Vulnerability Disclosure Program (VDP)

We genuinely value the support and expertise you bring to the table, making our systems rock-solid. Your responsible disclosure of security vulnerabilities plays a huge role in ensuring the safety and privacy of all our users. So, together, let’s keep things super secure! Wishing you the best of luck and happy hunting!

Rules & Exclusions

1. Rate Limiting is a site-wide known issue and open for all endpoints
2. Non-iterable IDOR will be considered as NA i.e. IDOR where enumeration of the vulnerable parameter is not possible
3. Vulnerabilities that have been fixed by the vendor within the last 30 days (i.e. we will not accept reports that we are vulnerable to CVE-XXXX-XXXX within 30 days of the patch by the vendor to give our internal teams a chance to detect and patch the issue)
4. DoS reports on Server/Data Center products related to lack of rate limiting, request flooding, resource exhaustion, or other similar network layer/volume based attacks are not accepted.

The following finding types are specifically excluded from the bounty (no payout):

• The use of Automated scanners is strictly prohibited (we have these tools too – don’t even think about using them)
• Descriptive error messages (e.g. Stack Traces, application or server errors).
• Fingerprinting/banner disclosure on common/public services.
• Clickjacking and issues only exploitable through clickjacking.
• Logout Cross-Site Request Forgery (logout CSRF).
• Content Spoofing.
• Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
• Lack of Secure/HTTPOnly flags on non-sensitive Cookies.
• Lack of Security Speedbump when leaving the site.
• Login or Forgot Password page brute force and account lockout not enforced.
• Username/email enumeration.
• Missing HTTP security headers, specifically (OWASP Secure Headers Project | OWASP Foundation ), e.g.
  • Strict-Transport-Security.
  • X-Frame-Options.
  • X-XSS-Protection.
  • X-Content-Type-Options.
  • Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP.
  • Content-Security-Policy-Report-Only.
  • Cache-Control and Pragma
• HTTP/DNS cache poisoning.
• SSL/TLS Issues, e.g.
  • SSL Attacks such as BEAST, BREACH, and Renegotiation attacks.
  • SSL Forward secrecy not enabled.
  • SSL weak/insecure cipher suites.
• Self-XSS reports will not be accepted.
  • Similarly, any XSS where local access is required (i.e. User-Agent Header injection) will not be accepted. The only exception will be if you can show a working off-path MiTM attack that will allow for the XSS to trigger.
• Known vulnerabilities in used libraries, or the reports that a Whatfix product uses an outdated third-party library (e.g. jQuery, Apache HttpComponents, etc) unless you can prove exploitability.
• Missing or incorrect SPF records of any kind.
• Missing or incorrect DMARC records of any kind.
• Source code disclosure vulnerabilities.
• Information disclosure of non-confidential information.
• The ability to upload/download viruses or malicious files to the platform.
• Request Flooding
• Lack of rate limiting

Safe Harbor

When conducting vulnerability research according to this policy, we consider this research to be:

• Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
• Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
• Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
• Lawful, helpful to the overall security of the Internet, and conducted in good faith.

Hall of Fame

List of security researchers who have submitted valid vulnerability.

• Parth Narula