Security response and reporting program

Help find and fix problems in Poll Everywhere

Program overview

While we make every effort to make sure our platform is as robust as possible, we know systems can behave in very unexpected ways in the real world. If you find a vulnerability in Poll Everywhere or its related presentation applications, let us know through our PGP key and email. If you find a critical flaw, we may offer a sizeable reward for serious discoveries.

Vulnerability scope

We appreciate all reports from penetration testers using Poll Everywhere. That said, our focus lies primarily in user data exposure and remote code execution. We're more likely to reward a discovery that can be achieved remotely and could compromise the safety of our users, our users' systems, and user data. We don't consider, for example, bad DKIM/DMARC/SPF settings to be as serious as XSS that affects all users.

The following domains are considered eligible for rewards if serious vulnerabilities are discovered:

  • polleverywhere.com
  • pollev.com

The following categories of reports are specifically excluded from our program:

  • CSV macro injection vulnerabilities in third party applications (e.g., Microsoft Excel, LibreOffice).

Guidelines

  • Only perform tests on accounts you directly control.
  • Stay away from automated vulnerability scanners, port scanners, and testing tools. They're noisy and won't reveal anything.
  • Avoid accessing real user data. If you've discovered a flaw that threatens to access real user data, steer towards accounts you control.
  • Never store any real user data you discover. We know vulnerabilities can go in several directions, and sometimes user data exposure is unavoidable – but please make a note, contact us, and move on.
  • Contact us immediately if you discover a vulnerability. Include reproduction steps and sample data on sample accounts. Make sure to list the accounts you were using to test with and any extra accounts touched during your process.
  • Give us a reasonable amount of time to reply to your report before going public. If you go public prior to our fix, any reward you may have earned will be forfeited.
  • In general, act in good faith. We want to fix the problems you discover, not take punitive action.

Contact and timeline

Send any vulnerabilities or suggestions you have to . If your report contains sensitive details, you can encrypt your message with our public key on Keybase. Once we get your message, we'll triage your report and get a fix out the door. We'll keep you in the loop on this process, of course.