2016-11-14
2020-05-07

Pushwoosh

We are offering a place in our Hall of Fame on an ongoing basis for penetration testers who find valid vulnerabilities, subject to the rules and terms of participation. If you discover a vulnerability in the Pushwoosh application, services or infrastructure, please don't share it publicly. Send any problems to us via the Contact Us form on our website. We'll ping you back as soon as we can with a confirmation and endless kudos.

We're trying to respond as fast as we can, but it may take us up to 14 days to process a new report.

Sending a bug report

Only original, previously unreported bugs will be taken into account. Please submit one issue per ticket.

What should be included in your report:

  • Thoroughly described ways to reproduce the particular bug
  • How this vulnerability can be exploited or potentially exploited

Would be highly appreciated:

  • Screenshot or video with an exploit demonstration

API Information and Documentation

Pushwoosh Docs

Creating the Account

You must use the pentester_anyCharacters@any.domain email alias when signing up for pushwoosh.com accounts that will be used to participate in this bounty.
Accounts not following this rule will be suspended without warning.

Targets

The target host for this bounty is:

  • go.pushwoosh.com

The following will not qualify for the program:

pushwoosh.com and docs.pushwoosh.com and community.pushwoosh.com are specifically excluded from this bounty.

The following will not qualify for the bounty program:

  • Any kind of brute force
  • Disclosure of known public files or directories (e.g. robots.txt)
  • DDoS
  • Password policy
  • Any CSRF
  • Open redirect
  • Missing secure cookie flag
  • DNSSEC not configured
  • Missing SPF DNS record
  • Any CSV Macro Injection
  • Clickjacking
  • Any kind of HTML injection on Rich Media
  • Missing HTTP security headers
  • Reports from security scanners and other automatic systems
  • Vulnerability reports based solely on the software version / protocol
  • Issues with Zendesk widgets and Intercom widgets

Pushwoosh Responsible Disclosure Policy

In the best interest of our customers and Internet users worldwide, we ask that you follow the guidelines of responsible disclosure:

  • Do not publicly disclose part or all of the vulnerability until we have had a chance to investigate and address it.
  • Do allow us a reasonable timeframe of 90 days to respond back to you and address the vulnerability before making any information public.

Our Thanks to You

Pushwoosh greatly appreciates the efforts of those security researchers who identify vulnerabilities and work with us to ensure that we can develop a fix and issue it to all our users. We thank you for going out of your way to help us minimize the risk to our users as well as help us in our vision to improve the overall security of our products.


This program has been found on HackerOne on 2016-11-14.
