By participating in this program, you agree to:

• Respect the Community Code of Conduct
• Respect the Intigriti Terms and Conditions
• Respect the scope of the program
• Not discuss or disclose vulnerability information without prior written consent (including PoC's on YouTube and Vimeo)

Validation times

We will validate all submissions within the below timelines, once your submission has been verified by Intigriti.

Introduction

Zopa is committed to protecting the security of our customers, their data, and our products. We welcome vulnerability reports from the security community through our Vulnerability Disclosure Program. This program enables researchers to responsibly report potential security issues across our in scope systems in a safe and legally protected way, without the expectation of monetary reward.

Any useful infrastructure information:

The in-scope domains are public, product-focused APIs used by our web and mobile applications. The Android and iOS applications do share the same API endpoints.

The entry point for web is www.zopa.com. Self-registration is possible via the mobile applications, and those credentials can then be used on web.

Navigating the website, logging in on web or mobile, performing actions and applying for products will trigger API requests to the in-scope domains, each of which will have a relatively tightly scoped purpose (i.e. authentication for auth.zopa.com) or is responsible for a product or part of a product (i.e. currents accounts for current-accounts-mobile-bff.zopa.com). The purpose can usually be inferred from the name and relevant screens.

Feedback
If you would like to help us improve our program or have some feedback to share, please send your anonymous feedback here:

Program feedback link
Please note this form will be checked periodically and should not be used for submission or support queries.

Known Issues (date last updated: 26/08/2025)

The following items are known and do not require reporting:

• Cookie scoped to parent domain
  • Certain cookies are intentionally scoped to cover subdomains
• CORS configuration
  • Current configurations are expected and do not present a security risk as requests still require proper authentication
• Missing security-related HTTP headers
  • Standard protections are already applied where required, some headers are managed at the edge, and a few have been assessed as non-essential

Domains

• Any domains, systems or services not explicitly listed as in scope
  • e.g. Email, SSO, third party domains or services, or any other Zopa or DivideBuy domains

General

• Vulnerabilities already tracked by Zopa from other types of testing will be considered duplicates
• Vulnerabilities that have no proven impact
  • e.g. HTTP request smuggling with no proven impact
  • e.g. Out-of-date front-end libraries without PoC
• SSL/TLS vulnerabilities without PoC
  • e.g. the use of wildcard certificates
• Any social engineering of Zopa's customers or customer support
  • Including unrealistically complex end-user interaction being required for exploitation
• Vulnerabilities that require physical access to user's device or an assumed account breach
• DoS/DDOS, including any issue where the sole impact is loss of availability.
• Brute-force attacks
  • Including spamming services that would cause financial loss i.e. SMS OTP
• Software version disclosures via banners, error messages, or elsewhere
• Verbose error messages without any sensitive data included (i.e. stack trace, application error, server error)
• API key disclosure for non-sensitive use-cases (such as analytics platforms) or with no proven exploitability
• Leaked information that did not originate from a vulnerability in Zopa's systems
• Any activities prohibited at a platform level, such as AWS Prohibited Activities

Web Applications / APIs

• Username / email address enumeration
• Cookie Security Flags and Scope
• Autocomplete attribute on input forms
• Metadata on hosted documentation
• HTTP security headers
• Sessions not being invalidated but left to timeout
• Homograph / homoglyph attacks
• Arbitrary file upload without access to the file or proof that the upload was successful
• Authorisation issues on paths that are not feasible for an attacker to enumerate unless proven otherwise
  • i.e. secured by GUIDs
• GraphQL introspection or batch attacks without proven business impact

This program follows Intigriti's triage standards based on the proof of concept.

Do you offer paid bounties?

Yes, but not through this VDP. We do run a private bug bounty program, and strong, well-written submissions through this VDP may be considered for future invitations to that program.