Wildix Bug Bounty Program
This document provides information about the Wildix Bug Bounty Program, including scope, eligibility, exclusions and rewards.
Created: May 2023
Updated: August 2024
Permalink: https://wildix.atlassian.net/wiki/x/AQAoCw
Important: Please note that the email for sending vulnerability reports has changed to bugbounty@wildix.com.
Objective
This program aims to encourage security researchers and ethical hackers to identify and report potential security vulnerabilities in our systems or applications. This will help us to improve the security of our products and services, and protect our customers' data.
Eligibility
The program is open to everyone, regardless of age or nationality. However, employees of our company and their immediate family members are not eligible to participate.
Only reports that meet the following requirements are eligible to receive a monetary reward:
- You must be the first reporter of the vulnerability
- The vulnerability must demonstrate security impact on a site or application in scope (see below)
- You must not have publicly disclosed the vulnerability before the report was closed
- We are not legally prohibited from rewarding you
Scope
The program's scope includes all publicly available web applications, native applications, mobile applications, and APIs owned by our company. The scope excludes client PBXes, physical security, social engineering, and any third-party applications or services that integrate with our products.
In scope:
Exclusions
- Non-production environments: *-dev.wildix.com, *-stage.wildix.com
- Third-party SaaS products with a CNAME to *.wildix.com
- Accessible non-sensitive files and directories (e.g., README.TXT, CHANGES.TXT, robots.txt, .gitignore, etc.)
- Missing flags on cookies
- Missing HTTP security headers
- Clickjacking and issues only exploitable through clickjacking
- Missing SPF, DKIM, DMARC, and CAA records in the DNS zone
- Disabled DNSSEC
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no security impact
- Descriptive error messages and patch disclosure with no security impact
- Rate limiting or brute force issues
- Software version disclosure
- Outdated software
Please refrain from:
- Overusing automated tools
- DDoS/DoS attacks
- Spamming/phishing attacks
- Reporting known-vulnerable components without proof of exploitation
- General low-severity issues reported by automated scanners
Rewards
Rewards will be given based on the severity and impact of the reported vulnerability. We will follow the OWASP Risk Rating to determine the severity of the vulnerability. The minimum reward for a valid vulnerability report is $50 USD, and the maximum reward is $5,000 USD.
The highest reward may be obtained for findings such as RCE, authentication bypass, vertical privilege escalation, and SQLi.
Bug Bounty rewards can be paid to a PayPal account only.
Reporting
All vulnerability reports should be submitted to bugbounty@wildix.com and contain a description and steps to reproduce or a PoC. Reports submitted through other channels (such as email or social media) will not be eligible for rewards.
Guidelines
- Do not perform any destructive or disruptive actions, such as deleting or modifying data or disrupting our services.
- Do not share any confidential information obtained during the testing.
- Do not publicly disclose any vulnerabilities before we have had sufficient time to investigate and fix them.
- Follow the laws and regulations of your country and ours.
Conclusion
We appreciate your efforts in helping us to improve the security of our products and services. We reserve the right to modify or cancel the program at any time.