Wisepops

If you think you may have found a security vulnerability, please get in touch with us at <a href="mailto:security@wisepops.com" rel="nofollow noopener noreferrer" target="_blank">security@wisepops.com</a>.

Wisepops relies on the <a href="https://bugcrowd.com/vulnerability-rating-taxonomy" rel="nofollow noopener noreferrer" target="_blank">Bugcrowd Vulnerability Rating Taxonomy</a> for the prioritization of findings. We currently pay rewards for P1, P2 &amp; P3 vulnerabilities.

- P1: $1,000 - $2,000
- P2: $500 - $1,000
- P3: $100 - $500

Do not send reports for P4 or P5 vulnerabilities, we don't reward them.

The behavior of Wisepops on the clients' websites. You can use our sandbox to test it: sandbox.wisepops.tech?hash=[YOUR HASH] (your hash is in bold in the setup code we provide in <a href="https://app.wisepops.com/f/settings/websites" rel="nofollow noopener noreferrer" target="_blank">Settings &gt; Websites</a>)

- popups.wisepops.com
- popups.wisepops.com/api2
- id.wisepops.com
- notifications.wisepops.com
- popup.wisepops.com
- tracking.wisepops.com
- cdn.wisepops.com
- wisepops.net
- The behavior of Wisepops on the clients' websites. You can use our sandbox to test it: sandbox.wisepops.tech?hash=[YOUR HASH] (your hash is in bold in the setup code we provide in <a href="https://app.wisepops.com/f/settings/websites" rel="nofollow noopener noreferrer" target="_blank">Settings &gt; Websites</a>)

Any domain not explicitly mentioned as target in scope

- wisepops.com
- support.wisepops.com
- community.wisepops.com
- Any domain not explicitly mentioned as target in scope

Social engineering, including phishing, and tricking our support team

Tests that deliberately risk the availability of our services

- Distributed denial-of-service attacks
- IP rotation to bypass our rate limits
- Attacks against our existing user base
- Social engineering, including phishing, and tricking our support team
- Spam on tracking.wisepops.com
- Tests that deliberately risk the availability of our services

Stored XSS that impact only the users of your Wisepops account

Stored XSS that impact the final visitors (through <a href="https://intercom.help/wisepops/en/articles/9898334-introduction-to-js-callbacks" rel="nofollow noopener noreferrer" target="_blank">JS callbacks</a> or other campaign's settings)

Verification link not expiring after being used

Lack of user session invalidation at password change / password reset / logout

No verification of the old email address ownership before changing it

Email hyperlink injection based on Email Provider

Denial-of-service vulnerabilities that do not have a major impact for a single payload

- CSRF vulnerabilities
- Stored XSS that impact only the users of your Wisepops account
- Stored XSS that impact the final visitors (through <a href="https://intercom.help/wisepops/en/articles/9898334-introduction-to-js-callbacks" rel="nofollow noopener noreferrer" target="_blank">JS callbacks</a> or other campaign's settings)
- Verification link not expiring after being used
- Lack of user session invalidation at password change / password reset / logout
- No verification of the old email address ownership before changing it
- Email hyperlink injection based on Email Provider
- SSRF without internal impact
- Denial-of-service vulnerabilities that do not have a major impact for a single payload

We won't open attachments in the reports. Please provide any necessary information in plain text.

Sign up for Wisepops <a href="https://popups.wisepops.com/" rel="nofollow noopener noreferrer" target="_blank">here</a>. Please use White Hat as the company name.

<a href="https://wisepops.com/contact-us/" rel="nofollow noopener noreferrer" target="_blank">Drop us a message</a> if you want to keep testing after the 14-days trial, we'll be happy to make your account never expire.

Only test against accounts you have created.

<a href="https://intercom.help/wisepops/en/articles/9897479-wisepops-api-documentation" rel="nofollow noopener noreferrer" target="_blank">API documentation</a> &amp; <a href="https://support.wisepops.com/en/articles/572421-leverage-web-hooks">hooks documentation</a>.

- Sign up for Wisepops <a href="https://popups.wisepops.com/" rel="nofollow noopener noreferrer" target="_blank">here</a>. Please use White Hat as the company name.
- <a href="https://wisepops.com/contact-us/" rel="nofollow noopener noreferrer" target="_blank">Drop us a message</a> if you want to keep testing after the 14-days trial, we'll be happy to make your account never expire.
- Only test against accounts you have created.
- <a href="https://intercom.help/wisepops/en/articles/9897479-wisepops-api-documentation" rel="nofollow noopener noreferrer" target="_blank">API documentation</a> &amp; <a href="https://support.wisepops.com/en/articles/572421-leverage-web-hooks">hooks documentation</a>.

Wisepops supports and encourages security research into our services. When conducting vulnerability research according to this policy, we consider this research to be:

Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and Wisepops will not initiate or support legal action against you for accidental, good faith violations of this policy.

Exempt from the Digital Millennium Copyright Act (DMCA), and Wisepops will not bring a claim against you for circumvention of technology controls.

Exempt from restrictions in our Terms &amp; Conditions that would interfere with conducting security research, and Wisepops waives those restrictions on a limited basis for work done under this policy.

Lawful, helpful to the overall security of the Internet, and conducted in good faith.

You are expected, as always, to comply with all applicable laws.

- Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and Wisepops will not initiate or support legal action against you for accidental, good faith violations of this policy.
- Exempt from the Digital Millennium Copyright Act (DMCA), and Wisepops will not bring a claim against you for circumvention of technology controls.
- Exempt from restrictions in our Terms &amp; Conditions that would interfere with conducting security research, and Wisepops waives those restrictions on a limited basis for work done under this policy.
- Lawful, helpful to the overall security of the Internet, and conducted in good faith.
- You are expected, as always, to comply with all applicable laws.

Vulnerability Reports & Bug Bounty Program

Sign In

Community

Find answers and get help from Intercom Support and Community Experts

Empty Help Center

Uh oh. That page doesn’t exist.

Disappointed

Neutral

Smiley

Title

Track the progress of all tickets related to your company.

Tickets portal.

{assigneeName} needs more information from you

Tickets

No access to tickets portal

English

url(https://downloads.intercomcdn.com/i/o/579161/2e06c7922e106be8f82d5e53/319f640cfec22562271cfd2cedac6499.png)

Bug Bounty Program

Targets in scope

Out of scope

Access to our application

Safe Harbor