I found a vulnerability on the Zerocopter site. Where do I report this?
At Zerocopter the security of our systems is a top priority. No matter how much effort we put into system security, there may still be vulnerabilities present. If you discover a vulnerability, we would like to know about it so we can take steps to address it. We ask you to help us protect our clients and our systems.
Read more about our responsible disclosure policy and submit your finding here.
What is responsible disclosure?
A Responsible Disclosure policy asks anyone who discovers a vulnerability in your online environment to report it as soon as possible, so you can address it quickly. You make this policy visible to all of your users, for example by mentioning it on your homepage. Vulnerabilities discovered by users are compiled by Zerocopter and reported to you in an easy-to-understand overview of the problem. With the extra option of Responsible Disclosure with Triage, all reports are reviewed by our Triage Team of security experts, so you and your team only deal with validated reports of relevant vulnerabilities. The reports are presented in your own dashboard, and you and your team will receive an email whenever a report has been added or edited.
What is a researcher program?
With a researcher program we offer the possibility to have a selected group of the best ethical hackers search for unknown vulnerabilities on your website. All researchers on our platform are screened and tested, so we can be sure we only work with the best and most reliable researchers in the world. All reported issues are reviewed and validated by Zerocopter's Triage Team before they are published to the dashboard. The researchers are rewarded on a no-cure-no-pay basis, per approved vulnerability.
Where do the researchers come from?
The researchers come from all over the world, except for countries that are on the U.S. sanctions list.
How do you screen researchers?
For our researcher programs we work with a carefully selected group of security experts worldwide.
The assessment of these experts is our top priority, and we take the following steps, which we are authorized to take:
- Review and check personal information through an ID verification check
- Review the ethical hacker's track record through an internet background check
- The selection is done by our own security experts. When irregularities occur, we are authorized to exclude a researcher from the community.
- We agree with the researcher that they have to respect the client's briefing
- We agree with the researcher that they have to respect the scope formulated by the client
- Both clients and Zerocopter are authorized to address any irregularities with researchers
In the agreement between us and them, the researchers have declared that they will keep all information provided in relation to the Services strictly confidential. All stated terms and conditions apply to researchers.
What does the scanner do?
The scanner finds known vulnerabilities in your site. Our scanner is a combination of the best vulnerability scanners available on the market. For example, Nessus is integrated into our scanner, and we are working to integrate more scanners covering every aspect of your organisation.
Read more about how it works here.
How do I become a researcher?
There are two ways to become a researcher at Zerocopter: we personally invite researchers, or you can apply to become one here.
The option to apply as a researcher at Zerocopter is currently closed due to a high number of recent applications. Please check back later.
What are the rewards?
We have a static reward table. When you report a vulnerability, you can already see what the reward will be for that specific vulnerability.
How does the triage process work?
When you submit a report to a program in Zerocopter, one of our Triage Team members will determine whether the vulnerability fits the given category, whether it is in scope for the program, and whether the report is complete. Our Triage Team does not validate whether the vulnerability actually works, only whether the content of the report is reasonable.
Am I allowed to blog/write/share information about vulnerabilities?
No, you're not allowed to share information about vulnerabilities. To share information about a vulnerability, the program owner needs to give explicit permission.
How long do payments take?
When a vulnerability is marked as "resolved" and you are the first to have reported the issue, Zerocopter will do everything it can to transfer the payment within a week.
How do I receive my reward?
Payments are distributed via PayPal and Bitcoin. To receive payments, make sure that you have a valid PayPal account or Bitcoin address. You can enter your billing information on the settings page in the Zerocopter app.
When will my researcher request be accepted?
We're letting people in gradually; you'll get an email when you are accepted. Keep in mind that the waiting list is very long, so it can take a while before we consider you as a researcher.