At Envoy, we want security to be an integral piece throughout our entire engineering process - not just a standalone team. As a part of this process, we welcome the security community to help us protect the privacy and confidentiality of our company and our customers. And we hope to develop great relationships with our researchers so we can continue to help make the online world a safer place.

Testing Instructions

• Please do NOT send any messages to our support chat or our support email at any time
• Create test account here: https://envoy.com/trial/premium __
• Please include hackerone or H1 in your Company Name when registering for a trial so we can identify our researchers from sales prospects.

Response Time

Time to Resolution is subject to vulnerability severity and complexity. We’ll try to keep you informed about our progress throughout the process and make our best effort to resolve vulnerabilities as quickly as our resources allow us.

Disclosure and Conduct Guidelines

Envoy will deal in good faith with all researchers who find, verify and submit reproducible vulnerabilities, as long as you follow these few guidelines.

• Follow HackerOne's disclosure guidelines.
• Be the first researcher to submit a complete report.
• Do not disclose or discuss the vulnerability before it’s resolved.
• Do no harm.
• Do not exploit any vulnerability beyond what is necessary to prove that it exists.
• Do not exfiltrate data.
• Do not intentionally compromise the privacy or security of Envoy employees or customers.
• Do not intentionally compromise the intellectual property or other interests of Envoy, Envoy employees or our customers.

Vulnerabilities We're Most Interested In

Critical

• SQL Injection (SQLi)
• Session Stealing
• Complete Authentication Bypass
• Access Control Issues

High

• Stored XSS (XSS)
• Path Traversal
• Server-Side Remote Code Execution (RCE)

Medium

• Local File Inclusion (LFI)
• Reflected XSS (Exploitable)
• Cross-Site Request Forgery (CSRF)
• Server-Side Request Forgery (SSRF)
• XML External Entity Attacks (XXE)

What We're NOT Interested In

Known Issues:

• DMARC settings not enforced for all email
• Password reset and login pages allows verification of guessed usernames
• Changing email address does not invalidate unused password reset links
• Usernames can include URLs, which will be included in emails and notifications
• Some functionality sends emails, and it may be possible to blast a lot of messages at a single user

Thank you for working with the Envoy security team!