Security response and reporting program

Help find and fix problems in Poll Everywhere

Program overview

While we make every effort to keep our platform as robust as possible, we know systems can behave in very unexpected ways in the real world. If you find a vulnerability in Poll Everywhere or its related presentation applications, let us know by email, encrypted with our PGP key if the details are sensitive. We may offer a sizable reward for critical discoveries.

Vulnerability scope

We appreciate all reports from penetration testers using Poll Everywhere. That said, our focus lies primarily on user data exposure and remote code execution. We're more likely to reward a discovery that can be achieved remotely and could compromise the safety of our users, our users' systems, and user data. We don't consider, for example, weak DKIM/DMARC/SPF settings to be as serious as an XSS that affects all users. We believe, like Google, that exploitation modeling is a critical stage in the vulnerability reporting process: a report that includes a detailed attack scenario (who the attacker is, what they need, and what they gain) is significantly more likely to be considered relevant than one without.

Starting on September 14th, 2020, and extending until September 25th, 2020, we are pausing payments on new reports while we work to find a new payment processor. While all high priority reports will be responded to during this time, low priority or out of scope reports will not be processed until September 25th, 2020.

The following domains are considered eligible for rewards if serious vulnerabilities are discovered:


The following categories of reports are specifically excluded from our program:

  • CSV macro injection vulnerabilities in third party applications (e.g., Microsoft Excel, LibreOffice).
  • Vulnerability reports pertaining to password resets not logging out prior sessions. Customers can contact for this service at any time, free of charge.
  • Issues related to password policy, including complexity, reuse, length, and other limits.
  • Issues related to the subdomain
  • Denial of service attacks that result from high volumes of requests, especially when the potential outcomes are theoretical. This includes all rate-based request flooding attacks.
  • Clickjacking and UI redress attacks without an attack scenario. All clickjacking/iframe/UI redress attacks require proof of some damaging action capable of being taken. Demonstrating the ability to iframe embed content is not sufficient to demonstrate an attack vector.


  • Only perform tests on accounts you directly control.
  • Stay away from automated vulnerability scanners, port scanners, and testing tools. They're noisy and won't reveal anything.
  • Avoid accessing real user data. If you've discovered a flaw that threatens to access real user data, steer towards accounts you control.
  • Never store any real user data you discover. We know vulnerabilities can go in several directions, and sometimes user data exposure is unavoidable – but please make a note, contact us, and move on.
  • Contact us immediately if you discover a vulnerability. Include reproduction steps and sample data on sample accounts. Make sure to list the accounts you were using to test with and any extra accounts touched during your process.
  • Give us a reasonable amount of time to reply to your report before going public. If you go public prior to our fix, any reward you may have earned will be forfeited.
  • Please don't submit reproduction processes that depend on Burp Suite or other proprietary testing products. Limit your examples to cURL-based requests, and include every payload needed to reproduce the attack in your email.
  • Please don't include copy-pasted descriptions of vulnerabilities, or links to third-party websites, or templates, that are used to submit bugs to programs in bulk. They often don't apply to us.
  • Please send, at maximum, one report at a time, and await a response on that report before submitting a subsequent report. Submitting more than one report or reports in bulk may result in significantly increased processing times.
  • Please include the words "I understand the PE security program" somewhere in your email, so we know that you read and understand this page.
  • Please be prepared to supply tax information (IRS Form W-9 or W-8BEN, as appropriate) and to receive payment through our payment partner, Tremendous. We are unable to make payments using ACH, IBAN, SWIFT, or money order.
  • In general, act in good faith. We want to fix the problems you discover, not take punitive action.
  • We reserve the right to withhold payment or cease working with any tester at any time.

Contact and timeline

Send any vulnerabilities or suggestions you have to . If your report contains sensitive details, you can encrypt your message with our public key on Keybase. Once we get your message, we'll triage your report and get a fix out the door. We'll keep you in the loop on this process, of course.