Envizage is proactively enhancing our security to identify new threats and ensure the security and safety of our customers, partners, suppliers, employees and the organization overall. Our rewards are based on the severity of a vulnerability. Please note, however, that reward decisions are up to the discretion of Envizage. Issues may receive a lower severity due to the presence of compensating controls and context.
Program Rules:
Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be accepted. In order to help us triage and prioritize submissions, Envizage recommends that vulnerability reports:
- Describe the vulnerability, where it was discovered, and the potential impact of exploitation.
- Offer a detailed description of the steps needed to reproduce the vulnerability (proof of concept scripts or screenshots are helpful).
Any information you receive or collect about Envizage, Envizage’s systems, or any of our users, employees, or agents in connection with the Bug Bounty Program (“Confidential Information”) must be kept confidential and only used in connection with the Bug Bounty Program. You may not use, disclose, or distribute any such Confidential Information, including without limitation any information regarding your Submission, without our prior written consent. Please note, not all requests for public disclosure can be approved. By making a Submission, you give us the right to use your Submission for any purpose.
General Rules:
- Provide details of the vulnerability finding, including information needed to reproduce and validate the report
- NEVER attempt to degrade the services
- NEVER impact other users with your testing
- Do not attempt to conduct post-exploitation, including modification or destruction of data, and interruption or degradation of Envizage services
- Test only In-Scope domains
- Do not save, store, transfer, or otherwise access sensitive information after initial discovery
- Do not post reports from automated scripts or scanners (without proof of exploitation)
Out-of-Scope Issues:
- Network denial of service (DoS, DDoS) or resource exhaustion tests
- Brute force attacks
- Social engineering (including phishing)
- CSRF on forms that are available to anonymous users (e.g., signup, login, contact, Intercom)
- Self-XSS and issues exploitable only through self-XSS
- Clickjacking
- Functional, UI and UX bugs and spelling mistakes
- HTTP 404 codes/pages or other HTTP error codes/pages
- Disclosure of known public files or directories (e.g., robots.txt)
- Any other non-technical vulnerability testing
In-scope domains:
- https://api.beta.envizage.me
- https://console.beta.envizage.me
- https://portal.beta.envizage.me
- https://envizage.me
Thank you for helping keep Envizage safe!