ClickMeeting Bug Bounty Program

Bug Bounty Scope

The following websites are within the scope of the program:

Non-Intrusive Submissions Handling

The following section encompasses submission of the vulnerabilities that do not require intrusive testing as per Open Bug Bounty rules:

General Requirements:

Always provide details of the security issue including all information needed to reproduce and validate the vulnerability and also you should provide a Proof of Concept (POC).

If you check the security of our service, you can not bring negative results or any other problems with data security, data disclosure or providing our service.

You can not modify, obtain, disclose, delete or share information that does not belong to you.
After reporting security issue, give us a reasonable time to fix the problem before you making any information public.

In particular, we ask you to refrain from testing resistance to any type of denial of service attacks, social engineering attacks, any other brute force attacks and others non-qualifying issues.

Testing Requirements:

QUALIFYING ISSUES
We qualify reporting issues regarding OWASP Top 10, in particular for one of the categories:
- Injection
- Broken authentication
- Sensitive data exposure
- XML external entities (XXE)
- Broken access control
- Security misconfiguration
- Cross-site scripting (XSS)
- Insecure deserialization
- Using components with known vulnerabilities
- Insufficient logging and monitoring

NON QUALIFYING ISSUES
We do not qualify reporting issues, in generally, regarding for one of the categories:
- Physical or Social Engineering
- Phishing Attack
- Mixed-content scripts
- Insecure cookies
- Vulnerabilities that require a potential victim to install non-standard software
- Service banner disclosure
- Vulnerabilities affecting users of outdated or unsupported browsers or platforms
- Self-XSS which cannot be used to exploit other users
- Reports from automated tools or scans
- Denial of Service Attacks
- Host Header Injection
- Reflected File Download (RFD)
- Username Enumeration
- Content injection issues
- Cross-site Request Forgery (CSRF) with minimal security implications (Logout CSRF, etc.)
- Missing autocomplete attributes
- Missing cookie flags
- Issues which require physical access to a victim’s computer
- Missing security headers which do not present an immediate security vulnerability
- SSL/TLS scan reports
- Open ports without an accompanying proof-of-concept demonstrating vulnerability
- Open Redirect Vulnerabilities
- Publicly accessible login panels
- Recently disclosed 0-day Vulnerabilities
- Email/SMS flooding attacks
- Issues related to software or protocols not under our control
- Clickjacking and the issues exploited only by clickjacking
and others Vulnerabilities out of scope OWASP Top 10.

Possible Awards:

You will always get our gratitude. At present we do not offer any other awards.