Scam Alert: zetrix.com — Reports Rejected, No Response
Company / Program: zetrix.com
Platform: Self-Hosted · Severity: high · Scam type: no-payout
Published:
Reported by: Muhammad Zeeshan
# Zetrix Bug Bounty Program – Disputed Vulnerability Handling
Account takeover,html injection,email verification,stored xss,otp bypass
I reported multiple high-severity vulnerabilities to the Zetrix bug bounty program, including:
* Zero-click account takeover allowing an attacker to change or reset a victim's email address.
* 2X Email HTML injection.
* Email verification bypass.
* Stored XSS via SVG upload.
* OTP bypass affecting the main exchange platform.
After a few days, I received a response stating that one of the reported issues did not qualify for a bounty. However, no technical explanation or detailed reasoning was provided. Additionally, I did not receive any response regarding several other reported vulnerabilities, including the OTP bypass and stored XSS findings.
Later, while reviewing the affected systems, I noticed that some of the reported vulnerabilities appeared to have been fixed. Despite this, I did not receive confirmation of remediation, acknowledgment of the findings, or further communication regarding bounty eligibility.
My concern is not only the bounty decision itself, but also the lack of transparency and communication regarding the reported vulnerabilities and their subsequent remediation.