If you think you may have found a security vulnerability, please get in touch with us at security@wisepops.com.

Bug Bounty Program

WisePops relies on the Bugcrowd Vulnerability Rating Taxonomy for the prioritization of findings. We currently pay rewards for P1, P2 & P3 vulnerabilities. Some P4 vulnerabilities also qualify for a reward.

  • P1: $1,000 - $2,000
  • P2: $500 - $1,000
  • P3: $100 - $500
  • P4: $50 - $100

Targets in scope

  • app.wisepops.com
  • app.wisepops.com/api2 (and api1)
  • The behavior of WisePops on the clients' websites. You can use our sandbox to test it:
    sandbox.wisepops.tech?hash=[YOUR HASH]
    (your hash is in bold in the setup code we provide in Settings > Websites)

Out of scope

  • wisepops.com

Please do not perform:

  • Denial of service attacks
  • Attacks against our existing user base
  • Phishing
  • Social engineering
  • Spam on tracking.wisepops.com
  • Tests that risk the availability of our services

Please do not report:

  • CSRF vulnerabilities
  • User session invalidation at password change / password reset / logout
  • Stored XSS that impact only the users of your WisePops account

Access to our application

Safe Harbor

WisePops supports and encourages security research into our services. When conducting vulnerability research according to this policy, we consider this research to be:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and WisePops will not initiate or support legal action against you for accidental, good faith violations of this policy.
  • Exempt from the Digital Millennium Copyright Act (DMCA), and WisePops will not bring a claim against you for circumvention of technology controls.
  • Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and WisePops waives those restrictions on a limited basis for work done under this policy.
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.
  • You are expected, as always, to comply with all applicable laws.


Did this answer your question?