Bug bounty JivoChat:
make money on our mistakes
Tell us about our vulnerabilities in exchange for gratitude and reward
About program
Sometimes we make mistakes too
So we encourage you to report our bugs. Send an email to bugbounty@jivochat.com and specify:
1. description of the vulnerability
2. steps to exploit vulnerability
3. name and your profile link for public thanks (if you like)
1. description of the vulnerability
2. steps to exploit vulnerability
3. name and your profile link for public thanks (if you like)
Reward up to $300
We will test the bug and respond to you within 14 business days. Depending on the severity of the vulnerability, you will receive a reward of between $30 and $300
Where to look
Our main applications:
— app.jivosite.com, app3.jivosite.com — web version of the agent’s application and registration
— desktop and mobile apps from the page https://www.jivo.ru/apps
— code.jivosite.com — the chat window on the website
This is not a complete list, we will consider any requests related to our applications and domains *.jivosite.com *.jivochat.com *.jivochat.com.br and others.
What to look for
Critical vulnerabilities
Getting access to correspondence, the list of clients of other accounts, call records, transferred files
Ability to change the settings of other accounts or delete data in other accounts
Getting any access to files on the agent’s device via JivoChat applications
Obtaining confidential information about the account agents (email, phone, IP address) without an account in this account (deanonymization of the agents)
Getting access to internal JivoChat systems (they are located on * domains.jivosite.com)
Access to JivoChat servers, databases, or database backups
The average criticality
Increase of privileges within a single account (agents-administrator)
Vulnerabilities that require the user to be convinced to perform certain actions in the application or on third-party sites
Vulnerabilities that we are not interested in
Lack of protection or non-compliance with the recommendations (security best practices) without a specific exploitation scenario
Messages from security scanners
Vulnerability reports based on product/protocol versions without showing the vulnerability
Overflow of inbox agents with spam messages or calls
Getting access to your account data, provided that you have physical access to the unlocked device of the agent
Getting the agent’s known public data (avatar and name on the site)
Getting access to premium features without a license
User account email enumeration via Brute-force. Getting the list of user emails without Brute-force is in scope.
Authorization bypass that allows an agent without admin privileges to assign clients or access client chats, statistics, etc. within the same account. Unauthorized access to team chats in the same account is in scope.
Terms and
conditions
conditions
Only vulnerabilities in JivoChat applications, chat window, and partner account are considered. We will not consider the vulnerabilities and bugs on the sites that have established themselves on our live chat. Moreover, we do not recommend looking for vulnerabilities on these sites, except when they invite you to do so.
Vulnerabilities in CMS plugins and other third-party systems will only be considered if they belong to JivoChat.
We do not consider DoS (Denial of Service) vulnerabilities and ask you not to use load testing tools on our servers.
A reward for a vulnerability can only be paid to the first person to report it. What you need to include in the report is written above.
The reward is proportional to the criticality of the vulnerability (more details about what we consider critical are given above).
During the research, we ask you to use your test accounts and not to take actions that may harm other users or violate their privacy.
It will take us up to 14 business days to analyze the message.
We can only pay rewards through PayPal. Also, we may grant you a generous license to use JivoChat.
We reserve the right to refuse payment of remuneration at our discretion, as well as to modify the terms of the program or cancel it without notice.
Disclosure of vulnerabilities elsewhere than security@jivosite.com is a breach of the terms of the program. In such cases, we do not pay any rewards.