At Pushwoosh, we take the security of our users’ data very seriously. We introduce Bug Bounty program and encourage those bounty hunters who have discovered potential security vulnerabilities in Pushwoosh service to disclose it to us in a responsible manner.
We will work with security researchers to validate and respond to vulnerabilities that are reported to us. If you previously responsibly disclosed a vulnerability to us, thank you. Please ping us again with a confirmation so we can add you to our Hall Of Fame. Our list of contributors continues to live on at Hackerone, and on our website.
We’re trying to respond as fast as we can, but It may take us up to 14 days to process a new report.
Sending a bug report
Only original, previously unreported bugs will be taken into account. Please submit only one issue per ticket.
What should be included in your report:
- Thoroughly described ways to reproduce the particular bug
- How this vulnerability can be exploit/potentially exploit
Would be highly appreciated:
- Screenshot or video with an exploit demonstration
Targets
The target host for this bounty is:
- go.pushwoosh.com
Pushwoosh.com, docs.pushwoosh.com, community.pushwoosh.com and any other subdomains are specifically excluded from this bounty.
The following will not qualify for the bug bounty program:
- Any kind of brute force
- Disclosure of known public files or directories, (e.g. robots.txt)
- DDOS
- Password policy
- Any CSRF
- Open redirect
- Missing cookie secure flag
- DNSSEC not configured
- Missing SPF DNS record
- Missing HTTP security headers, specifically this one
- Any CSV Macro Injection
- Reports from security scanners and other automatic systems
- Vulnerability reports based solely on the software version / protocol
Creating the Account:
You must use the pentester_anyCharacters@any.domain email alias when signing up for pushwoosh.com accounts that will be used to participate in this bounty.
Accounts not following these rules will be suspended without warning. You can find full information about the Pushwoosh Bug Bounty program on our website.
Endless kudos to all the participants!