Last Updated: September 4, 2024
Bug Bounty Program
Security is paramount for us at ZipperTax and will always remain our #1 priority. To that end, we welcome and appreciate the efforts of security researchers who help us identify important security vulnerabilities that may otherwise impact the safety and privacy of American taxpayers.
To make a report, or if you have any questions, please reach out to [email protected]. We aim to respond to your inquiries within 24-48 hours. Typically, we pay a minimum bounty of $100 and a maximum bounty of $12,500 per eligible report to the first reporter of an issue.
Ground Rules
- Follow HackerOne's disclosure guidelines.
- The reported vulnerability must not be directly related to issues typically identified by publicly-available vulnerability scanners.
- Do not disclose a vulnerability publicly without written permission from an executive at ZipperTax, even after a fix has been implemented. We will not withhold permission if the reason and scope of the public disclosure is reasonable.
- Please don’t affect other users on the platform (including the use of social engineering)! Only interact with accounts you create on the platform. You should also keep track of a list of accounts you create to submit with your report.
- If you come across information of real users (e.g., name, SSN, tax documents), please immediately redact/delete the information.
- For any requests to the platform (including API requests and page visits), please limit your speed to 5 requests or less per second. You may email us for approval of an increased limit if it is warranted.
Scope
- In scope
- Out of scope
  - Related third-party sites not directly operated by ZipperTax (including Notion, used for security.zipper.tax, jobs.zipper.tax, terms.zipper.tax, etc.)
  - Missing flags/attributes in cookies and headers (including content security policy), unless it causes a flagrant security concern and was not intentionally omitted (i.e. for functionality)
  - Vulnerabilities only affecting outdated browsers (less than 2 stable versions behind the latest released stable version)
  - Denial of service (DoS) and brute-force attacks (e.g., guessing passwords of users)
  - Attacks requiring physical access to a user’s device
  - CSRF attacks on forms with no sensitive operations (e.g., newsletter sign up form on zippertax.com)
What makes a good report?
We can only give you a bounty if you can give us good information we can act on! A good report should have these helpful pieces of information (inspiration from Google’s guide):
- An accurate & detailed description of the issue (a demo video would be awesome!)
- Steps to reliably reproduce the issue