This Code of Conduct outlines the behaviors required of all members of the Zerocopter network who have an account in the Zerocopter marketplace, as well as participants in other initiatives and events that Zerocopter may offer.
This Code of Conduct applies to all interactions you have with Zerocopter employees, users, organizations and hackers, and will help ensure we maintain a safe and welcoming place for all.
Zerocopter is the security marketplace where hackers and organizations come together. Transparency and collective effort are part of our values, and we expect everyone to act professionally.
All communication should be appropriate for a professional audience. Be kind to others. Behave professionally. Harassment and sexist, racist, or exclusionary jokes are not appropriate.
Any type of discrimination, racism, sexism, harassment and bullying towards our network or employees will not go without consequences. The same applies to extortion and blackmail attempts. Impersonating and social engineering users, hackers, programs or Zerocopter employees without explicit permission is not allowed.
We believe in open communication at all levels. In order to ensure that this is done in a professional manner, we ask you to only communicate with each other via the comments in the Zerocopter marketplace, unless otherwise stated in a program’s briefing, or unless you have exchanged contact details via the marketplace and have explicit permission to contact someone outside of it.
Be prompt in reporting vulnerabilities you have identified, but refrain from submitting placeholder reports and take the time to verify your work before submitting it.
All valid findings must be submitted with a full description, proof of concept, and complete reproduction steps in the original report. Findings without a description, proof of concept, and reproduction steps will be closed, and must be re-submitted with the required information to be considered for the program.
Read and abide by Zerocopter’s terms & conditions for hackers and each program’s Briefing or Coordinated Vulnerability Disclosure statement. We expect you to follow all guidelines and rules that a program or organization has outlined regarding scope of testing and disclosure.
Don’t share confidential vulnerability or user information. Bug bounty programs are private, and no submitted vulnerability (including duplicates, Out of Scope, Not Applicable, etc.) may be disclosed without explicit permission. Please read each Bug Bounty Briefing for specific program disclosure policies, which overrule this policy. We expect everyone to use the proper channels to disclose or communicate about vulnerability submissions. If you have any questions about disclosure, please email Zerocopter Support.
Do not spam programs with low quality findings or findings you do not understand. This creates noise and distracts triage and organizations from the actual vulnerabilities they should be focusing on.
Don’t do more than what is necessary to demonstrate the vulnerability. Limit the amount of data you access. Cease testing if you encounter user data, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information and submit a report.
Never attempt to degrade services and always keep in mind the proportionality of your attack.
Do not make use of attacks on physical security, social engineering or hacking tools, such as vulnerability scanners.
We do not tolerate the use of illegal, pirated or cracked software. We expect members of our network to act ethically as hackers and to refrain from using illegal, pirated or cracked software.
Failure to comply with the Code of Conduct and terms & conditions will result in warnings and sanctions. Sanctions may also be imposed for behavior that occurs outside the marketplace (e.g. sexist comments towards anyone from the Zerocopter network on social media), or on other platforms.
Behavior | Definitions and examples | Sanction |
---|---|---|
Disruptive behavior | Spamming programs with low quality findings or findings you do not understand; spamming for updates; submitting a high amount of support tickets; testing which causes a disruption for the program (e.g. submitting support tickets by automated means on one of the targets of the program, disrupting customer service of the organization); tampering with test environments or accounts to exclude other hackers | Warning |
Unprofessional behavior | Using unprofessional language or being disrespectful towards anyone from our network; leaving rude comments | Warning |
Communication outside of the Zerocopter marketplace | Directly contacting one of the community members outside of the platform without permission; asking for updates on reports via DM on social media; asking for updates on reports via email or ticket systems of a user or organization | Warning |
Service degradation | Attempting to degrade services, or testing without keeping in mind the proportionality of your attack | Program ban |
Out of scope testing | Testing outside of the scope of the program; repeatedly submitting reports that are out of scope*; not following the Bug Bounty briefing | Program ban |
Disclosure of bug bounty program information | Bug Bounty programs from customers are private and may not be disclosed without explicit permission. | Suspension |
Disclosure of report information without permission | No submitted vulnerability (including duplicates, Out of Scope, Not Applicable, etc.) may be disclosed without explicit permission. | Suspension |
Abusive behavior | Any type of violence, discrimination, racism, sexism, harassment and bullying towards our users, hackers or employees will not go without consequences. Aggressive and/or extreme behavior: abusive or threatening language; being violent or aggressive; inappropriate physical contact (at any Zerocopter or industry events) and/or unwelcome sexual attention. Harassment: offensive content related to, for example, gender, sexual orientation, religion, race, disability, etc.; intimidation, stalking, following or seeking uninvited personal contact with Zerocopter employees, users or hackers via personal communication channels, harassing materials, photography or recording; unjustified accusations against Zerocopter employees, hackers or users; personal attacks | Platform ban |
Impersonating and social engineering | Impersonating or social engineering users, hackers, programs or Zerocopter employees without explicit permission is not allowed. | Platform ban |
Extortion and blackmail | Threats and attempts to obtain money by coercion are not allowed; asking for a bounty before disclosing the vulnerability to the triage team and the customer, making them unable to evaluate the vulnerability and assess the impact | Platform ban |
*High or Critical vulnerabilities that are out of scope of the Bug Bounty program briefing but should be brought to the attention of the customer may be exempted; you will not receive a warning. Zerocopter’s triage team will evaluate the report and, after validating it, send it to the customer for evaluation. The customer can decline the report.
For a warning, you will receive a message from Zerocopter outlining which behavior the warning is about and what will happen if you have another incident.
For a program ban, you will receive a message from Zerocopter outlining which behavior caused the program ban and what will happen if you have another incident.
For a suspension, you will receive a message from Zerocopter outlining why and for how long you are suspended from the Zerocopter marketplace and what will happen if you have another incident.
For a platform ban, you will receive a message from Zerocopter outlining why you are banned from the Zerocopter marketplace, and your account will be terminated.
Warnings, program bans and suspension will be on record for 12 months. After that, they will expire and are not typically considered when reviewing new sanctions.
Please reach out to us via [email protected] if you think someone is violating the rules.