At UXCam, we prioritize system security and client data protection. While we attempt to maintain the greatest security standards, we are aware that vulnerabilities may still exist. We welcome security researchers to collaborate with us by identifying and reporting potential vulnerabilities in our systems.

If you have found a vulnerability in our system, please share it with us along with a clear proof of concept. This will allow our team to quickly investigate and resolve the issue. We greatly appreciate your responsible disclosure and commitment to improving our security.

Report a vulnerability

Getting Started

Account Setup

Accounts can be self-provisioned for testing at https://app.uxcam.com/signup, and you'll get a free 14-day trial. You can view all available features here: https://uxcam.com/plans.

Then, follow this guide to get started with UXCam: https://help.uxcam.com/hc/en-us/articles/29781684954521-Start-here.

At this time, you can use our React Native example app (source code), which already comes with our SDK integrated to send sessions to your account. However, please note that you’ll need to use your own app key and build the app from source. Note: We will soon release an example app with the SDK integrated, which will allow you to use the app without needing to build it from source.

Testing Guidelines

Production environment: Please be aware that the targets are in production environment, so ensure that all actions are safe, controlled, and do not impact the availability or stability of UXCam’s services for other users.

Name field: Add this string to your name/organization name: BugBounty-

Request header: Please include the following header in all server requests; this allows us to identify researcher testing activity and avoids blocking:

X-User-Id: <email_you_used_for_bugbounty_signup>

Example: X-User-Id: you@example.com

Useful Links

• SDK docs: https://developer.uxcam.com.

• Learn about the various features of UXCam: https://help.uxcam.com/hc/en-us/categories/360002359512-knowledge-base.

• Check Product Updates for recently launched features in the web app.

• Check the SDK changelog at: https://developer.uxcam.com/docs/changelog.

• Data Access API: https://help.uxcam.com/hc/en-us/categories/360003506631-Data-Access-API

In-scope targets

Web applications:

• uxcam.com

• app.uxcam.com / dashboard.uxcam.com - Same service

API:

• api.uxcam.com / pythonapi-prod.uxcam.com / visualization.uxcam.com - Same service

• auth.uxcam.com

• das-api.uxcam.com

• dashboardapi.uxcam.com

• event-tracking.uxcam.com

• integrated-platforms.uxcam.com

• signup-app-details.uxcam.com

• uxcam-dashboard-builder.uxcam.com - GraphQL API

• verify.uxcam.com

• websdk.uxcam.com

• websdk-recording.uxcam.com

Mobile/Web SDKs:

• Latest version of our SDKs

• Public SDK repos in our GitHub organization (github.com/uxcam)

Out-of-scope targets

• sdk.uxcam.com - This is an intentionally public S3 bucket which is needed for our SDK integration.

These targets are backed by third-party services. Only bugs that are the result of a misconfiguration on UXCam's part are in scope:

• bug-bounty.uxcam.com

• developer.uxcam.com

• help.uxcam.com

• info.uxcam.com

• referrals.uxcam.com

• resources.uxcam.com

• status.uxcam.com

Focus Areas

• Remote Code Execution (RCE)

• Injection vulnerabilities

• Authentication Bypass

• Access Control Issues (IDOR, Privilege Escalation, etc.)

• Business Logic Flaws

• Cross-Site Scripting (XSS)

• Server-Side Request Forgery (SSRF)

• Leakage of Sensitive Information

• File Inclusion vulnerabilities

• Other vulnerabilities with a clear impact

Submission Guidelines

To help us understand your report and assess the impact on our organization, please ensure the following:

• Submit only one vulnerability per report. Even if the same vulnerability affects multiple targets, submit only one report for each unique issue.

• Only the first submission of a given vulnerability will be eligible for a reward; duplicate reports will not be rewarded.

• Submissions must be made exclusively through the bug bounty reporting portal to be considered for a reward.

• Submissions may be closed if a researcher is non-responsive to requests for information after 14 days.

In your report:

• Provide a clear and concise summary of the vulnerability.

• Use Bugcrowd's Vulnerability Rating Taxonomy for the full vulnerability category; copy it in this format: VRT category > Specific vulnerability name > Variant / Affected function. Example: Server-Side Injection > File Inclusion > Local

• Include a detailed list of steps to reproduce the vulnerability, explain its impact, and provide screenshots or a video recording as proof of concept (PoC).

Exclusions

Any submissions where the impact is not clearly demonstrated and the attack cannot be clearly demonstrated do not qualify for rewards.

• Targets listed under Out-of-scope section.

• All P5 vulnerabilities corresponding to Bugcrowd's VRT.

• Any findings related to data breaches which are within the public domain.

Other excluded vulnerabilities:

• Banner disclosures on common/public services.

• Missing best practices (e.g. Content Security Policy, Anti-MIME-Sniffing headers).

• TLS/SSL-related concerns (e.g. forward secrecy, insecure cipher suites) without proof of exploitability.

• OPTIONS / TRACE HTTP methods enabled.

• Email spoofing due to misconfigured SPF/DKIM/DMARC records.

• Spam-related reports (SMS, email, etc.).

• Username/email enumeration via Login/Forgot Password page error messages.

• Lack of rate limiting or brute force issues.

• Weak CAPTCHA / CAPTCHA bypass issues.

• Logout Cross-Site Request Forgery (logout CSRF).

• Clickjacking/tapjacking without significant security impact.

• Missing HTTP security headers.

• CSRF on non-sensitive forms accessible to anonymous users (e.g. the demo request form).

• Known vulnerabilities in libraries or out-of-date software without known exploits.

• Vulnerabilities limited to unsupported browsers.

• Reports directly from automated tools or scans without a manual PoC.

• Denial of Service (DoS/DDoS) attacks.

• Files without sensitive information.

• Cross-Site Request Forgery (CSRF).

Rules for you

• Do not attempt to access or modify another user’s data or account. For any cross-account testing, use only your own test accounts.

• Avoid actions that may impact service integrity, availability, or confidentiality. Prohibited actions include DDoS, spam, or other disruptive testing.

• Testing must not affect real users or lead to unauthorized data changes or service interruptions.

• Test only on targets explicitly listed in the program scope, and ensure you are interacting only with assets owned and operated by UXCam.

• Automated tools may be used if rate-limited to a maximum of 5 requests per second; excessive traffic may result in IP or account bans.

• Do not attempt any social engineering attacks, including phishing or pretexting against UXCam employees or users. Testing should focus solely on technical vulnerabilities.

• If you accidentally access or believe that you have accessed sensitive data of customers, employees, or of UXCam, stop testing immediately, securely delete the data, and report it promptly to us.

• Do not share, disclose, or discuss any vulnerabilities outside of UXCam’s security team or the program’s submission process.

• If in doubt, do not hesitate to email us and we are happy to clarify the conditions for you.

Rules for us

• Allow us to respond to you within 5-10 business days with our evaluation of your report and the expected resolution date.

• We will update you as we fix the bug you submitted.

• We will not take any legal action against you if you play by the rules.

For the bug bounty eligibility and the reward value, the final decision will be from our end. This bug bounty program exists entirely at our discretion, which can be canceled or modified at any time. Any modification we make to these program’s terms does not apply retroactively. Thanks for helping us make UXCam more secure.

Rewards

This program uses Bugcrowd's Vulnerability Rating Taxonomy as a baseline for the initial prioritization and rating of findings. However, the priority of a vulnerability may be adjusted based on its likelihood or impact.

We offer rewards for vulnerabilities that require a code or configuration change to address. Rewards are determined based on the severity of the vulnerability and the completeness of the submitted report, at our sole discretion.

Hall of Fame

To be eligible for the Hall of Fame, researchers must submit report for valid and impactful vulnerabilities. Duplicate submissions for P3/P4 severity as well as P5 submissions are not considered for the Hall of Fame. Inclusion in the Hall of Fame is determined at our discretion, and researchers must consent to being listed.

Bounty

• P1 (Critical): $650 – $1000

• P2 (High): $300 – $650

• P3 (Medium): $150 – $300

• P4 (Low): $50 – $150

Bounty payment details

• We aim to process payments as soon as we receive the researcher’s payment details.

• Payments are made via PayPal (preferred). Bank transfers are available as an alternative.

• At this time, only monetary rewards are offered; we do not provide swags or pay in cryptocurrency.

• Researchers are responsible for complying with tax regulations in their local jurisdiction.