Wisepops

If you think you may have found a security vulnerability, please get in touch with us at <a href="mailto:security@wisepops.com" rel="nofollow noopener noreferrer" target="_blank">security@wisepops.com</a>.

Wisepops relies on the <a href="https://bugcrowd.com/vulnerability-rating-taxonomy" rel="nofollow noopener noreferrer" target="_blank">Bugcrowd Vulnerability Rating Taxonomy</a> for the prioritization of findings. We currently pay rewards for P1, P2 &amp; P3 vulnerabilities.

- P1: $1,000 - $2,000
- P2: $500 - $1,000
- P3: $100 - $500

Do not send reports for P4 or P5 vulnerabilities, we don't reward them.

We won't open attachments in the reports. Please provide any necessary information in plain text.

app.wisepops.com/api2 (<a href="https://intercom.help/wisepops/en/articles/9897479-wisepops-api-documentation" rel="nofollow noopener noreferrer" target="_blank">API documentation</a> &amp; <a href="https://support.wisepops.com/en/articles/9897509-webhooks">hooks documentation</a>)

The behavior of Wisepops on the clients' websites. You can use our sandbox to test it: sandbox.wisepops.tech?hash=[YOUR HASH] (your hash is in bold in the setup code we provide in <a href="https://app.wisepops.com/f/settings/websites" rel="nofollow noopener noreferrer" target="_blank">Settings &gt; Websites</a>)

- id.wisepops.com
- popups.wisepops.com
- notifications.wisepops.com
- wisepops.net
- cdn.wisepops.net
- cdn.wisepops.com
- app.wisepops.com/api2 (<a href="https://intercom.help/wisepops/en/articles/9897479-wisepops-api-documentation" rel="nofollow noopener noreferrer" target="_blank">API documentation</a> &amp; <a href="https://support.wisepops.com/en/articles/9897509-webhooks">hooks documentation</a>)
- The behavior of Wisepops on the clients' websites. You can use our sandbox to test it: sandbox.wisepops.tech?hash=[YOUR HASH] (your hash is in bold in the setup code we provide in <a href="https://app.wisepops.com/f/settings/websites" rel="nofollow noopener noreferrer" target="_blank">Settings &gt; Websites</a>)

Any domain not explicitly mentioned as target in scope

- wisepops.com
- support.wisepops.com
- community.wisepops.com
- Any domain not explicitly mentioned as target in scope

To test our application, please send a message to <a href="mailto:security@wisepops.com" rel="nofollow noopener noreferrer" target="_blank">security@wisepops.com</a> with the email address(es) for which you would like account(s) to be created.

Only test against accounts we have created for you.

Social engineering, including phishing, and tricking our support team

Spam, flooding, or volume-based abuse of any of our tracking, event, or lead-ingestion endpoints (e.g. wisepops.net/_.gif)

Tests that deliberately risk the availability of our services

- Distributed denial-of-service attacks
- IP rotation to bypass our rate limits
- Attacks against our existing user base
- Social engineering, including phishing, and tricking our support team
- Spam, flooding, or volume-based abuse of any of our tracking, event, or lead-ingestion endpoints (e.g. wisepops.net/_.gif)
- Tests that deliberately risk the availability of our services

Stored XSS that impact the final visitors (through <a href="https://intercom.help/wisepops/en/articles/9898334-introduction-to-js-callbacks" rel="nofollow noopener noreferrer" target="_blank">JS callbacks</a> or other campaign's settings)

Verification link not expiring after being used

Lack of user session invalidation at email change / logout

No verification of the old email address ownership before changing it

Email hyperlink injection based on Email Provider

Denial-of-service vulnerabilities that do not have a major impact for a single payload

URLs indexed by web crawlers or archivers

- CSRF vulnerabilities
- Stored XSS that impact the final visitors (through <a href="https://intercom.help/wisepops/en/articles/9898334-introduction-to-js-callbacks" rel="nofollow noopener noreferrer" target="_blank">JS callbacks</a> or other campaign's settings)
- Verification link not expiring after being used
- Lack of user session invalidation at email change / logout
- No verification of the old email address ownership before changing it
- Insecure Cipher Suite
- Missing MTA-STS policy
- Email hyperlink injection based on Email Provider
- SSRF without internal impact
- Denial-of-service vulnerabilities that do not have a major impact for a single payload
- URLs indexed by web crawlers or archivers
- Multiple owners due to race condition

Wisepops supports and encourages security research into our services. When conducting vulnerability research according to this policy, we consider this research to be:

Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and Wisepops will not initiate or support legal action against you for accidental, good faith violations of this policy.

Exempt from the Digital Millennium Copyright Act (DMCA), and Wisepops will not bring a claim against you for circumvention of technology controls.

Exempt from restrictions in our Terms &amp; Conditions that would interfere with conducting security research, and Wisepops waives those restrictions on a limited basis for work done under this policy.

Lawful, helpful to the overall security of the Internet, and conducted in good faith.

You are expected, as always, to comply with all applicable laws.

- Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and Wisepops will not initiate or support legal action against you for accidental, good faith violations of this policy.
- Exempt from the Digital Millennium Copyright Act (DMCA), and Wisepops will not bring a claim against you for circumvention of technology controls.
- Exempt from restrictions in our Terms &amp; Conditions that would interfere with conducting security research, and Wisepops waives those restrictions on a limited basis for work done under this policy.
- Lawful, helpful to the overall security of the Internet, and conducted in good faith.
- You are expected, as always, to comply with all applicable laws.

Vulnerability Reports & Bug Bounty Program

Create a custom design with text, images, and links

Sign In

Community

Find answers and get help from Intercom Support and Community Experts

Conversations you've started through the messenger will appear here.

No conversations created by you

Try using different keywords or checking for typos.

No conversations found

Title

This site employs cookies and other technologies that we and our third party vendors use to monitor and record personal information about you and your interactions with the site (including content viewed, cursor movements, screen recordings, and chat contents) for the purposes described in our Cookie Policy. By continuing to visit our site, you agree to our {websiteTermsLink}, {privacyPolicyLink} and {cookiePolicyLink}.

This site uses cookies and similar technologies ("cookies") as strictly necessary for site operation. We and our partners also would like to set additional cookies to enable site performance analytics, functionality, advertising and social media features. See our {cookiePolicyLink} for details. You can change your cookie preferences in our Cookie Settings.

We use cookies to make our site work and also for analytics and advertising purposes. You can enable or disable optional cookies as desired. See our {cookiePolicyLink} for more details.

Advertising cookies are set by our advertising partners to collect information about your use of the site, our communications, and other online services over time and with different browsers and devices. They use this information to show you ads online that they think will interest you and measure the ads' performance. Social media cookies are set by social media platforms to enable you to share content on those platforms, and are capable of tracking information about your activity across other online services for use as described in their privacy policies.

These cookies enable the website to provide enhanced functionality and personalisation. They may be set by us or by third party providers whose services we have added to our pages. If you do not allow these cookies then some or all of these services may not function properly.

These cookies are necessary for the website to function and cannot be switched off in our systems.

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site.

You have the right to opt out of the sale of your personal information. See our {cookiePolicyLink} for more details about how we use your data.

Your Privacy Choices

We use cookies to enhance your experience. You can customize your cookie preferences below. See our {cookiePolicyLink} for more details.

Cookie Settings

Empty Help Center

Uh oh. That page doesn’t exist.

Home

Search results

Disappointed

Neutral

Smiley

Thinking...

Searching through sources...

Analyzing...

Tickets submitted through the messenger or by a support agent in your conversation will appear here.

Vulnerability Reports & Bug Bounty Program

Bug Bounty Program

Targets in scope

Out of scope

Access to our application

Please do not perform

Known findings we don't reward

Safe Harbor