Vulnerability Disclosure Program (VDP)
We genuinely value the support and expertise you bring to the table, making our systems rock-solid. Your responsible disclosure of security vulnerabilities plays a huge role in ensuring the safety and privacy of all our users. So, together, let’s keep things super secure! Wishing you the best of luck and happy hunting!
For the initial prioritization/rating of findings, this program uses the CVSS score. However, in some cases a vulnerability's priority will be modified based on its likelihood or impact. Whenever an issue is downgraded, a full, detailed explanation will be provided to the researcher where applicable. Please note that the decision made by the Whatfix team is final.
- P1: $2,000 – $4,000
- P2: $800 – $1,900
- P3: $300 – $700
- P4: $100 – $200
Scope & Target Info
- Whatfix Editor Extension (see below for details)
- Whatfix Embed on website/ application (see below for details)
Out of Scope:
Testing is only authorized on the targets listed as in scope. Any domain/property of Whatfix not listed in the targets section is out of scope. This includes any/all subdomains not listed above. If you happen to identify a security vulnerability on a target that is not in scope, but it demonstrably belongs to Whatfix, you can report it to this program. However, be aware that it is ineligible for monetary rewards.
- Whatfix Dashboard (whatfix.com/bugbounty_ent1/) & (whatfix.com/bugbounty_ent2/) – Researchers have been provided access to the Whatfix Dashboard through two different tenants. The Dashboard is used to manage content, users, and other account-level settings.
  - All content created by the Editor extension can be viewed.
  - Users can create static content, which can be used without a browser extension.
- Whatfix Editor Extension – A browser extension for creating content. Supported browsers are Chrome and Firefox.
  - How to install: please follow this video for the installation instructions.
  - How to use the extension: please follow this video for usage instructions.
  - Users can modify/delete content.
  - User management.
  - Other account-level operations: please follow the self-help on the Whatfix dashboard for more feature details. Each page contains help about the relevant features.
- Whatfix Embed on website/application – This enables end users to consume the content created by authors in steps 1 and 2 (the Dashboard and the Editor Extension). Whatfix is integrated with the application through a script embed, and users can view/run the flows without installing any extension.
For detailed information regarding the features and how they work please refer to the following support page: Get started
Rules & Exclusions
- Rate limiting is a known, site-wide open issue affecting all endpoints.
- Non-iterable IDOR (i.e. IDOR where the vulnerable parameter cannot be enumerated) will be considered not applicable.
- Vulnerabilities that have been fixed by the vendor within the last 30 days (i.e. we will not accept reports that we are vulnerable to CVE-XXXX-XXXX within 30 days of the patch by the vendor to give our internal teams a chance to detect and patch the issue)
- DoS reports on Server/Data Center products related to lack of rate limiting, request flooding, resource exhaustion, or other similar network layer/volume based attacks are not accepted.
The following finding types are specifically excluded from the bounty (no payout):
- The use of Automated scanners is strictly prohibited (we have these tools too – don’t even think about using them)
- Descriptive error messages (e.g. Stack Traces, application or server errors).
- Fingerprinting/banner disclosure on common/public services.
- Clickjacking and issues only exploitable through clickjacking.
- Logout Cross-Site Request Forgery (logout CSRF).
- Content Spoofing.
- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
- Lack of Secure/HTTPOnly flags on non-sensitive Cookies.
- Lack of Security Speedbump when leaving the site.
- Login or Forgot Password page brute force and account lockout not enforced.
- Username/email enumeration.
- Missing HTTP security headers (see the OWASP Secure Headers Project | OWASP Foundation), e.g.:
  - Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP.
  - Cache-Control and Pragma.
- HTTP/DNS cache poisoning.
- SSL/TLS issues, e.g.:
  - SSL attacks such as BEAST, BREACH, and Renegotiation attacks.
  - SSL forward secrecy not enabled.
  - SSL weak/insecure cipher suites.
- Self-XSS reports will not be accepted.
- Similarly, any XSS that requires local access (e.g. User-Agent header injection) will not be accepted. The only exception is a demonstrated, working off-path MiTM attack that allows the XSS to trigger.
- Known vulnerabilities in used libraries, or reports that a Whatfix product uses an outdated third-party library (e.g. jQuery, Apache HttpComponents, etc.), unless you can prove exploitability.
- Missing or incorrect SPF records of any kind.
- Missing or incorrect DMARC records of any kind.
- Source code disclosure vulnerabilities.
- Information disclosure of non-confidential information.
- The ability to upload/download viruses or malicious files to the platform.
- Request Flooding
- Lack of rate limiting
When conducting vulnerability research according to this policy, we consider this research to be:
- Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
- Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
- Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
- Lawful, helpful to the overall security of the Internet, and conducted in good faith.
Hall of Fame
List of security researchers who have submitted valid vulnerabilities.
- Be the first to enter the Hall of Fame