Details

#UserTesting Vulnerability Disclosure Policy

UserTesting is committed to providing a secure platform for our customers and contributors. We encourage anyone who sees a security issue to report it here.

Note: This program does not offer rewards. UserTesting also works with professional security researchers through a private, invite-only bug bounty program.

Program Rules

Only pre-login-screen pages are in scope of this program. Do not create any accounts for the purpose of security testing.
Do not access, leak, manipulate, or destroy any user data.
Avoid privacy violations, destruction of data, and interruption or degradation of our service.

Response Targets

UserTesting will make a best effort to respond within 2 business days to your reports.

Responsible Disclosure

Report potential security issues as soon as possible, and we'll make every effort to resolve it appropriately.
Please provide us a reasonable amount of time to resolve the issue before making any external disclosure.
Follow [HackerOne's disclosure guidelines] (https://www.hackerone.com/disclosure-guidelines).

In-scope Vulnerabilities

Cross-site scripting (XSS)
SQL Injection (SQLi)
Missing/Broken Authentication
Remote Code Execution
Privilege Escalation
Sensitive Data Exposure
XML External Entities
Broken Access Control
Security Misconfiguration
Insecure Deserialization
Usage of Components with Known Vulnerabilities

##Safe Harbor Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Out-of-scope Vulnerabilities

Open redirects
Vulnerabilities related to customers manipulating testers through the testing process

While researching, please refrain from the following actions:

Outputs of automated scanning
Denial of service
Rate limit testing
Spamming
Social engineering (including phishing) of UserTesting staff or contractors
Standard user enumeration attacks
Reports solely indicating a lack of a possible security defense, such as certificate pinning or two-factor authentication.
Any physical attempts against UserTesting property or data centers

Thanks

We believe in recognizing the good work of others. If your efforts help us improve the security of our service, we're happy to acknowledge your contribution. Thank you for helping keep UserTesting safe!

UserTesting's HackerOne program is currently in invite-only mode. We look forward to working with you in the future.

Responsible Disclosure

Report potential security issues as soon as possible, and we'll make every effort to resolve it appropriately.

Please provide us a reasonable amount of time to resolve the issue before making any external disclosure.

Follow [HackerOne's disclosure guidelines] (https://www.hackerone.com/disclosure-guidelines).

In-scope Vulnerabilities

Cross-site scripting (XSS)

SQL Injection (SQLi)

Missing/Broken Authentication

Remote Code Execution

Privilege Escalation

Sensitive Data Exposure

XML External Entities

Broken Access Control

Security Misconfiguration

Insecure Deserialization

Usage of Components with Known Vulnerabilities

Out-of-scope Vulnerabilities

Open redirects

Vulnerabilities related to customers manipulating testers through the testing process

While researching, please refrain from the following actions:

Outputs of automated scanning

Denial of service

Rate limit testing

Spamming

Social engineering (including phishing) of UserTesting staff or contractors

Standard user enumeration attacks

Reports solely indicating a lack of a possible security defense, such as certificate pinning or two-factor authentication.

Any physical attempts against UserTesting property or data centers

Thanks

UserTesting's HackerOne program is currently in invite-only mode. We look forward to working with you in the future.