Security  VDP 

No technology is perfect, and we believe that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. 

If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly. 

What is a Vulnerability Disclosure Program? 
A Vulnerability Disclosure Program (VDP) is the "see it, say it, sort it" of the internet - we encourage security researchers to report any behaviour impacting the information security posture of Analytics products and services. 

Please document your findings thoroughly, providing steps to reproduce and send your report to us. 
* Reports with complete vulnerability details, including screenshots or video, are essential for a quick response. 
* We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research. 
* We will work with the affected teams to validate the report. 
* We will notify you of remediation and may reach out for questions or clarification. You must be available to provide additional information if needed by us to reproduce and investigate the report. 

Reference HackerOne guidance on writing quality reports: 

Who Can Participate? 
Anyone on the internet can participate 

Disclosure Policy 
By providing a Submission or agreeing to the Program Terms, You agree that you may not publicly disclose your findings or the contents of your Submission to any third parties. 
* Follow HackerOne's disclosure guidelines. 


Our attack surface is always evolving hence we welcome reports associated with domains you believe belong to us but are not listed here. 

High and Critical Vulnerabilities 
* Cross-site Scripting (XSS) 
* Cross-site Request Forgery (CSRF) 
* Server-Side Request Forgery (SSRF) 
* SQL Injection 
* Remote Code Execution (RCE) 
* XML External Entity Attacks (XXE) 
* Access Control Issues (Insecure Direct Object Reference issues, etc.) 
* Exposed Administrative Panels that without strong protection 
* Directory Traversal Issues 
* Local File Disclosure (LFD) 
* Vast Users’ Sensitive Information Leakage 
* Known vulns in unpatched software (usually third party) 

Out of Scope 
* Information leakage that cannot be used to make a direct attack, like server IP, server version, path, error message, internal IP, etc. 
* PII - do not collect any personally identifiable information - including credit card information, addresses and phone numbers from other customers. 
* Reports from automated tools or scans. 
* Attacks against Analytics infrastructure 
* Social engineering and physical attacks 
* Distributed Denial of Service attacks that require large volumes of data. 
* 0-day vulnerabilities less than 30/60/90 days from patch release are ineligible for bounty. 
* Provisioning and/or usability issues. 
* Violations of licenses or other restrictions applicable to any vendor's product. 
* Security vulnerabilities in third-party products or websites that are not under Analytics’s direct control. 
* "Self" XSS 
* Session fixation 
* Content Spoofing 
* Missing cookie flags 
* SSL/TLS best practices 
* Mixed content warnings 
* Clickjacking/UI redressing 
* Flash-based vulnerabilities 
* Local denial of service of Mobile APP 
* Reflected file download attacks (RFD) 
* Physical or social engineering attacks 
* Feedback, comment, message, etc. flooding 
* SMS/Email flooding for some of our business 
* CSRF/XSS with long or unpredictable parameter 
* Login/logout/unauthenticated/low-impact CSRF 
* Unverified Results of automated tools or scanners 
* No SPF/DMARC in non-email domains/subdomains 
* Attacks requiring MITM or physical access to a user's device 
* Issues related to networking protocols or industry standards 
* Error information disclosure that cannot be used to make a direct attack 
* Missing security-related HTTP headers which do not lead directly to a vulnerability 

Safe Harbor 
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. 

To Submit Reports please send it via email

We will respond within 1 to 4 working days. 

Thank you for helping keep our company and our users safe!

Do you like cookies? 🍪 We use cookies to ensure you get the best experience on our website. Learn more