3CX Bug Bounty Program
Who we are
3CX is a global leader in business communications, used by more than 350,000 companies around the world. Building on the SIP open standard and WebRTC technology, 3CX has evolved from its roots as a PBX phone system into a complete communications platform, offering customers a simple, flexible and affordable way to call, video and live chat. With 3CX, businesses can increase productivity and enhance customer experiences while dramatically cutting costs and management headaches.
The 3CX Bug Bounty program is part of our commitment to providing a secure, best-in-class product to our customers and partners. 3CX looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.
Scope of program
The scope of our program covers vulnerabilities in any of the components included in or used by the 3CX software. This includes:
- 3CX Phone System V20 (Windows and Linux), in any deployment type:
  - On Premise
  - SMB
  - Hosted by 3CX
- 3CX SBC V20 (Windows and Linux)
- 3CX Windows app V20
- 3CX Mobile clients (iOS/Android)
- 3CX Live Chat and WordPress plugin
- 3CX Customer Portal
Any 3CX domain (*.3cx.*) or service not listed above is outside the scope of this program. Do not perform security tests on any 3CX domain or 3CX-related cloud service that is not in scope. Hackers who test 3CX domains, 3CX-related cloud services or anything else outside the scope may be removed from the program and/or permanently banned without notice.
Program Rules
- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
- When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. (If an issue affects multiple endpoints but stems from the same function, open only one report and include all endpoints)
- Social engineering (e.g. phishing, vishing, smishing) is prohibited.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
Test Plan
- Register on www.3cx.com using your HackerOne email address. Confirm your email and follow the wizard to select a deployment type. (Please refer to our documentation for more information about each deployment type at https://www.3cx.com/docs/manual/install/)
- New builds may have been published to the repository after you installed. If you find a vulnerability, update to the latest available version and confirm it still reproduces before submitting the report. On Linux you can update manually by running apt update && apt upgrade in your server's terminal.
- For any additional technical documentation, refer to our website.
- Hackers who want to test features that are only available with the ENTERPRISE license should use the "Credentials for testing" feature of HackerOne (H1) to request a license upgrade.
Bounties
The 3CX Bug Bounty program recognizes the contributions of security researchers who invest their time and effort in helping us make 3CX more secure.
The reward level is based on the vulnerability impact and increases for higher quality reports that include reproduction code, test cases, and patches. Rewards are not additive and are subject to change as we see fit. 3CX will determine the impact for a given security vulnerability based on existing and compensating controls. Prior bounty amounts awarded are not precedent for future payments. Our program's scope and policy is subject to change at any time and individuals are encouraged to refer to this policy often.
Multiple reports by the same user for an issue that stems from the same root cause will be treated as one.
Our rewards are based on severity per CVSS (the Common Vulnerability Scoring System). Please note that these are general guidelines and that reward decisions are at the discretion of 3CX. While exceptional reports may qualify for higher bounties, there should be no expectation of a payout above the range baselines.
| Severity | Payout |
|---|---|
| Critical | $2,300 - $3,500 |
| High | $1,150 - $2,300 |
| Medium | $350 - $1,150 |
| Low | $100 - $350 |
| Informative | $0 |
Vulnerabilities reported in the VoIP/RTC features of the product may be awarded an extra bonus (depending on severity).
Response Targets
3CX will make a best effort to meet the following SLAs for hackers participating in our program:
| Type of Response | SLA in business days |
|---|---|
| First Response | 5 days |
| Time to Triage | 7 days |
| Time to Bounty | 14 days |
| Time to Resolution | depends on severity and complexity |
We will try to keep you informed about our progress throughout the process.
Disclosure Policy
- Please do not discuss or disclose vulnerabilities in this program (even resolved ones) outside of the HackerOne platform.
- Follow HackerOne's disclosure guidelines.
Out of scope vulnerabilities
- Any activity that could lead to the disruption of our infrastructure or cloud services (DoS, DDoS).
- Lack of rate limiting on cloud endpoints.
- Creating unlimited objects in the 3CX Phone System is not considered an issue by itself, unless a severe impact can be demonstrated.
- SSRF in the Admin Console on self-hosted systems. On 3CX-hosted systems, actual impact must be demonstrated for a report to be accepted/eligible; the mere presence of SSRF is not enough.
- Command execution/injection using the Call Flow Designer (CFD). The app has functionality to execute system commands by design.
- Social engineering of our employees or contractors, unless explicitly authorized.
- Attacks against our physical facilities, unless explicitly authorized.
- Attacks requiring physical access to a user's device, unless the device is in-scope and explicitly hardened against physical access.
- Attacks requiring disabling Man In The Middle (MITM) protections.
- Attacks only affecting obsolete browsers or operating systems.
- Missing best practices (SSL/TLS configuration, Content Security Policies, cookie flags, tabnabbing, autocomplete attribute, email SPF/DKIM/DMARC records), unless a significant impact can be demonstrated.
- Information disclosure in log files in the product.
- Clickjacking or Cross-Site Request Forgery (CSRF) on unauthenticated pages / forms with no sensitive actions.
- X-Frame-Options "bypasses" using proxies.
- Open redirects, unless a significant impact can be demonstrated.
- Self-exploitation (e.g. self-XSS), unless a method to attack a different user can be demonstrated.
- Content spoofing, text injection and CSV injection, unless a significant impact can be demonstrated.
- Software version disclosure / Banner identification issues / Descriptive error messages or stack traces.
- Issues that require unlikely user interaction by the victim.
- Outdated dependencies.
- Subdomain takeover of any of the domains that are freely available in the 3CX Phone System.
- Reports from automated tools.
Safe Harbor
Gold Standard Safe Harbor applies to this program.
Thank you for helping keep 3CX and our users safe!