This is not a complete list; we will consider any request related to our applications and domains (*.jivosite.com, *.jivochat.com, *.jivochat.com.br and others).
Getting access to correspondence, the list of clients of other accounts, call records, transferred files
Ability to change the settings of other accounts or delete data in other accounts
Getting any access to files on the agent’s device via JivoChat applications
Obtaining confidential information about an account's agents (email, phone, IP address) without having access to that account (deanonymization of the agents)
Getting access to internal JivoChat systems (they are located on *.jivosite.com domains)
Access to JivoChat servers, databases, or database backups
Medium criticality
Privilege escalation within a single account (agent to administrator)
Vulnerabilities that require convincing the user to perform certain actions in the application or on third-party sites
Vulnerabilities that we are not interested in
Missing protections or non-compliance with recommendations (security best practices) without a specific exploitation scenario
Raw output from security scanners
Vulnerability reports based only on product/protocol versions without demonstrating the vulnerability
Flooding agents' inboxes with spam messages or calls
Getting access to account data when you have physical access to the agent's unlocked device
Getting an agent's already public data (avatar and name shown on the site)
Getting access to premium features without a license
User account email enumeration via brute force. Obtaining the list of user emails without brute force is in scope.
Authorization bypass that allows an agent without admin privileges to assign clients or access client chats, statistics, etc. within the same account. Unauthorized access to team chats in the same account is in scope.
Program terms and conditions
Only vulnerabilities in JivoChat applications, the chat window, and the partner account are considered. We will not consider vulnerabilities and bugs on the sites that have installed our live chat. Moreover, we do not recommend looking for vulnerabilities on those sites unless they invite you to do so.
Vulnerabilities in CMS plugins and other third-party systems will only be considered if they belong to JivoChat.
We do not consider DoS (Denial of Service) vulnerabilities and ask you not to use load testing tools on our servers.
A reward for a vulnerability is paid only to the first person to report it. What you need to include in the report is described above.
The reward is proportional to the criticality of the vulnerability (more details about what we consider critical are given above).
During the research, we ask you to use your test accounts and not to take actions that may harm other users or violate their privacy.
We will take up to 14 business days to analyze your report.
We can only pay rewards through PayPal. Also, we may publicly thank you on a page on our website and/or grant you a generous license to use JivoChat.
We reserve the right to refuse payment of remuneration at our discretion, as well as to modify the terms of the program or cancel it without notice.