We appreciate all reports from penetration testers using Poll Everywhere. That said, our focus lies primarily in user data exposure and remote code execution. We're more likely to reward a discovery that can be achieved remotely and could compromise the safety of our users, our users' systems, and user data. We don't consider, for example, bad DKIM/DMARC/SPF settings to be as serious as XSS that affects all users. We believe, like Google, that exploitation modeling is a critical stage in the vulnerability reporting process. Reports that include a detailed attack scenario are significantly more likely to be considered relevant than those without.
Starting on September 14th, 2020, and extending until September 25th, 2020, we are pausing payments on new reports while we work to find a new payment processor. While all high-priority reports will be responded to during this time, low-priority or out-of-scope reports will not be processed until September 25th, 2020.
The following domains are considered eligible for rewards if serious vulnerabilities are discovered:
The following categories of reports are specifically excluded from our program:
- CSV macro injection vulnerabilities in third-party applications (e.g., Microsoft Excel, LibreOffice).
- Vulnerability reports pertaining to password resets not logging out prior sessions. Customers can contact email@example.com for this service at any time, free of charge.
- Issues related to password policy, including complexity, reuse, length, and other limits.
- Issues related to the subdomain webform.polleverywhere.com.
- Denial of service attacks that result from high volumes of requests, especially when the potential outcomes are theoretical. This includes all rate-based request flooding attacks.
- Clickjacking and UI redress attacks without an attack scenario. All clickjacking/iframe/UI redress attacks require proof of some damaging action capable of being taken. Demonstrating the ability to iframe embed content is not sufficient to demonstrate an attack vector.