
UXCam Bug Bounty Program

Check out our hall of fame!

Overview

    Last updated: 2024-05-21

    At UXCam, the security of our systems and our customers’ data is our top priority. However carefully we maintain our security controls, vulnerabilities can still exist.

    If you have found a vulnerability in one of our systems, please report it to us with a detailed proof of concept so that we can address it as quickly as possible.

    Submit your report via our Vulnerability Disclosure Portal.

    Reporting structure

    So that we can understand your report and its impact on our organization, please structure it as follows:

    • Submit only one issue per report.

    • What is the security issue? Summarize it.

    • Reproduction and impact: a step-by-step list for reproducing the vulnerability, a description of its impact, screenshots or a video recording as proof of concept, and a CVSSv3 score.

    Domains in scope

    • uxcam.com

    • app.uxcam.com

    • dashboard.uxcam.com

    • auth.uxcam.com

    • das-api.uxcam.com

    • dashboardapi.uxcam.com

    • integrated-platforms.uxcam.com

    • api.uxcam.com

    • pythonapi-prod.uxcam.com

    • visualization.uxcam.com

    • uxcam-dashboard-builder.uxcam.com

    • websdk.uxcam.com

    In-scope vulnerabilities

    • Remote code execution (RCE)

    • Injection vulnerabilities

    • File inclusions

    • Access Control Issues (IDOR, Privilege Escalation, etc)

    • Leakage of sensitive information

    • Server-Side Request Forgery (SSRF)

    • Cross-Site Request Forgery (CSRF)

    • Cross-Site Scripting (XSS)

    • Other vulnerability with a clear impact

    Out-of-scope vulnerabilities

    • Certificates/TLS/SSL-related issues;

    • DNS issues (e.g. MX, SPF or DMARC records);

    • Server configuration issues (e.g. open ports, TLS settings);

    • User account enumeration

    • Clickjacking/tapjacking, and issues only exploitable through clickjacking/tapjacking

    • Descriptive error messages (e.g. Stack Traces, application or server errors)

    • Login & Logout CSRF

    • Username/email enumeration via Login/Forgot Password Page error messages

    • Host header issues without proof-of-concept demonstrating the vulnerability

    • Spam (SMS, email, etc)

    • Denial of service (DoS/DDoS)

    • Theoretical issues

    • Files without sensitive information

    • Missing HTTP security headers

    Rules for you

    • Do not attempt to gain access to another user's account or data. For cross-account testing, use your own test accounts.

    • Do not perform any attack that could harm the integrity of our services and data; DDoS (Distributed Denial of Service) and spam attacks are not allowed.

    • Test only sites you know are operated by UXCam.

    • Your testing must not affect other users; this includes testing for vulnerabilities in accounts you do not own.

    • Do not use scanners or automated tools to find vulnerabilities; they are noisy, and we may ban your IP address.

    • Social engineering and phishing attacks against our employees or users are not permitted.

    • Do not disclose the bug to the public.

    • If in doubt, email us; we are happy to clarify the conditions for you.

    Rules for us

    • We will respond to you within 5 business days with our evaluation of your report and an expected resolution date.

    • We will keep you updated as we fix the bug you submitted.

    • We will not take any legal action against you if you play by the rules.

    Eligibility for a bounty and the reward amount are decided solely by us. This bug bounty program exists entirely at our discretion and may be cancelled or modified at any time; modifications to the program's terms do not apply retroactively. Thanks for helping us make UXCam more secure.

    Rewards

    Rewards depend on the severity of the vulnerability and the completeness of the report, and are decided and offered at our sole discretion. We also list the reporter's name on our hall of fame page.

    • Minimum reward: $50

    • Maximum reward: $1000


      UXCam has successfully completed a SOC 2 Type 2 examination by Johanson Group.
