Bug Bounty

No technology is perfect, and PushPushGo believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.

Program Status: SUSPENDED

Disclosure Policy

  • Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
  • Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Interact only with accounts of your own or with explicit permission of the account holder.

Reporters accounts

Researchers can sign up for a trial with mail suffix +bugbounty ex. person+bugbounty@domain.com

SLA

PushPushGo will make a best effort to meet the following SLAs for hackers participating in our program:

  • Time to first response (from report submission) - 3 business days
  • Time to triage (from first response) - 3 business days
  • Time for resolution - depending on severity and complexity

Exclusions

While researching, we'd like to ask you to refrain from:

  • (Distributed) Denial of service
  • Weak password policy
  • Spamming
  • Cookie flags
  • Social engineering (including phishing) of PushPushGo staff or contractors
  • Any physical attempts against PushPushGo property or data centers
  • Brute-force, / Rate-limiting, / Velocity throttling, and other denial of service based issues.
  • XSS (or a behavior) where you can only attack yourself (e.g. "Self XSS").
  • XSS on pages where admins are intentionally given full HTML editing capabilities, such as custom theme editing

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep PushPushGo and our users safe!

How to report issue?

Please send issue with description and steps to reproduce to mateusz@pushpushgo.com

How to receive reward?

Please prepare recipt / invoice on our company data and amount that we agreed on.

Company data:

PushPushGo sp. z o.o.
VAT-UE: PL675-160-1766

Al. 29 Listopada 155c
31-406 Cracow
Poland

All of above data should be visible on invoice / recipt.

Przetestuj web push na swojej stronie

Testuję za darmo

Darmowa wersja zawiera wszystkie funkcjonalności systemu

Fundusze Europejskie