Bug Bounty Program.

Before submitting a claim, please read some of the guidelines and scope of the program.

If you have other issues with your account, please use the links or contacts below for help.

Account was compromised or help with accounts: https://help.zoominfo.com/ or helpmenow@zoominfo.com or contact your account rep directly

Accessing another person’s account while logged into your account violates a number of laws and can be seen as a breach of your contract.

Bug Bounty Scope

Included applications in the ZoomInfo suite of products and services:

• app.zoominfo.com
• ce.zoominfo.com
• engage-app.zoominfo.com
• go.zoominfo.com
• go.discoverydb.com
• app.neverbounce.com
• mobile-app.zoominfo.com
• api.tellwise.com
• chorus.ai
• payments.zoominfo.com

Vulnerabilities in third-party libraries that integrate with ZoomInfo are within scope only where the vulnerability must have some potential impact on ZoomInfo user data or systems (e.g. access token disclosure).

Vulnerabilities identified by another person or by an organization will not be eligible for the Bug Bounty program.

Qualifying Vulnerabilities

Any issue that affects the integrity or confidentiality of user data, would likely be considered in scope. Some examples include:

• Cross-site scripting (XSS)
• Cross-site request forgery (CSRF)
• Mixed-content scripts
• Authentication or authorization flaws
• Server-side code execution bugs

Out-of-scope activities:

Any of the following (or related) activities, will be automatically considered out of scope for the bug bounty program:

• Dangling DNS records related issues
• Banner or version disclosure of servers/softwares
• Use of outdated/vulnerable softwares/components versions (without evidence of the exploitation)
• Default configuration files which do not disclose sensitive information
• Descriptive error messages and debugging information (stack traces, path disclosure, etc.)
• HTTP Security headers related issues (including X-Frame-Options and Clickjacking, content-security-policy, x-xss-protection, etc.)
• Lack of Secure and HttpOnly flags on non-sensitive cookies.
• Enabled OPTIONS/TRACE HTTP methods
• Content injection or “HTML injection” unless you can clearly show risk
• Self Cross-Site Scripting (aka Self XSS)
• Cross-Site Request Forgery (CSRF) for non-sensitive or significant actions (logout, etc.)
• Cross-Site Request Forgery (CSRF) on features which available to anonymous users
• Lack of brute force protection on login pages and forms
• Missing (or bypass) of rate limit mechanisms
• Account lockout enforcement
• Users enumeration via error messages of failed login attempts
• Failure to invalidate session on 2FA implementation or on password change
• Lifetime duration or invalidation of “sign-up” or “reset password” tokens
• User session duration or invalidation
• Spam or social engineering (phishing) attacks
• Exploits that require (or partly require) physicals access to the target external device/account or unlikely user interaction
• SMTP Policy related issues (including SPF, DKIM and DMARC)
• Theoretical subdomains takeovers claims with no supporting evidence
• Email/SMS flooding attacks
• Denial-of-service (DoS) attacks
• Distributed DoS (DDoS)
• Other third-party apps or websites that integrate with ZoomInfo that are not relevant to our component integration
• Outdated and non-supported mobile applications
• Weak TLS version and insecure SSL/TLS ciphers
• Certificates related issues
• Bugs which do not affect and exploitable on the latest version of modern browsers
• Reports lacking evidence of the exploitability (PoC which actual demonstrate the compromise is required)
• Bugs Zoominfo already aware of (or previously submitted by another researcher)

False Positives:

Reported findings missing part or all the proof of potential exploit, or whether the finding cannot be reproduced, will be considered as a false positive.

Bug Bounty Reporting

Reporting your findings and how you found the bug/vulnerability must be noted down:

• What you have found in detail so we can investigate your claim thoroughly
• Steps and what you saw
• What you are able to see or do
• Can see or extract data which is not yours
• Connect as another user
• Connect to systems that are not included in the direct use of the service
• Anything else you think is needed in evaluating your claim.

Bug Bounty Rules of Engagement

We appreciate the value a Security Analyst brings as an independent, spending time testing systems to help companies like ZoomInfo improve their security posture.  Rules of engagement include the following but are not limited these:

• You do not exploit a security issue you discover for any reason other than to validate your finding.
• You only use an account you are assigned and not one that is not yours.
• You are able to demonstrate the vulnerability found is yours and no other third party identified it.
• You are not paid for testing our products and services.
• You provide us sufficient time to investigate and mitigate the vulnerability.
• You do not post the vulnerability for others to take advantage of it prior to us closing it.
• Report a security bug that identifies a vulnerability in our services or infrastructure which creates a security or privacy risk.
• Report a security bug that no other person or companies has already issued before you.
• Report your finding without undue delay.
• Your vulnerability can be verified by our team to be an actual valid bug/vulnerability that can be exploited.
• Meet all the criteria as outlined in this bug bounty program. We reserve the right to report this event and activity as we see fit.
• We may retain any communications about security issues you report for as long as we deem necessary for program purposes.
• Changes, adjustments, outsourcing or cancellation may be made at any time without notice.
• All bounty awards are permitted by applicable laws, including (but not limited to) US trade sanctions and economic restrictions.

Payments

Whether we will pay any award in response to a report of a vulnerability affecting our products and services is completely under ZoomInfo management discretion. Factors that will influence our award decision include but are not limited to:

• Our ability to verify the vulnerability and ensure that it is remediated, the extent of the potential impact the vulnerability could have on ZoomInfo user data or systems if not closed.
• Bounties are completely under ZoomInfo management discretion are based on risk, impact, and a variety of factors, including (but not limited to) impact, ease of exploitation, and quality of your findings.

Note that extremely low-risk issues may not qualify for a bounty at all unless your finding leads us to discover higher-risk vulnerabilities, we may, at our sole discretion, pay an increased award. A payment will require you to provide the following detail:

• Full Name
• ID Number
• Country of residence
• Tax number if available
• Phone number
• Address

Payments will be made using Amazon Gift cards.

Disclaimer:

The following criteria must be met in order to participate in the ZoomInfo Bug Bounty Program.

• You are not a resident of a U.S. Government embargoed country.
• You are not on a U.S. Government list of sanctioned individuals.
• You are 18 years or older.
• You are not currently nor have been an employee of ZoomInfo Corporation or subsidiary.
• You are reporting as an individual and not part of a company.
• You or any member of your family is not under any contracting agreement with ZoomInfo or a subsidiary and has not been for the past 6 months.
• You did not and will not access any personal information that is not your own, including exploiting the vulnerability.
• You did not and will not violate any applicable law or regulation, including laws prohibiting unauthorized access to information.
• Your country of residence may have Local laws adding restrictions on your eligibility to participate in the bug bounty.
• You provide the necessary payment and identity information to enable us to validate the above information.