Zarrino Bug Bounty

Help keep Zarrino and our products safe. Report verified vulnerabilities, get rewarded up to 500,000,000 Tomans, and help protect users and their data.

500M

Maximum Reward

3-7

Days Response Time

100%

Safe Harbor Protection

What We Protect

Our bug bounty program covers critical infrastructure across multiple products, with special focus on user data protection.

Herlife

Health, medical, and PII data exposure treated as especially critical. We prioritize user privacy above all.

Internal Services

Access control violations and data exfiltration that could compromise internal systems are critical findings.

Reward Framework

Rewards are determined by severity, exploitability, user impact, and data sensitivity. All amounts in Tomans.

Critical

500,000,000Toman

Up to this amount

•RCE on production servers
•Full database export of PII/health records
•Massive deface or financial takeover

High

200,000,000Toman

Up to this amount

•Wide-scoped IDOR exposing sensitive data
•SSRF to internal metadata revealing secrets
•Authentication bypass
•Arbitrary financial balance modification

Medium

50,000,000Toman

Up to this amount

•Stored XSS that can steal tokens
•Limited SQLi exposing records
•Privilege escalation with limited scope

Low

10,000,000Toman

Up to this amount

•Open redirects
•Minor information leaks
•Low-impact misconfigurations

Informational

Non-monetary acknowledgment

•Best practice recommendations

•Minor security improvements

•Documentation issues

•Non-exploitable findings

In-Scope Assets

Test only the domains and services listed below unless you receive written confirmation from Zarrino security.

Primary

Herlife

Authorized testing targets

app.herlife.app/*

Herlife PWA / Android wrapper

api.herlife.app/*

Herlife API

*.herlifeapp.ir/*

Herlife website

Primary

Corporate

Authorized testing targets

zarrino.io

Corporate landing site

*.zarrino.tech

Internal/service subdomains

Secondary Assets (Lower Priority)

herlifeapp.com

Rules of Engagement

Follow these guidelines to ensure your testing is safe, legal, and eligible for rewards.

Do

✓Test only assets listed in the in-scope section
✓Limit the amount of real user data you access
✓Provide clear PoC and reproduction steps
✓Use responsible testing methods that avoid disrupting production
✓Stop immediately after confirming PII exposure and notify us

Do NOT

✗Perform social engineering, phishing, or physical attacks
✗Run destructive actions that delete or modify customer data
✗Conduct large-scale brute-force or DDoS-style tests
✗Attempt to extort or publicly disclose before coordination
✗Download or store more PII than necessary for demonstration

Legal Safe Harbor

Zarrino will not pursue legal action against researchers who follow the program rules and coordinate disclosure in good faith. If you anticipate actions outside normal bounds, contact us first at security@zarrino.tech

Submission Process

From discovery to reward in four simple steps.

Discover Vulnerability

Test in-scope assets following our rules. Document your findings with clear reproduction steps.

Submit Report

Email security@zarrino.tech with PoC, impact assessment, and reproduction steps.

Validation & Triage

We'll acknowledge within 3-7 days and validate within 7-30 days depending on complexity.

Get Rewarded

Once validated and fixed, receive your reward based on severity and impact.

Required Report Contents

1Short summary of the issue and affected endpoints
2Clear, step-by-step reproduction steps
3Runnable PoC code, curl commands, or screenshots
4Exact user accounts or test data used
5Impact assessment: data accessible, users affected, abuse potential
6Mitigation ideas or suggested fixes (optional)

Reports missing reproducible steps or PoC will be harder to validate and may not receive the full reward.

Ready to Submit?

Email your report to

security@zarrino.tech

Subject: [BugBounty] <short title> - <domain/endpoint>

Submit Your Report

Zarrino Bug Bounty

Help keep Zarrino and our products safe. Report verified vulnerabilities, get rewarded up to 500,000,000 Tomans, and help protect users and their data.

500M

Maximum Reward

3-7

Days Response Time

100%

Safe Harbor Protection

What We Protect

Our bug bounty program covers critical infrastructure across multiple products, with special focus on user data protection.

Herlife

Health, medical, and PII data exposure treated as especially critical. We prioritize user privacy above all.

Internal Services

Access control violations and data exfiltration that could compromise internal systems are critical findings.

Reward Framework

Rewards are determined by severity, exploitability, user impact, and data sensitivity. All amounts in Tomans.

Critical

500,000,000Toman

Up to this amount

•RCE on production servers
•Full database export of PII/health records
•Massive deface or financial takeover

High

200,000,000Toman

Up to this amount

•Wide-scoped IDOR exposing sensitive data
•SSRF to internal metadata revealing secrets
•Authentication bypass
•Arbitrary financial balance modification

Medium

50,000,000Toman

Up to this amount

•Stored XSS that can steal tokens
•Limited SQLi exposing records
•Privilege escalation with limited scope

Low

10,000,000Toman

Up to this amount

•Open redirects
•Minor information leaks
•Low-impact misconfigurations

Informational

Non-monetary acknowledgment

•Best practice recommendations

•Minor security improvements

•Documentation issues

•Non-exploitable findings

In-Scope Assets

Test only the domains and services listed below unless you receive written confirmation from Zarrino security.

Primary

Herlife

Authorized testing targets

app.herlife.app/*

Herlife PWA / Android wrapper

api.herlife.app/*

Herlife API

*.herlifeapp.ir/*

Herlife website

Primary

Corporate

Authorized testing targets

zarrino.io

Corporate landing site

*.zarrino.tech

Internal/service subdomains

Secondary Assets (Lower Priority)

herlifeapp.com

Rules of Engagement

Follow these guidelines to ensure your testing is safe, legal, and eligible for rewards.

Do

✓Test only assets listed in the in-scope section
✓Limit the amount of real user data you access
✓Provide clear PoC and reproduction steps
✓Use responsible testing methods that avoid disrupting production
✓Stop immediately after confirming PII exposure and notify us

Do NOT

✗Perform social engineering, phishing, or physical attacks
✗Run destructive actions that delete or modify customer data
✗Conduct large-scale brute-force or DDoS-style tests
✗Attempt to extort or publicly disclose before coordination
✗Download or store more PII than necessary for demonstration

Legal Safe Harbor

Submission Process

From discovery to reward in four simple steps.

Discover Vulnerability

Test in-scope assets following our rules. Document your findings with clear reproduction steps.

Submit Report

Email security@zarrino.tech with PoC, impact assessment, and reproduction steps.

Validation & Triage

We'll acknowledge within 3-7 days and validate within 7-30 days depending on complexity.

Get Rewarded

Once validated and fixed, receive your reward based on severity and impact.

Required Report Contents

1Short summary of the issue and affected endpoints
2Clear, step-by-step reproduction steps
3Runnable PoC code, curl commands, or screenshots
4Exact user accounts or test data used
5Impact assessment: data accessible, users affected, abuse potential
6Mitigation ideas or suggested fixes (optional)

Reports missing reproducible steps or PoC will be harder to validate and may not receive the full reward.

Ready to Submit?

Email your report to

security@zarrino.tech

Subject: [BugBounty] <short title> - <domain/endpoint>

Submit Your Report