If you think you may have found a security vulnerability, please get in touch with us at security@wisepops.com.
Bug Bounty Program
Wisepops relies on the Bugcrowd Vulnerability Rating Taxonomy for the prioritization of findings. We currently pay rewards for P1, P2 & P3 vulnerabilities.
P1: $1,000 - $2,000
P2: $500 - $1,000
P3: $100 - $500
Do not send reports for P4 or P5 vulnerabilities, we don't reward them.
We strive to respond within 7 days.
Targets in scope
popups.wisepops.com
popups.wisepops.com/api2
id.wisepops.com
notifications.wisepops.com
popup.wisepops.com
tracking.wisepops.com
cdn.wisepops.com
wisepops.net
The behavior of Wisepops on the clients' websites.
You can use our sandbox to test it:
sandbox.wisepops.tech?hash=[YOUR HASH]
(your hash is in bold in the setup code we provide in Settings > Websites)
Out of scope
wisepops.com
support.wisepops.com
community.wisepops.com
Any domain not explicitly mentioned as target in scope
Please do not perform:
Distributed denial-of-service attacks
IP rotation to bypass our rate limits
Attacks against our existing user base
Social engineering, including phishing, and tricking our support team
Spam on tracking.wisepops.com
Tests that deliberately risk the availability of our services
Please do not report:
CSRF vulnerabilities
Stored XSS that impact only the users of your Wisepops account
Stored XSS that impact the final visitors (through JS callbacks or other campaign's settings)
Verification link not expiring after being used
Lack of user session invalidation at email change / logout
No verification of the old email address ownership before changing it
Insecure Cipher Suite
Email hyperlink injection based on Email Provider
SSRF without internal impact
Denial-of-service vulnerabilities that do not have a major impact for a single payload
We won't open attachments in the reports. Please provide any necessary information in plain text.
Access to our application
Sign up for Wisepops here. Please use White Hat as the company name.
Drop us a message if you want to keep testing after the 14-days trial, we'll be happy to make your account never expire.
Only test against accounts you have created.
Safe Harbor
Wisepops supports and encourages security research into our services. When conducting vulnerability research according to this policy, we consider this research to be:
Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and Wisepops will not initiate or support legal action against you for accidental, good faith violations of this policy.
Exempt from the Digital Millennium Copyright Act (DMCA), and Wisepops will not bring a claim against you for circumvention of technology controls.
Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and Wisepops waives those restrictions on a limited basis for work done under this policy.
Lawful, helpful to the overall security of the Internet, and conducted in good faith.
You are expected, as always, to comply with all applicable laws.