Bug Bounty
No technology is perfect, and PushPushGo believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.
Program Status: SUSPENDED
Disclosure Policy
Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Interact only with accounts of your own or with explicit permission of the account holder.
Reporters accounts
Researchers can sign up for a trial with mail suffix +bugbounty ex. person+bugbounty@domain.com
SLA
PushPushGo will make the best effort to meet the following SLAs for hackers participating in our program:
Time to first response (from report submission) - 3 business days
Time to triage (from first response) - 3 business days
Time for resolution - depending on severity and complexity
Exclusions
While researching, we'd like to ask you to refrain from:
(Distributed) Denial of service
Weak password policy
Spamming
Cookie flags
Social engineering (including phishing) of PushPushGo staff or contractors
Any physical attempts against PushPushGo property or data centers
Brute-force, / Rate-limiting, / Velocity throttling, and other denial of service-based issues.
XSS (or a behavior) where you can only attack yourself (e.g. "Self XSS").
XSS on pages where admins are intentionally given full HTML editing capabilities, such as custom theme editing
Safe Harbor
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for helping keep PushPushGo and our users safe!
How to report issue?
Please send the issue with a description and steps to reproduce to mateusz@pushpushgo.com
How to receive a reward?
Please prepare receipt / invoice on our company data and the amount that we agreed on.
Company data:
PushPushGo sp. z o.o.
VAT-UE: PL675-160-1766
Al. 29 Listopada 155c
31-406 Cracow
Poland
All of the above data should be visible on the invoice / receipt.