WinZO Bug Bounty Program

WinZO believes in ensuring a secure and transparent platform experience for everyone involved. With this in mind, we want to work with security researchers to foster an environment of continuous security enhancements and mitigate and help disclose potential security vulnerabilities.

Reporting Guidelines

• The vulnerability highlighted by you must be original, and should not be something that is publicly disclosed already or previously reported to WinZO.
• The report should be based on vulnerabilities identified on the latest version of WinZO publicly available to the user.

Eligibility Criteria for Reporters

• You are above 18 years of age and if currently a minor, you’ve your parents’/guardians’ permission to report vulnerabilities.
• You’ve not been an employee of WinZO nor have been associated with any subsidiary of WinZO in the last 1 year.
• You’re not a family member/relative of any individual who has been an employee of WinZO or associated with any subsidiary of WinZO in the last 1 year.
• You’re not having any background of illegal activities under the local laws of your region and country.
• You’re submitting the report under your own capacity; if it is on the behalf of your employer or someone else, you should have their written approval to go ahead and use their name while submitting the vulnerability report.

Scope of Possible Vulnerabilities

• Signup flow & login authentication in the app
• Score submission and result calculation across games on the platform
• Payment flows
• Exploitation through rooted devices

What’s Not Allowed?

• You should not be interfering with any other user’s data on the platform to expose the said vulnerability.
• You should not be coordinating phishing or social engineering attacks on the platform while trying to expose the vulnerabilities.
• There should not be any scripts or automated tools used to identify vulnerabilities that result in negatively impacting the performance of the WinZO platform.

Format of Submissions (Scope of Eligible Reports)

• The report submitted should clearly document the vulnerability identified.
• It should list the feature and version of the app used to identify this issue.
• It should outline the steps required to reach the vulnerable state.
• It should document the impact of vulnerability being exposed and the likelihood of a successful exploit.
• It should have the proof of concept (POC) code/video to enable the internal team to reproduce the existence and scope of the vulnerability identified.
• The report can have potential security fixes around the vulnerability to qualify for greater awards.

Ineligible Reports

• The reports should not highlight vulnerabilities that are out of scope of the Bug Bounty program.
• The version used should not be an older one than available publicly to the user or a pre-release version (Beta).
• The exposed vulnerability is something already known to WinZO. However if you’re the first one to highlight it to us, you may still be eligible for the bounty at the discretion of WinZO.

Disclosure Agreement

• By participating in the program and reporting vulnerabilities, you agree that you’ve not and will not disclose this information to anyone else.
• You must provide the team with ample time to verify and address the reported vulnerabilities.

T&Cs

• You must comply with all the laws of the platform as well as local laws of the country or region you reside in.
• Any conduct of the security researcher that at any time appears to be unlawful, violates the rules applicable may lead to disqualification of the submission and/or any possible bounty earned.
• By submitting your report to WinZO, you’re agreeing to its use in checking for vulnerabilities exposed and subsequent security measures, as well as; any further external publishing and/or internal use of the same by WinZO.
• By participating in the program, you’re acknowledging the fact that WinZO won’t have any responsibility of any kind towards any damage caused by virtue of participating in this program directly or indirectly.

Bounty Structure

• The bugs reported will be analyzed by the WinZO team and if they qualify under the conditions of the program, their severity will be identified through internal measures.
• The awards to be given, if any, will be at the sole discretion of WinZO.
• Awards will be provided by WinZO only on successful first reporting of a potential root-cause vulnerability exposed.
• Awards may change with time and don’t necessarily depend on past instances of such award disbursements.

Awards May be Greater:-

• In case of higher security impact of the vulnerability observed.
• In case potential security fixes are provided along with the vulnerability exposed.
• In case of a properly documented report with proof of concept (POC) and other requirements outlined in the eligible reports criteria.

Communication Schedule

• The internal security team after receiving the vulnerability report will contact you in acknowledgement of the same.
• The team then works on the said vulnerability, checking if it’s a new vulnerability we’ve observed or received, checking its scope and further working to strengthen the security measures around it.
• The reporter can expect to receive timely communications at a frequency depending on the scope of the vulnerability observed.
• The awards will be disbursed at the discretion of WinZO according to the factors defined in the bounty structure and depending upon documentation of the report, among other things.

Submission Link

You can submit your findings in the following link