We appreciate all reports from penetration testers using Poll Everywhere. That said, our focus lies primarily in user data exposure and remote code execution. We're more likely to reward a discovery that can be achieved remotely and could compromise the safety of our users, our users' systems, and user data. We don't consider, for example, bad DKIM/DMARC/SPF settings to be as serious as XSS that affects all users.
The following domains are considered eligible for rewards if serious vulnerabilities are discovered:
The following categories of reports are specifically excluded from our program:
- CSV macro injection vulnerabilities in third-party applications (e.g., Microsoft Excel, LibreOffice).
- Vulnerability reports pertaining to password resets not logging out prior sessions. Customers can contact email@example.com for this service at any time, free of charge.