There is no maximum reward: each bug is awarded a bounty based on its severity and creativity.
Only 1 bounty per security bug will be awarded.
To qualify for a bounty, you must:
Adhere to our Responsible Disclosure Policy (above)
Be the first person to responsibly disclose the bug
Report a bug that could compromise the integrity of Retail Zipline user data, circumvent the privacy protections of Retail Zipline user data, or enable access to a system within the Retail Zipline infrastructure, such as:
Our security team will assess each bug to determine if it qualifies.
The following bugs are not eligible for a bounty (and we do not recommend testing for these):