ZOL Zimbabwe Vulnerability Reward Program (VRP) Rules

ZOL Zimbabwe’s Vulnerability Reward Program was created to show our appreciation to the external contributors who help keep our users safe.


Scope

In principle, any ZOL-owned web service that handles reasonably sensitive user data is intended to be in scope. This includes most of the content in the following domains:

  • *.zol.co.zw
  • *.zolgeeks.co.zw
  • *.myzol.co.zw
  • *.zolspot.co.zw
  • *.zolphone.co.zw

Bugs in ZOL-developed apps as well as some of our network configurations will also qualify.

Third-party websites, applications and networks are exempt from this program. Some ZOL-branded services may be hosted and operated by our vendors or partners. We cannot authorize you to test these systems on behalf of their owners and will not reward such reports. Please examine domain and IP WHOIS records and contact us first if in doubt.


Qualifying vulnerabilities

Any design or implementation issue that substantially affects the confidentiality or integrity of user data is likely to be in scope for the program. Common examples include:

  • Authentication or authorization flaws
  • Server-side code execution bugs
  • Cross-site scripting
  • Cross-site request forgery

The following table may be used as a guideline:

  Category                                                          Examples
  ----------------------------------------------------------------  ------------------------------------------------------------------------------
  Remote code execution                                             Command injection, deserialization bugs
  Unrestricted file system or database access                       SQL injection
  Logic flaws leaking or bypassing significant security controls    Direct object reference, remote user impersonation
  Execute code on the client                                        Web: cross-site scripting
                                                                    Mobile / Hardware: code execution
  Other valid security vulnerabilities                              Web: CSRF, clickjacking
                                                                    Mobile / Hardware: information leak, privilege escalation, network vulnerabilities


Note that the scope of the program is limited to technical vulnerabilities in ZOL-owned mobile/web applications and networks; please do not try to sneak into our offices, attempt phishing attacks against our employees, or engage in related acts.

Out of concern for the availability of our services to all users, please do not attempt to carry out DoS attacks, or do other similarly questionable things. We also strongly discourage the use of any vulnerability testing tools that automatically generate very significant volumes of traffic.


Non-qualifying vulnerabilities

All reports are reviewed on a case by case basis. Depending on their impact, some of the reported issues may not qualify. Here are some examples:

  • Cross-site scripting vulnerabilities in “sandbox” domains - Unless an impact on sensitive user data can be demonstrated within a sandbox environment, we do not, for example, consider the ability to execute JavaScript in that environment to be a bug.
  • Bugs requiring extremely unlikely user interaction - For example, a cross-site scripting flaw that requires the victim to manually type an XSS payload into the Fibroniks coverage map and then double-click a contact-us link is unlikely to qualify.
  • Logout cross-site request forgery - The design of HTTP cookies means that no single website can prevent its users from being effectively logged out; consequently, application-specific ways of achieving this goal will likely not qualify.
  • Presence of version information - Version information does not, in itself, expose a service to attacks and is therefore not considered a bug. However, if you find outdated software and have good reasons to suspect that it poses a well-defined security risk, please let us know.


Rewards

The final amount is always chosen at the discretion of the ZOL Zimbabwe Reward Panel. The considerations shall include, but will not be limited to, the following:

  • higher rewards for unusually clever or severe vulnerabilities
  • lower rewards for vulnerabilities that require unusual user interaction
  • whether a single report actually constitutes multiple bugs
  • whether multiple reports are so closely related that they only warrant a single reward

As some of you are not interested in money, we offer the option to donate your reward to an established charity of your choice. If you do so, we will double your donation - subject to our discretion. Any unclaimed rewards will be donated to a charity of our choosing after 12 months.


Investigating and reporting bugs

If you have found a vulnerability, please contact us at vulnerabilities@zol.co.zw. If necessary, we’ll provide a PGP key upon request.

When investigating a vulnerability, please do not target anyone else’s data, or services. Only ever target your own accounts or services and do not engage in any activity that could be disruptive or damaging to ZOL or our customers.

  • We are unable to issue rewards to individuals specified under the provisions of any law in Zimbabwe, individuals who are on sanctions lists, or who are outside Zimbabwe. Rewards will only be paid on condition that you do not disclose the vulnerabilities to any person or institution other than ZOL.
  • Rewards shall only be paid to individuals who sign a Confidentiality Agreement with ZOL Zimbabwe.
  • All payment of rewards assessed by the ZOL Zimbabwe Rewards Panel shall be full and final rewards for the reported issue(s).
  • You are responsible for any tax implications as prescribed by the laws of Zimbabwe.
  • This is not a competition, but rather an experimental and discretionary rewards program. Please understand that we can cancel the program at any time at our discretion, and the decision as to whether or not to pay a reward will be entirely at our discretion.
  • Your testing must not violate any law, or disrupt or compromise any data that is not your own.
  • ZOL Zimbabwe will not absolve you of liability for breaching any laws of Zimbabwe for any reason whether or not it is directly related to this Vulnerability Rewards Program.
  • This Vulnerability and Rewards Program shall be governed by the laws of Zimbabwe.