Zilllow Group Vulnerability Disclosure Policy
Zillow’s mission is to give people the power to unlock life’s next chapter, and our customers rely on Zillow and its affiliates to help them complete real estate transactions with reliability and confidence as real estate’s most trusted brand. We work hard to earn and keep that trust by protecting the information our customers provide to us, and Zillow encourages and rewards the responsible disclosure of security vulnerabilities.
This policy sets out our expectations and requirements for responsible disclosure. If you believe you have discovered a security vulnerability in one of our products, services, sites, or apps, we encourage you to fill out the form below.
We partner with Bugcrowd to validate and assess reported vulnerabilities. For the initial prioritization/rating of findings, we use the Bugcrowd Vulnerability Rating Taxonomy.
Rules of Engagement:
- Provide details of the vulnerability finding, including information needed to reproduce and validate the report.
- Ensure that communication with our personnel happens exclusively through the defined channels in this policy.
- Do not disclose any specific, non-public data (e.g., customer records, passwords) outside of the approved reporting channels described in this policy (e.g., in a chat room, on social media, to your friends).
- Do not intentionally access or modify data in an account that does not belong to you. If you require an account to test a potential vulnerability, please contact bugbounty@zillowgroup.com.
- Do not execute, or attempt to execute, brute-force attacks or “Denial of Service” attacks of any kind.
- Do not attempt to conduct any post-exploitation activities including, but not limited to, modification, destruction, or exfiltration (for reporting purposes a database table listing is enough) of data, or uploading malicious software (e.g., php webshell, malicious javascript, etc).
- Do not attempt to target our customers, partners, or personnel, including social engineering attacks or phishing attacks.
- Do not perform physical attacks of any kind against our facilities.
- Do not use automated active scanners, crawlers, or tools (e.g., Burp Suite, nmap). Passive scanners are allowed.
- Do not intentionally interfere with, obstruct, degrade, or otherwise impair the proper functioning of any ZIllow product, service, website, or application.
- Your activity must comply with all applicable laws and regulations.
NOTE: Please do not use third-party sites when doing testing (for instance, <yourdomains>@xss.ht) – while we understand the use case and value of this testing, when doing blind XSS (or any) testing, this policy requires that you utilize only assets that you explicitly own (and control) yourself. While we support blind XSS (SSRF, etc.) testing, all of it must go through domains over which you have control.
Safe Harbor
We believe that responsible disclosure makes the internet safer for all of us, and will not take legal action against, nor suspend or terminate the accounts of, researchers who discover and report security vulnerabilities in good faith and in accordance with this Vulnerability Disclosure Policy.
Other than security research performed in compliance with this policy, the use of Zillow’s products, services, websites, and apps is subject to the applicable Terms of Use for each service. This policy does not waive any of Zillow’s rights under those terms.
Note that we cannot authorize any security research activity targeting third parties, and Zillow is not responsible for any such activity, even if the third-party system or data is accessible through Zillow’s services.
To protect your privacy, we will not, unless required by law or to address a violation of this policy, share your personal information with third parties or share your research without permission.
We require that you wait for written confirmation that the vulnerability has been patched before disclosing the vulnerability publicly. If applicable, we will coordinate public notification of a validated vulnerability with you. When possible, we would prefer that our respective public disclosures be posted simultaneously.
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please inquire via bugbounty@zillowgroup.com before going any further.