At 8x8, we help companies get their employees, customers and applications talking, so that people are more connected and productive wherever they are in the world. We value security and recognize the importance of ensuring the integrity and confidentiality of global communications.
8x8 Product Scope
| 8x8 Work | All your essential business communications brought together in one simple app. |
|---|---|
| ⚠️ Testing accounts or credentials are not being provided at this time. | |
| ⚠️ Product Assets: | |
| 8x8 Virtual Contact Center | A complete, secure cloud contact center solution that makes it easy to collaborate with agents and improve customer experiences. |
|---|---|
| ⚠️ Testing accounts or credentials are not being provided at this time. | |
| ⚠️ We will accept one report per unique issue across all related domains of the application, on the assumption that a single fix covers all of them, unless proven otherwise. | |
| ⚠️ The latest version of the software is usually available on https://vcc-na30.8x8.com/ | |
| ⚠️ Product Assets: | |
- Configuration Manager: vcc-*.8x8.com/CM/
- 8x8 Agent Workspace: vcc-*.8x8.com/AGUI/
- 8x8 Quality Management: vcc-*.8x8.com/QM/
- 8x8 Supervisor Workspace: https://superx.8x8.com/
- 8x8 Analytics for Contact Center: analytics-*.8x8.com
⚠️ Additional Testing Information regarding "Contact Center Agent Workspace":
- For the application to work properly behind a proxy (e.g. Burp), an exception has to be added for jabbind3.php:
  - Open the proxy settings and search for "streaming".
  - Add the endpoint, e.g. https://vcc-na1.8x8.com/agui/jabbind3.php, under "Streaming responses". (By default Burp buffers a response until it is complete before forwarding it; listing the URL there makes Burp pass the response through unbuffered, which this endpoint needs.)
- Attachment: {F3427433}
| Jitsi | Jitsi is a world class open source video meeting solution. We strive to make a flexible and secure video meetings platform with the option of end-to-end encryption (beta). |
|---|---|
| ⚠️ Have a feature request or bug not related to security? Let us know or contribute yourself: https://github.com/jitsi/ | |
| ⚠️ Product Assets: | |
- Infrastructure: *.jitsi.net
- Infrastructure: *.jit.si
- Source Code: https://github.com/jitsi
| 8x8 Video Conferencing | The best video conferencing solution for businesses of any size. Fully secure, reliable, packed with features and ridiculously simple to use. |
|---|---|
| ⚠️ Testing accounts or credentials are not being provided at this time. | |
| ⚠️ Product Assets: | |
- Web App: https://connect.8x8.com/
- 8x8 Communication APIs: sms.8x8.com, sms.8x8.uk, sms.8x8.id, sms.us.8x8.com, chatapps.8x8.com, …
If You See Something, Say Something
We welcome and encourage any submissions that help identify potential security vulnerabilities or exposures affecting our organization. Vulnerabilities disclosed under Responsible Disclosure assets will not be eligible for bounties.
8x8 IP Ranges & Domains
https://support-portal.8x8.com/viewArticle.html?d=76af47f6-a987-4c2a-a0a2-53d87a79023d&q=x-series-technical-requirements&hl=en
8x8 subsidiaries and acquisitions
- Contactual
- Fuze
- In2Tel
- Jitsi
- SameRoom
- Wavecell
Response Targets
8x8 will make a best effort to meet the following response targets for hackers participating in our program:
- Time to first response (from report submit) - 1 business day
- Time to triage (from report submit) - 2 business days
Disclosure Policy
- Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
- Please do not discuss vulnerabilities outside of the program without proper coordination and express consent from 8x8.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
- Only interact with accounts you own or with explicit permission of the account holder. Please notify us immediately if you encounter exposure of information.
- Follow HackerOne's disclosure guidelines.
Scope Exclusions
While researching, we'd like to ask you to refrain from:
- Any form of automation
- Any activity that could lead to the disruption of our service (DoS)
- Spamming
- Social engineering (including phishing) of 8x8 staff or contractors
- Any physical attempts against 8x8 property or data centers
The following findings are generally out of scope and not rewarded (exceptions are noted inline):
- Missing security headers (e.g. HSTS, CSP) or missing SPF/DMARC records
- Missing flags on cookies
- TLS/SSL issues (expired certificates, weak ciphers, key size, BEAST, CRIME)
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no security impact
- Clickjacking
- Rate limiting or brute force issues
- General low-severity issues reported by automated scanners
- Attacks requiring MITM or physical access to a user's device
- Vulnerable libraries or dependencies without a working proof of concept
- Comma Separated Values (CSV) injection
- Vulnerabilities only affecting users of outdated or unpatched browsers [less than 2 stable versions behind the latest released stable version]
- Software version disclosure / banner identification issues / descriptive error messages or headers (e.g. stack traces, application or server errors)
- Tab-nabbing
- Self XSS without further security impact
- Public zero-day vulnerabilities that have had an official patch for less than 1 month: these will be awarded on a case-by-case basis
- Credential stuffing: it is the responsibility of our users to ensure the uniqueness and security of their credentials. We strongly advise our users not to reuse passwords from other platforms or services and to use multi-factor authentication whenever possible. Any submission related to credential stuffing will be deemed out of scope and will not be rewarded.
Target Specific Scope Exclusion - connect.8x8.com
- IDORs whose identifier is unguessable/non-enumerable are out of scope
- IDORs where the identifier is a UUID
- IDORs based on AccountId and subAccountId
- When testing support functionality, please add "HackerOne" to your subject line and keep the number of requests to an absolute minimum.
Testing Identification
- Please use your [username]@wearehackerone.com alias when submitting information within the applications.
- To help us identify and classify researcher traffic, 8x8 asks you to include your HackerOne username in each and every HTTP request made by you or any tooling you use. Append it to the User-Agent header in the following format:
  User-Agent: <your tool's user agent> X-HackerOne: [H1 username]
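One way to make sure every request from your own scripts carries the tag, as an added example (not 8x8's or HackerOne's code): a urllib handler that appends "X-HackerOne: <username>" to the User-Agent of each outgoing request, plus a helper to check a captured request (for example a line from your proxy log) for the tag. Assumptions, labelled in the code: the client is Python's urllib, the username character set is restricted to letters, digits, "_", "." and "-" (which also keeps CR/LF out of the header value), and a request with no User-Agent falls back to urllib's own default agent before the tag is appended. The username "alice" and the URL used in the demo are placeholders.

```python
import re
import sys
import urllib.request

# Tag format from the program page: the username is appended to User-Agent
# as "X-HackerOne: <username>".
H1_TAG_PREFIX = "X-HackerOne: "

# Assumption: HackerOne usernames are short and use only these characters.
# Rejecting anything else keeps CR/LF out of the header value (header injection).
_USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")

# Assumption: fall back to urllib's own default agent when the request has none.
_DEFAULT_UA = "Python-urllib/%d.%d" % sys.version_info[:2]


def valid_h1_username(h1_username: str) -> bool:
    """True if the username is safe to place in a header value."""
    return bool(_USERNAME_RE.fullmatch(h1_username or ""))


def tag_user_agent(user_agent: str, h1_username: str) -> str:
    """Append 'X-HackerOne: <username>' to a User-Agent string, idempotently."""
    if not valid_h1_username(h1_username):
        raise ValueError("HackerOne username contains characters unsafe for a header value")
    tag = H1_TAG_PREFIX + h1_username
    base = (user_agent or _DEFAULT_UA).strip()
    if tag in base:  # the tooling (or a redirect re-run) already tagged this request
        return base
    return f"{base} {tag}"


class HackerOneTagHandler(urllib.request.BaseHandler):
    """urllib handler that tags every outgoing HTTP(S) request."""

    # Run before the default HTTPHandler (order 500) so it sees our User-Agent
    # and does not add urllib's own.
    handler_order = 100

    def __init__(self, h1_username: str):
        if not valid_h1_username(h1_username):
            raise ValueError("invalid HackerOne username")
        self.h1_username = h1_username

    def http_request(self, req):
        # urllib stores header names capitalised, hence "User-agent".
        current = req.get_header("User-agent", "")
        tagged = tag_user_agent(current, self.h1_username)
        req.remove_header("User-agent")  # drop any existing copy, normal or unredirected
        req.add_header("User-Agent", tagged)
        return req

    https_request = http_request


def build_tagged_opener(h1_username: str) -> urllib.request.OpenerDirector:
    """Opener whose every request carries the tag; use opener.open(url)."""
    return urllib.request.build_opener(HackerOneTagHandler(h1_username))


def tagged_request(url: str, h1_username: str, user_agent: str = "") -> urllib.request.Request:
    """Build a Request and run it through the handler without sending it."""
    req = urllib.request.Request(url)
    if user_agent:
        req.add_header("User-Agent", user_agent)
    return HackerOneTagHandler(h1_username).http_request(req)


def is_tagged(headers: dict, h1_username: str) -> bool:
    """Check that a captured request's headers (e.g. from a proxy log) carry the tag."""
    ua = next((v for k, v in headers.items() if k.lower() == "user-agent"), "")
    return (H1_TAG_PREFIX + h1_username) in ua


if __name__ == "__main__":
    # Placeholder username and URL; nothing is sent.
    req = tagged_request("https://connect.8x8.com/", "alice", "curl/8.4.0")
    print(req.get_header("User-agent"))
```

For tooling you do not control (scanners, Burp), a match-and-replace rule on the outgoing User-Agent header does the same job; the is_tagged check above is the one to run over the proxy history afterwards to confirm nothing went out untagged.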
Safe Harbor
The Gold Standard Safe Harbor applies.
What other researchers are saying …
- Lightning fast as always, wish all programs were like this!
- 8x8 is the best bug bounty program on HackerOne by far.
- Best Program Team!
- Thank you for being one of the fastest response triagers as well as super transparent, someone that works with hackers just like a collaboration.
- That was the fastest triage ever I think.
- This is the fastest program to date. Not only is the response time insane, but also the way your security team works with researchers is awesome. Totally love the fact that you guys are putting security as your top priority.
- The fastest response I've seen in HackerOne history, also on the weekend.
- That must have been the fastest fix I've ever seen! <24h from report to remediation, love to see it.
Thank you for helping keep 8x8 and our users safe!