Bug Bounty Program – Help JivoChat to find errors

Tell us about our vulnerabilities in exchange for respect and reward
From time to time we all make mistakes. And we encourage you to report our mistakes to us. Send us an email to security@jivochat.com with the following information:
  • description of the vulnerability
  • steps to exploit the vulnerability
  • name and link to your profile for public thanks (if you would like that)
А reward of between $30 and $300
We will test the error and respond to you within 14 business days. Depending on the severity of the vulnerability, you will receive a reward of between $30 and $300.
What to look for and where
Our main applications:
This is not a complete list, we will consider any requests related to our applications and domains *.jivosite.com *.jivochat.com *.jivochat.com.br and others.
Critical vulnerabilities
  • Getting access to correspondence, the list of clients of other accounts, call records, transferred files
  • Ability to change the settings of other accounts or delete data in other accounts
  • Getting any access to files on the agent's device via JivoChat applications
  • Obtaining confidential information about the account agents (email, phone, IP address) without an account in this account (deanonymization of the agents)
  • Getting access to internal JivoChat systems (they are located on * domains.jivosite.com)
  • Access to JivoChat servers, databases, or database backups
The average criticality
  • Increase of privileges within a single account (agents-administrator)
  • Vulnerabilities that require the user to be convinced to perform certain actions in the application or on third-party sites
Vulnerabilities that we are not interested in
  • Lack of protection or non-compliance with the recommendations (security best practices) without a specific exploitation scenario
  • Messages from security scanners
  • Vulnerability reports based on product/protocol versions without showing the vulnerability
  • Overflow of inbox agents with spam messages or calls
  • Getting access to your account data, provided that you have physical access to the unlocked device of the agent
  • Getting the agent's known public data (avatar and name on the site)
  • Getting access to premium features without a license
  • User account email enumeration via Brute-force. Getting the list of user emails without Brute-force is in scope.
  • Authorization bypass that allows an agent without admin privileges to assign clients or access client chats, statistics, etc. within the same account. Unauthorized access to team chats in the same account is in scope.
Program terms and conditions
  • Only vulnerabilities in JivoChat applications, chat window, and partner account are considered. We will not consider the vulnerabilities and bugs on the sites that have established themselves on our live chat. Moreover, we do not recommend looking for vulnerabilities on these sites, except when they invite you to do so.
  • Vulnerabilities in CMS plugins and other third-party systems will only be considered if they belong to JivoChat.
  • We do not consider DoS (Denial of Service) vulnerabilities and ask you not to use load testing tools on our servers.
  • A reward for a vulnerability can only be paid to the first person to report it. What you need to include in the report is written above.
  • The reward is proportional to the criticality of the vulnerability (more details about what we consider critical are given above).
  • During the research, we ask you to use your test accounts and not to take actions that may harm other users or violate their privacy.
  • It will take us up to 14 business days to analyze the message.
  • We can only pay rewards through PayPal. Also, we may publicly thank you on a page on our website and/or grant you a generous license to use JivoChat.
  • We reserve the right to refuse payment of remuneration at our discretion, as well as to modify the terms of the program or cancel it without notice.