Details

Invision is fully committed to the security and protection of our customers’ data. We encourage safe and responsible security testing and reporting of security issues based on the following simple rules:

• Do not attempt any testing that would result in a Denial-of-Service condition. • ALL security testing must be conducted in a non-production environment to minimize risk and impact to our customers. Please contact security at invisionpower dot com to obtain a testing environment. • Do not attempt to access, modify, or delete information that does not belong to you or your organization. • Do not run automated scans without checking with us first. • Do not test using social engineering techniques (such as phishing.) • Do not, in any way, attack or compromise our customers, end users or engage in the trade of stolen or leaked user credentials. • Do not disclose any report, or issues to the public or any third party without explicit permission from Invision Power Services, Inc.

IMPORTANT: Please do not submit reports related to the following:

Any issue that requires elevated (administrator) privileges to execute.
Descriptive error messages.
HTTP 404 codes/pages or other HTTP non-200 codes/pages.
Clickjacking and issues only exploitable through clickjacking.
CSRF on forms that are available to guest users (e.g. the contact form).
Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
Lack of Secure/HTTPOnly flags on non-sensitive Cookies.
DNS issues.
Email issues including spoofing, SPF, DMARC and DKIM settings.
Password policies.
HTTP security headers.

NOTE: Invision does not have a cash bounty reward program at this time. Your responsible reporting is, however, appreciated and kudos will be provided.

Please see www.invisioncommunity.com for full contact information and privacy policies.