If you think you may have found a security vulnerability, please get in touch with us at firstname.lastname@example.org.
Bug Bounty Program
WisePops relies on the Bugcrowd Vulnerability Rating Taxonomy for the prioritization of findings. We currently pay rewards for P1, P2 & P3 vulnerabilities. Some P4 vulnerabilities also qualify for a reward.
- P1: $1,000 - $2,000
- P2: $500 - $1,000
- P3: $100 - $500
- P4: $50 - $100
Targets in scope
- app.wisepops.com/api2 (and api1)
- The behavior of WisePops on the clients' websites.
You can use our sandbox to test it:
(your hash is in bold in the setup code we provide in Settings > Websites)
Out of scope
- Any domain not explicitly mentioned as target in scope
Please do not perform:
- Distributed denial-of-service (DDoS) attacks
- IP rotation to bypass our rate limits
- Attacks against our existing user base
- Social engineering, including phishing
- Spam on tracking.wisepops.com
- Tests that risk the availability of our services
Please do not report:
- CSRF vulnerabilities
- Stored XSS that impacts only the users of your own WisePops account
- Lack of user session invalidation at password change / password reset / logout
- Email existence disclosure via our sign-up and forgot-password forms when probed manually by a human
- Password reset token leakage caused by third-party services being able to read the JS object
- SSRF without internal impact
- Denial-of-service vulnerabilities where a single payload does not have a major impact
We won't open attachments in the reports. Please provide any necessary information in plain text.
Access to our application
- Sign up for WisePops here. Please use White Hat as the company name.
- Drop us a message if you want to keep testing after the 14-day trial; we'll be happy to make your account never expire.
- Only test against accounts you have created.
- API documentation & hooks documentation.
WisePops supports and encourages security research into our services. When conducting vulnerability research according to this policy, we consider this research to be:
- Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and WisePops will not initiate or support legal action against you for accidental, good faith violations of this policy.
- Exempt from the Digital Millennium Copyright Act (DMCA), and WisePops will not bring a claim against you for circumvention of technology controls.
- Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and WisePops waives those restrictions on a limited basis for work done under this policy.
- Lawful, helpful to the overall security of the Internet, and conducted in good faith.
- You are expected, as always, to comply with all applicable laws.