We appreciate all reports from penetration testers using Poll Everywhere. That said, our focus lies primarily on user data exposure and remote code execution. We're more likely to reward a discovery that can be achieved remotely and could compromise the safety of our users, our users' systems, and user data. We don't consider, for example, misconfigured DKIM/DMARC/SPF records to be as serious as an XSS that affects all users. We believe, like Google, that exploitation modeling is a critical stage in the vulnerability reporting process. Reports that include a detailed attack scenario are significantly more likely to be considered relevant than those without.
The following domains are considered eligible for rewards if serious vulnerabilities are discovered:
The following categories of reports are specifically excluded from our program:
- CSV macro injection vulnerabilities in third-party applications (e.g., Microsoft Excel, LibreOffice).
- Vulnerability reports pertaining to password resets that do not log out existing sessions. Customers can contact email@example.com for this service at any time, free of charge.
- Issues related to password policy, including complexity, reuse, length, and other limits.
- Issues related to the subdomain webform.polleverywhere.com.
- Denial-of-service attacks that result from high volumes of requests, especially when the potential outcomes are theoretical. This includes all rate-based request flooding attacks.
- Clickjacking and UI redress attacks without an attack scenario. All clickjacking/iframe/UI redress reports require proof that a damaging action can actually be performed. Demonstrating only that content can be embedded in an iframe is not sufficient to establish an attack vector.