We run a managed private bug bounty program through HackerOne. However, if you believe you have found a legitimate security vulnerability and wish it to disclose it responsibly, please use the form linked below to submit through HackerOne. It will be triaged by the HackerOne team. Please note that this is not a way for external researchers to apply to the program in general. Being a managed program, it is up to HackerOne's discretion to invite hackers for the program.
Please do not submit bounty reports by email. We are no longer accepting submissions in this way and you will be directed to use the form instead.
Details of our program are still available below. Please fill the form at the bottom after reading through the details and out-of-scope cases. Follow HackerOne's disclosure guidelines.
Program Rules
In no event are you permitted to access, download, modify or delete data residing in any other HappyFox or HappyFox Chat account, other than your own test account.
You are also prohibited from:
- Executing or attempting to execute any Denial of Service attack.
- Accessing any sensitive data from our application / infrastructure in case of any exploit. The exploit should only go as far as to show the presence of an exploit and not use it to wildly fetch sensitive data.
- Knowingly posting, transmitting, uploading, linking to, sending or storing any malicious Software.
- Attempting to social engineer any other user of our service.
- Attempting to contact any of our customers regarding the vulnerability.
- Attempting to register or login to other customers’ accounts
- Testing in a manner that would result in the sending of unsolicited or unauthorized junk mail, spam, pyramid schemes or other forms of duplicative or unsolicited messages.
- Testing in a manner that would degrade the performance or operation of the Service.
- Testing third party applications or websites or services that integrate with or link to our Service.
Out-of-Scope Vulnerabilities
The following items are known issues or accepted risks where we will not reward you:
- Cross-Site Scripting (XSS)
- Reports from automated tools or scans
- Brute-force, / Rate-limiting, / Velocity throttling, and other denial of service based issues.
- Clickjacking.
- Content spoofing.
- Cookie flags.
- Open Redirects.
- Unauthenticated/logout/login CSRF.
- Presence of autocomplete on form fields, including username and password fields
- Missing additional security controls, such as HSTS or CSP headers or any warnings / recommendations related to SSL settings.
- DNSSEC settings
- Password recovery policies or Token retry / expiration or any such recommended best practices, such as reset link expiration or password complexity
- Malicious attachments on file uploads or attachments.
- Reflected File Download
- Excel CSV formula injection
- SPF, DKIM, DMARC issues.
- Outdated libraries / packages used unless there is a demonstrable exploit.
- Ability to send large amount of messages
- Ability to send spam or malware file
- Disclosure of non sensitive information, product / program version
Submission Form: