Banner object (1)

5307 policies in database
  Back Link to program      
Vonage logo
Hall of Fame


Vonage is committed to providing a secure environment for their customers to conduct business. As part of this commitment, we engage the efforts of the white hat community to identify potential vulnerabilities in our system. This program works in concert with internal teams to continually improve our overall security posture.


Our program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal and make a case for a higher priority.

This program only awards points for VRT based submissions.


In scope

Target name | Type
---|--- | Other

Out of scope

Target name | Type
---|--- | Website Testing | Website Testing | Android | Website Testing | Website Testing | Website Testing | Website Testing
<> | Website Testing

Testing is only authorized on the targets listed as In-Scope. Any domain/property of Vonage not listed in the targets section is out of scope. This includes any/all subdomains not listed above. If you believe you've identified a vulnerability on a system outside the scope, please reach out to before submitting.

Vonage has three main business units which will incrementally be included in the scope for this engagement. We are starting with our Contact Center as a Service (CCASS) platform ( and later include the CPASS and UCASS platforms. Be on the lookout for future updates on this program.

Focus Areas

  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)
  • Authentication or authorization flaws
  • Server-side code execution bugs
  • Sensitive data exposure

Rate Limiting

Vonage web properties utilize WAF technology that will block high rate traffic that it deems to be malicious. If this occurs discontinue your activity for a period of 24 hours. If the block is not removed please contact with your IP address and the HTTP response codes. please include a brief description of the testing you were performing.

Exclusion List

Finding types that are specifically excluded from the program:

  • DMARC configuration errors
  • Descriptive error messages (e.g. Stack Traces, application or server errors).
  • HTTP 404 codes/pages or other HTTP non-200 codes/pages.
  • Banner disclosure on common/public services.
  • Disclosure of known public files or directories, (e.g. robots.txt).
  • Clickjacking and issues only exploitable through clickjacking.
  • CSRF on forms that are available to anonymous users (e.g. the contact form).
  • Logout Cross-Site Request Forgery (logout CSRF).
  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
  • Lack of Secure and HTTPOnly cookie flags.
  • Lack of Security Speedbump when leaving the site.
  • Weak Captcha / Captcha Bypass
  • Username enumeration via Login Page error message
  • Username enumeration via Forgot Password error message
  • Login or Forgot Password page brute force and account lockout not enforced.
  • OPTIONS / TRACE HTTP method enabled
  • SSL Attacks such as BEAST, BREACH, Renegotiation attack
  • SSL Forward secrecy not enabled
  • SSL Insecure cipher suites
  • The Anti-MIME-Sniffing header X-Content-Type-Options
  • Missing HTTP security headers

Safe Harbor

When conducting vulnerability research according to this policy, we consider this research to be:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.
  • You are expected, as always, to comply with all applicable laws.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please inquire via before going any further.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

Learn more about Bugcrowd’s VRT.

In Scope

Scope Type Scope Name

Out of Scope

Scope Type Scope Name








This program have been found on Bugcrowd on 2019-12-19.

FireBounty © 2015-2020

Legal notices