Wildix Bug Bounty Program

This document provides information about the Wildix Bug Bounty Program, including its scope, eligibility criteria, exclusions and rewards.

Created: May 2023

Updated: June 2025

Permalink: https://wildix.atlassian.net/wiki/x/AQAoCw

Important: Please note that the email for sending vulnerability reports has changed to bugbounty@wildix.com


Objective

Wildix is committed to ensuring the security of our products and the privacy of our users. Our Bug Bounty Program invites independent security researchers and ethical hackers to test our systems for vulnerabilities. By responsibly disclosing vulnerabilities to us, researchers can help us protect our customers and business, and earn recognition and rewards in return.

We are particularly interested in real-world, exploitable security flaws that could significantly affect Wildix or its users. This includes vulnerabilities that can lead to unauthorized access, data leakage, injection attacks (such as SQL injection), authentication or authorization bypasses, remote code execution, or other serious impacts. Conversely, issues that are purely theoretical, best-practice concerns, or informational findings with no tangible security impact are generally not eligible for rewards. The sections below outline in detail what is in scope and out of scope for this program.

Eligibility

The program is open to everyone, regardless of age or nationality. However, employees of our company and their immediate family members are not eligible to participate.

Only reports that meet the following requirements are eligible to receive a monetary reward:

  • You must be the first reporter of the vulnerability
  • The vulnerability must demonstrate security impact on a site or application in scope (see below)
  • You must not have publicly disclosed the vulnerability before the report was closed
  • We are not legally prohibited from rewarding you

Scope

In-Scope Assets

The bug bounty program covers Wildix-owned, publicly available applications and services. This includes:

  • Web applications: Any web services or sites under the wildix.com domain

  • Mobile applications: Official Wildix mobile apps for Android and iOS

  • Desktop applications: Wildix native desktop applications and software clients

  • Cloud services and APIs: Wildix cloud platforms and any publicly exposed APIs or services provided by Wildix

If an asset or application is not clearly owned by Wildix or not publicly accessible, it is likely out of scope. When in doubt about whether a system is in scope, please contact us for clarification before proceeding with testing.

Out-of-Scope Assets

The following are explicitly out of scope for testing and are not authorized targets under this policy:

  • Any environment with a domain or subdomain matching *-dev.* or *-stage.* under the wildix.com domain

  • Customer PBX systems: Any client-deployed Wildix PBX instances or customer infrastructure (Only Wildix’s own hosted services are in scope.)

  • Physical security: Offices, data centers, and other physical or internal Wildix infrastructure

  • Social engineering: Any attempt to phish, scam, or socially engineer Wildix employees, partners, or customers

  • Third-party services: Services, applications, or libraries that Wildix uses but does not own (e.g., third-party software, SaaS platforms, content delivery networks)

Any vulnerability found in an out-of-scope asset should not be tested or reported through this program. If such an issue is inadvertently discovered, please notify us immediately and do not exploit it further.

Non-Qualifying Vulnerabilities

To focus efforts on impactful issues, our program excludes reports of purely theoretical or low-impact weaknesses. The following types of issues are generally not eligible for rewards and will typically be closed as informational:

  • Missing best-practice configurations: Issues like missing security headers (e.g., missing X-Frame-Options/CSP or HSTS headers) or the use of deprecated TLS/SSL ciphers, without an accompanying exploitable vulnerability

  • Clickjacking on non-sensitive pages: UI issues such as clickjacking on pages with no sensitive actions or data

  • Information disclosures with no security impact: Disclosure of version numbers, stack traces, or directory listings that do not expose sensitive information

  • Issues in third-party software: Vulnerabilities in third-party libraries or platforms that are not uniquely caused by Wildix’s implementation (unless you can clearly demonstrate an exploitable impact on Wildix)

  • Content spoofing or UI bugs: Visual or text issues (e.g., typos, misconfigured branding) that have no security consequence

  • Lack of rate limiting / Brute-force on non-critical endpoints: Absence of rate limiting or CAPTCHA on login or other pages, unless exploitation leads to a specific compromise (e.g., credential brute-force leading to account takeover)

  • Unauthenticated CSRF on non-critical actions: CSRF vulnerabilities on forms or actions that are available to unauthenticated users or have minimal impact

  • Email/SPF/DKIM issues: Missing or misconfigured SPF, DKIM, or DMARC DNS records, or lack of DNSSEC

  • Scanner-only findings: Generic “low risk” findings from automated scanners with no proof-of-concept, such as banner disclosures or suggestions to improve configurations

In general, any finding that cannot be exploited to impact confidentiality, integrity, or availability of our systems or data will likely be marked as informational and not eligible for a bounty. If you are unsure whether an issue qualifies, you can still report it and we will evaluate its impact.

Rules of Engagement and Safe Harbor

We require all participants to follow these rules to ensure tests are conducted safely and ethically:

  • Do no harm: Testing must not degrade the performance or reliability of our services. Do not perform destructive activities, such as data deletion, unauthorized data modification, or any form of service disruption (e.g., DoS/DDoS attacks)

  • No unauthorized access to data: Limit your testing to your own accounts or to test accounts. If during research you inadvertently access data that is not yours, stop immediately and report the issue. Do not attempt to view, alter, save, or transmit other users’ data

  • Social engineering prohibited: As noted, social engineering (phishing, pretexting, etc.) of anyone (employees, customers, partners) is not allowed as part of this program

  • No physical attacks: Avoid attempting to gain access to Wildix offices, hardware, or any physical systems

  • Follow the law: Conduct your research within the bounds of all applicable laws. Do not engage in any activity that would be unlawful or violate any agreements (such as those with Wildix customers) in the course of your testing

  • Testing guidance: Refrain from excessive automated scanning that may generate large volumes of traffic. If you use automated tools, fine-tune them to avoid impacting our systems. Always prefer targeted, manual testing for vulnerabilities

  • Confidentiality: Do not disclose or share any details of the vulnerabilities with anyone outside of Wildix, until given explicit permission (see Disclosure Policy section below). Similarly, any data or confidential information encountered during testing must be kept private

By participating in this program, you agree to abide by these rules. Violation of these terms may result in disqualification from the bounty program and potential legal consequences.

Reporting a Vulnerability

If you believe you’ve discovered a security vulnerability in a Wildix product or service, please report it to us privately and promptly as follows:

  • Report via email: Submit your findings to us at bugbounty@wildix.com. This is our official channel for receiving vulnerability reports

  • Submission format: Provide a clear and detailed report with all the information needed for us to understand and reproduce the issue:

    • A descriptive summary of the vulnerability and the potential impact

    • Step-by-step reproduction instructions or a working proof-of-concept (PoC). Include any relevant URLs, parameters, test account credentials, etc., to help us reproduce the issue

    • If applicable, attach screenshots or a short video demonstrating the exploit (optional but helpful)

    • The affected application, URL, or component, and the date/time of discovery

  • One issue per report: Please submit a separate report for each distinct vulnerability you find, unless multiple issues must be chained together to demonstrate an exploit scenario

  • Sensitive data: If your report must include sensitive information (e.g. user data or Wildix confidential info) as evidence, please let us know. We can arrange a secure communication method (such as using encryption) for transmitting such details

Once we receive your report, our security team will review it following the process and timelines outlined below. We kindly ask that you do not discuss or disclose the vulnerability to others until it has been resolved (per our Disclosure Policy).

Response and Reward Guidelines

Response Procedure

Wildix is committed to being responsive to submissions. Here is what you can expect after reporting a vulnerability:

  • Acknowledgment: We will confirm that we have received your report, usually via email. If you do not hear back, feel free to send a polite follow-up to ensure we received it

  • Triage & assessment: Our security team will validate the issue, determine its severity, and verify that it is in scope. We may contact you during this phase for additional information or clarification

  • Resolution: Once a vulnerability is confirmed, Wildix will work to develop and deploy a fix or mitigation. The time to resolution can vary depending on complexity and affected systems, but critical issues are addressed as a priority. We will keep you informed of major updates and may ask you to test or confirm the fix once deployed

  • Reward delivery: After the issue has been fully resolved and validated, we will issue any applicable bounty reward

Reward Amounts

Wildix’s bounty rewards are based on the severity and business impact of the vulnerability. We utilize a risk-based approach (inspired by the OWASP Risk Rating methodology) to categorize issues as Low, Medium, High, or Critical severity. While we do not publish exact payout figures, generally:

  • Critical severity issues (those that could cause extensive harm, such as remote code execution or full authentication bypass) receive the highest rewards (on the order of a substantial bounty)

  • High severity issues (significant vulnerabilities that could compromise sensitive data or user accounts) earn significant rewards (though less than critical issues)

  • Medium severity issues (moderate impact flaws) typically receive a moderate reward

  • Low severity issues (minor security concerns or edge cases) may earn a small reward or, in some cases, simply a thank-you letter if the impact is negligible

Only the first reporter of a given vulnerability is eligible for a reward. Duplicate reports covering the same issue will be closed as such. Additionally, to receive a bounty, you must comply with all program rules and must be eligible to receive funds (for example, we cannot issue rewards to individuals on sanctions lists or in countries where such transactions are prohibited by law).

Wildix reserves the right to adjust reward decisions based on factors such as the quality of the report, the difficulty of discovery, and the criticality of the affected system. Our goal is to be fair and consistent in our evaluations.

Disclosure Policy

No public disclosure without consent: To protect our users and systems, you may not publicly disclose or discuss the vulnerability in any forum or with any third party until we have confirmed a fix and explicitly authorized public disclosure. Prematurely revealing details of an unpatched vulnerability puts users at risk and violates this policy (making the report ineligible for any reward).

Wildix believes in coordinated disclosure. Once a fix is in place, we are open to discussing public disclosure (for example, via a joint advisory or blog post) in collaboration with the researcher. In some cases, we may request that details remain confidential for a longer period (for instance, if the vulnerability affects third-party software that needs time to patch across the ecosystem).

If you have questions about when or how you can safely disclose an issue you reported, please coordinate with our team. We appreciate your patience and commitment to ethical reporting.

Program Updates

This Bug Bounty Policy may be updated from time to time. Wildix reserves the right to modify the terms of this program or terminate it at any time. We will make efforts to inform active participants of any major changes, but it is your responsibility to review this policy periodically for updates.

By participating in the Wildix Bug Bounty Program, you agree to all the terms outlined here. We sincerely thank all security researchers for helping us strengthen the security of our products and protect our users.

Conclusion

We appreciate your efforts in helping us improve the security of our products and services. We reserve the right to modify or cancel the program at any time.