Wickr
The Wickr Bug Bounty Program is designed to encourage responsible security research focused on Wickr software. It is impossible to overstate the importance of the role the security research community plays in ensuring modern software remains secure. Hunters, academics, security engineers and evangelists have been responsible for some of the most cutting-edge, eye-opening security revelations to date. Their work speeds the pace of advancing security to the benefit of all. Through this program and partnerships with InfoSec organizations, we pledge to continuously improve the security and usability of our network, keeping Wickr as one of the most trusted messaging platforms in the world.
The scope of this program is limited to technical security vulnerabilities in Wickr software.
Social engineering (e.g. phishing, vishing, smishing) is prohibited.
Do not attempt to conduct post-exploitation, including modification or destruction of data, and interruption or degradation of Wickr services
Under no circumstances should your testing affect the availability of Wickr services, disrupt or compromise any data that is not your own, or violate any law or our Terms of Service.
Only interact with accounts you own or granted by the program team.
Please do NOT test with or otherwise target common Wickr email aliases (support@, sales@, info@, etc...) due to the risk of disruption to those accounts.
Scanners must be configured to not send more than 5 requests per second to any particular asset. If this restriction is severely detrimental to your testing, then please reach out for an exception.
Please DO help us identify test networks by using email addresses and network names that begin or end with "H1".
Additionally, include a user-agent string in all requests, where applicable, in this format: wickrvrpresearcher_yourh1username
Please do not use 3rd party sites when doing testing (for instance, <yourdomains>@xss (https://hackerone.com/xss).ht) - we understand the use case (and value of this testing), but ask that when doing blind XSS (or any) testing, that you only utilize assets that you explicitly own (and control) yourself. While we support blind XSS (SSRF, etc.) testing, please make sure that all of it goes through domains on you have control over. Thanks!
Thank you for joining us in supporting ethical and responsible disclosure. By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party without explicit authorization from Wickr.
Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue.
Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
Our rewards are based on the impact of a vulnerability. Scores below are in CVSS. Please note these are general guidelines and examples, and that reward decisions are up to the discretion of Wickr. A bounty of $100,000 may be awarded for attacks that compromise the integrity or confidentiality of user messages. Novel solutions to reported security issues are also concerned when determining reward amounts. Reports resolved by a singular fix will be grouped and rewarded within a singular submission.
Note that we have designed our products around the concept of defense in depth and an untrusted server. This means that some vulnerabilities that might be high or critical at other companies have a lower severity at Wickr because the result is mitigated by compensating security controls. We take all flaws seriously, but for higher payouts, the report must demonstrate direct impact to Wickr’s secure messaging. Reports for attacks that target our administrative console or those that would only realistically impact the availability of services may receive lower severity ratings and rewards.
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:
Clickjacking on pages with no sensitive actions.
Unauthenticated/logout/login CSRF.
Missing SPF/DKIM/DMARC records.
Attacks requiring MITM or physical access to a user's device.
Vulnerabilities that rely on deprecated client/browser versions.
Security issues on test environments without direct customer or service impact.
Previously known vulnerable libraries without a working Proof of Concept.
Comma Separated Values (CSV) injection without demonstrating a vulnerability.
Missing best practices in SSL/TLS configuration.
Any activity that could lead to the disruption of our service (DoS).
Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
Lack of client logout option in SSO mode
Zero-Days or CVE’s disclosed publicly within the past 30 day
Operational Security Issues:
The goal of this program is to improve the security of our services for customers. While we understand that "Operational Security" (OpSec) issues are important, we will not be rewarding for these types of submissions. OpSec issues include leaked employee passwords, leaked business documents, etc. These submissions will only receive reputation points and/or swag.
To be eligible for the program, you must not:
Be a resident of, or make your submission from, a country against which the United States has issued export sanctions or other trade restrictions (e.g., Cuba, Iran, North Korea, Sudan and Syria);
Be employed by Amazon, Wickr, Inc. or any subsidiaries of Amazon.
Be an immediate family member of a person employed by Amazon, Wickr, Inc. or any subsidiaries of Amazon.
Wickr believes that security research performed in good-faith should be provided safe-harbor. We have adopted Disclose.io’s Core Terms, subject to the conditions defined within this program policy, and we look forward to working with security researchers who share our passion for protecting our customers.
Wickr commits to timely remediation of your findings, and prompt response to relevant questions.
| Scope Type | Scope Name |
|---|---|
| android_application | Wickr Pro Android |
| android_application | Wickr Me Android |
| ios_application | Wickr Pro iOS |
| ios_application | Wickr Me iOS |
| other | Wickr Pro/Wickr Me (all related technical components) (up to) |
| other | Wickr Pro Linux |
| other | Wickr Me Linux |
| other | Wickr Me OS X |
| other | Wickr Pro OS X |
| other | Wickr Pro Windows |
| other | Wickr Me Windows |
| web_application | admin.wickr.com |
| web_application | www.wickr.com |
| Scope Type | Scope Name |
|---|---|
| web_application | support.wickr.com |
This policy crawled by Onyphe on the 2021-11-30 is sorted as bounty.
FireBounty © 2015-2024
