Last updated: 2024-05-21
At UXCam, the security of our systems and our customers’ data is the top priority. However hard we work to keep our systems secure, vulnerabilities can still exist.
If you have found a vulnerability in our systems, we ask that you report your findings to us with a detailed proof of concept so that we can take steps to address it as quickly as possible.
Submit your report via our Vulnerability Disclosure Portal.
So that we can understand your report and the type of impact it has on our organization, please make sure that your report follows this structure:
Submit only one issue per report.
What is the security issue? Summarize it.
How the exploit works: a detailed, step-by-step list for reproducing the vulnerability, its impact, screenshots or a video recording as proof of concept, and a CVSSv3 score.
uxcam.com
app.uxcam.com
dashboard.uxcam.com
auth.uxcam.com
das-api.uxcam.com
dashboardapi.uxcam.com
integrated-platforms.uxcam.com
api.uxcam.com
pythonapi-prod.uxcam.com
visualization.uxcam.com
uxcam-dashboard-builder.uxcam.com
websdk.uxcam.com
Remote code execution (RCE)
Injection vulnerabilities
File inclusions
Access Control Issues (IDOR, Privilege Escalation, etc.)
Leakage of sensitive information
Server-Side Request Forgery (SSRF)
Cross-Site Request Forgery (CSRF)
Cross-Site Scripting (XSS)
Other vulnerabilities with a clear impact
Certificates/TLS/SSL-related issues
DNS issues (e.g., MX records, SPF records, DMARC records, etc.)
Server configuration issues (e.g., open ports, TLS, etc.)
User account enumeration
Clickjacking/Tapjacking and issues only exploitable through clickjacking/tapjacking
Descriptive error messages (e.g. Stack Traces, application or server errors)
Login & Logout CSRF
Username/email enumeration via Login/Forgot Password Page error messages
Host header issues without proof-of-concept demonstrating the vulnerability
Spam (SMS, email, etc.)
Denial of service (DoS/DDoS)
Theoretical issues
Files without sensitive information
Missing HTTP security headers
Do not attempt to gain access to another user's account or data. For cross-account testing, use your own test accounts.
Do not perform any attack that could harm the integrity of our organization’s service and data. DDoS (Distributed Denial of Service) or spam attacks are not allowed.
Test only sites that you know are operated by UXCam.
Your testing must not impact other users; this includes testing for vulnerabilities in accounts you do not own.
Do not use scanners or automated tools to find vulnerabilities; these tools are noisy, and we may ban your IP address.
Attacks such as social engineering and phishing against our employees and users are not accepted.
Do not disclose the bug to the public.
If in doubt, do not hesitate to email us and we are happy to clarify the conditions for you.
Please allow us to respond to you within 5 business days with our evaluation of your report and the expected resolution date.
We will update you as we fix the bug you submitted.
We will not take any legal action against you if you play by the rules.
The final decision on bug bounty eligibility and the reward value rests with us. This bug bounty program exists entirely at our discretion and can be canceled or modified at any time. Any modification we make to the program’s terms does not apply retroactively. Thanks for helping us make UXCam more secure.
Rewards are based on the severity of the vulnerability and the completeness of the report; we decide and offer the following rewards at our sole discretion. We will also mention the reporter's name on our hall of fame page.