Bug Bounty Program
If you discover a security vulnerability, we would love to hear about it.
By reporting security issues you are helping keep our platform safe & secure.
Reporting security issues
- Email us at firstname.lastname@example.org
- Please allow several business days for us to acknowledge.
- We will keep you in the loop as we replicate and resolve reported issues.
- We are NOT accepting any XSS reports that require a logged-in user to add the XSS vulnerability. We accept ONLY XSS reports that are public-facing and can be done without being authenticated.
- We are currently NOT accepting reports of X-FRAME, CSRF, clickjacking, or token-related security issues. These have been well documented internally and plans are already in place.
- We are currently NOT accepting reports of security issues related to cookie theft or session hijacking. These have been well documented internally and plans are already in place.
- We are only looking for issues with our marketing platform. We are not looking for any items that involve third-party integrations, our general sales, site, etc.
- Provide detailed steps to reproduce the vulnerability.
- Let us know if you would like to be listed on our “thanks” page.
- Avoid anything that could cause service disruptions.
- Avoid any unauthorized data access. Test on your account only.
- Understand that we do not offer any cash bounties at this time.
- We often receive duplicate reports of issues. In such cases, we will list only the original reporter, not all reporters, on our "Thanks" list.
- Do NOT run any automated testing tools against our web site or our application.
The following researchers have helped keep ActiveCampaign safe and secure with
responsible vulnerability disclosures: