2022-07-12
UserTesting

UserTesting Vulnerability Disclosure Policy

UserTesting is committed to providing a secure platform for our customers and contributors. We encourage anyone who sees a security issue to report it here.

Note: This program does not offer rewards. UserTesting also works with professional security researchers through a private, invite-only bug bounty program.

Program Rules

  • Only pages reachable without logging in are in scope of this program. Do not create any accounts for the purpose of security testing.

  • Do not access, leak, manipulate, or destroy any user data.

  • Avoid privacy violations, destruction of data, and interruption or degradation of our service.

Response Targets

UserTesting will make a best effort to respond within 2 business days to your reports.

Responsible Disclosure

  • Report potential security issues as soon as possible, and we'll make every effort to resolve them appropriately.

  • Please provide us a reasonable amount of time to resolve the issue before making any external disclosure.

  • Follow HackerOne's disclosure guidelines (https://www.hackerone.com/disclosure-guidelines).

In-scope Vulnerabilities

  • Cross-site scripting (XSS)

  • SQL Injection (SQLi)

  • Missing/Broken Authentication

  • Remote Code Execution

  • Privilege Escalation

  • Sensitive Data Exposure

  • XML External Entities

  • Broken Access Control

  • Security Misconfiguration

  • Insecure Deserialization

  • Usage of Components with Known Vulnerabilities

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Out-of-scope Vulnerabilities

  • Open redirects

  • Vulnerabilities related to customers manipulating testers through the testing process

While researching, please refrain from the following activities; reports of these kinds will not be accepted:

  • Outputs of automated scanning

  • Denial of service

  • Rate limit testing

  • Spamming

  • Social engineering (including phishing) of UserTesting staff or contractors

  • Standard user enumeration attacks

  • Reports solely indicating a lack of a possible security defense, such as certificate pinning or two-factor authentication.

  • Any physical attempts against UserTesting property or data centers

Thanks

We believe in recognizing the good work of others. If your efforts help us improve the security of our service, we're happy to acknowledge your contribution. Thank you for helping keep UserTesting safe!

UserTesting's HackerOne program is currently in invite-only mode. We look forward to working with you in the future.

In Scope

Scope Type          Scope Name
web_application     www.usertesting.com/*

Out of Scope

Scope Type          Scope Name
web_application     www.usertesting.com/blog
web_application     qa.usertesting.com
web_application     help.usertesting.com
web_application     https://apps.apple.com/us/app/usertesting/id1485452102
web_application     https://play.google.com/store/apps/details?id=com.usertesting.recorder.krsna
web_application     https://chrome.google.com/webstore/detail/usertestingcom-screen-rec/onlhphabpmijgblopkcjmphbbmeliagn
web_application     *.usertesting.com
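The in-scope and out-of-scope tables above overlap: www.usertesting.com/* is in scope, while www.usertesting.com/blog and the wildcard *.usertesting.com are out of scope. Before touching a target, a tester has to resolve that overlap for each URL. The checker below is an added example written for this page (it is not UserTesting's or FireBounty's tooling, and the program publishes no such tool). It assumes the usual HackerOne reading, which the page does not spell out: the most specific matching entry wins (an exact host beats a wildcard host, a longer path prefix beats a shorter one), and when an in-scope and an out-of-scope entry tie, out of scope wins. The app-store and extension listings are matched as full URLs. The "pre-login pages only" rule cannot be decided from a URL and still has to be applied by hand.

```python
"""Resolve a candidate URL against the UserTesting scope tables.

Added example, not the program's own code. Precedence rule (editor's
assumption, not stated by the page): most specific matching entry wins;
ties go to out of scope.
"""
from urllib.parse import urlsplit

# Entries copied from the page's In Scope / Out of Scope tables.
IN_SCOPE = ["www.usertesting.com/*"]
OUT_OF_SCOPE = [
    "www.usertesting.com/blog",
    "qa.usertesting.com",
    "help.usertesting.com",
    "https://apps.apple.com/us/app/usertesting/id1485452102",
    "https://play.google.com/store/apps/details?id=com.usertesting.recorder.krsna",
    "https://chrome.google.com/webstore/detail/usertestingcom-screen-rec/onlhphabpmijgblopkcjmphbbmeliagn",
    "*.usertesting.com",
]


def _split(entry):
    """Return (host, path-with-query) for a scope entry or a URL.

    Entries without a scheme ("qa.usertesting.com") are treated as https.
    """
    if "://" not in entry:
        entry = "https://" + entry
    parts = urlsplit(entry)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return parts.netloc.lower(), path


def _match(entry, url):
    """Return a specificity score (host_score, path_score) if url matches
    entry, otherwise None. Higher tuples are more specific."""
    host_pat, path_pat = _split(entry)
    host, path = _split(url)

    # Host: "*.example.com" matches any subdomain; otherwise exact match.
    if host_pat.startswith("*."):
        if not host.endswith(host_pat[1:]):
            return None
        host_score = 0
    elif host == host_pat:
        host_score = 1
    else:
        return None

    # Path: "/*" is a prefix match; a bare host means any path; anything
    # else must match exactly or as a path-segment prefix ("/blog/...").
    if path_pat.endswith("/*"):
        prefix = path_pat[:-1]
        if not path.startswith(prefix):
            return None
        path_score = len(prefix) - 1
    elif path_pat == "/":
        path_score = 0
    else:
        if not (path == path_pat or path.startswith(path_pat.rstrip("/") + "/")):
            return None
        path_score = len(path_pat)
    return (host_score, path_score)


def scope_decision(url):
    """Return 'in', 'out' or 'unlisted' for a candidate target URL.

    Out-of-scope entries are evaluated first and a strict '>' is used, so
    an in-scope entry only wins when it is strictly more specific.
    """
    best = None
    for verdict, entries in (("out", OUT_OF_SCOPE), ("in", IN_SCOPE)):
        for entry in entries:
            score = _match(entry, url)
            if score is None:
                continue
            if best is None or score > best[0]:
                best = (score, verdict)
    return best[1] if best else "unlisted"


if __name__ == "__main__":
    for u in ["https://www.usertesting.com/pricing",
              "https://www.usertesting.com/blog/post",
              "https://api.usertesting.com/v1",
              "https://example.com/"]:
        print(u, "->", scope_decision(u))
```

Anything that resolves to "unlisted" is a host the program never mentions and is therefore not covered by the safe-harbor clause above; treat it exactly like "out".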


This program was crawled on 2022-07-12 and is listed under the bounty category.

FireBounty © 2015-2024