We appreciate all reports from penetration testers using Poll Everywhere. That said, our focus lies primarily in user data exposure and remote code execution. We're more likely to reward a discovery that can be achieved remotely and could compromise the safety of our users, our users' systems, and user data. We don't consider, for example, bad DKIM/DMARC/SPF settings to be as serious as XSS that affects all users. We believe, like Google, that exploitation modeling is a critical stage in the vulnerability reporting process. Reports that include a detailed attack scenario are significantly more likely to be considered relevant than those without.
The following domains are considered eligible for rewards if serious vulnerabilities are discovered:
The following categories of reports are specifically excluded from our program:
- CSV macro injection vulnerabilities in third-party applications (e.g., Microsoft Excel, LibreOffice).
- Vulnerability reports pertaining to password resets not logging out prior sessions. Customers can contact firstname.lastname@example.org for this service at any time, free of charge.
- Issues related to password policy, including complexity, reuse, length, and other limits.