WinZO is committed to providing a safe and transparent platform for all users. We are eager to collaborate with security experts to promote ongoing security improvements and address any potential vulnerabilities that may arise.
Reporting Guidelines
The vulnerability brought to our attention must be unique and not already publicly disclosed or previously reported to WinZO.
The report should be based on vulnerabilities found in the most recent version of WinZO that is available to the general public.
Eligibility Criteria for Reporters
- You are above 18 years of age; if you are currently a minor, you have your parents’/guardians’ permission to report vulnerabilities.
- You have not been an employee of WinZO, nor been associated with any subsidiary of WinZO, in the last 1 year.
- You are not a family member/relative of any individual who has been an employee of WinZO or associated with any subsidiary of WinZO in the last 1 year.
- You do not have any background of illegal activities under the local laws of your region and country.
- You are submitting the report in your own capacity; if it is on behalf of your employer or someone else, you should have their written approval to go ahead and use their name while submitting the vulnerability report.
Possible Vulnerabilities Scope
- Registration process and authentication for logging into the application
- Recording and calculating scores for various games on the platform
- Payment procedures and transactions
- Potential exploitation through rooted devices
Prohibited Actions
- It is forbidden to tamper with another user’s data on the platform in order to expose vulnerabilities.
- Engaging in phishing or social engineering attacks on the platform while attempting to reveal vulnerabilities is strictly prohibited.
- The use of scripts or automated tools to identify vulnerabilities that may negatively impact the performance of the WinZO platform is not allowed.
Submission Guidelines (Scope of Eligible Reports)
- The submitted report must clearly detail the identified vulnerability.
- It should specify the feature and version of the app used to discover the issue.
- The steps necessary to reach the vulnerable state should be outlined.
- The report should describe the impact of the exposed vulnerability and the likelihood of a successful exploit.
- Including proof of concept (POC) code/video is essential to help the internal team reproduce the identified vulnerability.
Reports that Do Not Qualify
- Reports should not focus on vulnerabilities outside the Bug Bounty program’s scope.
- The version used must not be older than the one publicly available to users, nor a pre-release (Beta) version.
- If the vulnerability is already known to WinZO but you are the first to report it, you may still be eligible for a bounty at WinZO’s discretion.
Confidentiality Agreement
- By participating in the program and reporting vulnerabilities, you agree not to disclose this information to anyone else.
- Allow the team sufficient time to verify and address the reported vulnerabilities.
Terms and Conditions
- Compliance with all platform rules and local laws is mandatory.
- Any actions by the security researcher that are deemed unlawful or violate applicable rules may result in disqualification and forfeiture of any potential bounty earned.
- By submitting a report, you agree to these terms and conditions.