At Pushwoosh, we take the security of our users’ data very seriously. We are introducing a Bug Bounty program and encourage bounty hunters who have discovered potential security vulnerabilities in the Pushwoosh service to disclose them to us in a responsible manner.
We will work with security researchers to validate and respond to vulnerabilities that are reported to us. If you previously responsibly disclosed a vulnerability to us, thank you. Please ping us again with a confirmation so we can add you to our Hall Of Fame. Our list of contributors continues to live on at HackerOne, Bugcrowd and on our website.
Sending a bug report
Only original, previously unreported bugs will be taken into account. Please submit only one issue per ticket.
What should be included in your report:
- Thoroughly described ways to reproduce the particular bug
- How this vulnerability can be exploited or could potentially be exploited
The following would be highly appreciated:
- Screenshot or video with a penetration demonstration
The target hosts for this bounty are:
The top-level pushwoosh.com and docs.pushwoosh.com are specifically excluded from this bounty.
The following will not qualify for the bug bounty program:
- Login page / Forgot Password page: account brute force or account lockout not enforced
- Disclosure of known public files or directories (e.g. robots.txt)
- Password policy
- Any CSRF
- Open redirect
- Missing HTTP security headers, specifically those listed at https://www.owasp.org/index.php/List_of_useful_HTTP_headers
- Reports from security scanners and other automatic systems
- Vulnerability reports based solely on the software version / protocol without a valid proof of concept
Creating the Account:
You must use the pentester_anyCharacters@any.domain email alias when signing up for pushwoosh.com accounts that will be used to participate in this bounty.
Accounts not following these rules will be suspended without warning. You can find full information about the Pushwoosh Bug Bounty program on our website.
Endless kudos to all the participants!