We invite security researchers and ethical hackers to help identify vulnerabilities in our platform. Report responsibly, earn rewards, and help us build a safer digital environment.
At Zid, safeguarding our customers' data and maintaining the integrity of our platform are top priorities. To strengthen our security posture, we invite security researchers and ethical hackers to help us identify vulnerabilities through our Security Vulnerability Reward Program. This program rewards individuals who responsibly disclose security issues, ensuring a safer digital environment for everyone.
Help us defend the data and trust of thousands of merchants on our platform.
Discover and responsibly disclose security vulnerabilities to our team.
Receive fair rewards based on severity and the quality of your report.
To participate in the rewards program, you must meet the following criteria.
Be a security researcher or ethical hacker acting in good faith with a demonstrated history of ethical behavior, ensuring no harm has been caused to Zid platforms now or in the past.
Comply with all applicable laws, and do not violate the privacy of Zid users or disrupt their experience or data.
Not be employed by Zid or its affiliates.
We are looking for vulnerabilities across all public-facing Zid services.
Investigate Zid systems within the scope outlined above. Focus on areas that could have meaningful security impact.
Submit your findings to our security team at cyber.incidents@zid.sa. Include:
The level of detail in your report determines ease of fixing and is factored into the reward. Vague reports may not qualify.
Our team will acknowledge your submission within 72 working hours and provide updates on the status. Resolutions are targeted within 30 business days, depending on complexity.
Once the vulnerability is validated and resolved, you will receive a reward based on severity and report quality.
We value the time and effort of security researchers. Rewards are determined based on the CVSS score and the quality of the report. Bonuses may be added for comprehensive details or remediation suggestions.
Remote Code Execution, Authentication Bypass, and similar critical impact vulnerabilities.
SQL Injection, Privilege Escalation, and similar high impact vulnerabilities.
Sensitive Data Exposure and similar medium impact vulnerabilities.
Low impact vulnerabilities with limited security implications.
Bonus Rewards: Additional bonuses are given for the quality of the report and the ease with which our team can fix the issue based on the information provided.
To qualify for a bounty, researchers must follow these guidelines.
Avoid disrupting Zid operations or accessing unauthorized data.
Refrain from publicly disclosing vulnerabilities before the issue is resolved.
Follow ethical hacking principles throughout the investigation.
Do not exploit any finding beyond what is needed to demonstrate it, and ensure no harm is done to any Zid systems.
Provide at least 90 days' notice before considering any public disclosure.
Do not access data beyond what is required to demonstrate the vulnerability.
No bounty will be paid for the following.
Vulnerabilities already reported or known to Zid.
Findings that do not represent a valid security vulnerability, such as general best practice recommendations or false positives.
Vague or purely conceptual reports that do not give the team enough information to reproduce and fix the reported vulnerability.
Incomplete reports may result in delayed triage or ineligibility for rewards.
Send your findings to our security team. We'll respond within 72 working hours.
cyber.incidents@zid.sa