At Envoy, we want security to be an integral piece throughout our entire
engineering process - not just a standalone team. As a part of this process,
we welcome the security community to help us protect the privacy and
confidentiality of our company and our customers. And we hope to develop great
relationships with our researchers so we can continue to help make the online
world a safer place.
- Please do NOT send any messages to our support chat or our support email at any time
- Create test account here: https://envoy.com/trial/premium
- Please include H1 in your Company Name when registering for a trial so we can identify our researchers from sales prospects.
SLA | Business Days
Time to First Response | 5
Time to Triage | 10
Time to Bounty | 30
Time to Resolution | 90
Time to Resolution is subject to vulnerability severity and complexity. We’ll
try to keep you informed about our progress throughout the process and make
our best effort to resolve vulnerabilities as quickly as our resources allow.
Disclosure and Conduct Guidelines
Envoy will deal in good faith with all researchers who find, verify and submit
reproducible vulnerabilities, as long as you follow these few guidelines.
- Follow HackerOne's disclosure guidelines.
- Be the first researcher to submit a complete report.
- Do not disclose or discuss the vulnerability before it’s resolved.
- Do no harm.
- Do not exploit any vulnerability beyond what is necessary to prove that it exists.
- Do not exfiltrate data.
- Do not intentionally compromise the privacy or security of Envoy employees or customers.
- Do not intentionally compromise the intellectual property or other interests of Envoy, Envoy employees or our customers.
Vulnerabilities We're Most Interested In
- SQL Injection (SQLi)
- Session Stealing
- Complete Authentication Bypass
- Access Control Issues
- Stored XSS (XSS)
- Path Traversal
- Server-Side Remote Code Execution (RCE)
- Local File Inclusion (LFI)
- Reflected XSS (Exploitable)
- Cross-Site Request Forgery (CSRF)
- Server-Side Request Forgery (SSRF)
- XML External Entity Attacks (XXE)
What We're NOT Interested In
- DMARC settings not enforced for all email
- Password reset and login pages allow verification of guessed usernames
- Changing email address does not invalidate unused password reset links
- Usernames can include URLs, which will be included in emails and notifications
- Some functionality sends emails, and it may be possible to blast a lot of messages at a single user
Thank you for working with the Envoy security team!
Hall of Fame