We take security seriously and welcome the contribution of external security researchers to help us ensure the security and privacy of our users. Please review the following policy before you disclose a potential security vulnerability.
Reporting a Security Vulnerability
If you discover a security issue or vulnerability in a User Interviews service, we ask that you report this to us confidentially by emailing email@example.com.
Please provide as many relevant details as you can, such as:
How the vulnerability can be exploited and the potential impact
How you discovered the vulnerability and clear steps to reproduce
Any proof of concept attack and/or images showing the attack vector
Any known patches or controls to mitigate the vulnerability
If you wish to be recognized in our Hall of Fame, please also provide your name/handle and a link for recognition (e.g., LinkedIn, Twitter, or personal website). See the “Recognition” section below for additional information.
Requirements and Exclusions
As long as you adhere to the following requirements when researching and reporting an issue to us, we will not pursue or support any legal action related to your research.
Do not access, destroy, or negatively impact User Interviews’ or its users’ data in any way.
Do not use automated scanners. The use of automated scanners may result in investigative action and your IP address being blocked.
Make every effort to avoid privacy violations and interruption or degradation of User Interviews’ services during your research.
Do not conduct any type of physical or electronic attack against User Interviews’ personnel.
Do not violate any laws or breach any prior agreements.
Keep information about any vulnerabilities you’ve discovered confidential until we’ve had 90 days to investigate your report and carry out any necessary remediation.
Out of Scope:
Findings from applications or systems not in scope
Findings that do not demonstrate a security impact to a site or application in scope
Findings in third-party services, or in services hosted by third-party providers
Findings derived primarily from social engineering (e.g., phishing, vishing)
UI and UX bugs and spelling mistakes
Network-level Denial of Service (DoS/DDoS) vulnerabilities
Things we do not want to receive:
Personally identifiable information (PII)
Financial account information (e.g., bank account number, credit card holder data)
We do not currently have a bug bounty program in place but will update this page with relevant information if one is instituted. In addition, we are happy to recognize your contribution in our Security Hall of Fame below if you provide your name/handle and a link for recognition.
We reserve the right to only credit researchers who have reported an issue that is proven and of sufficient severity.
Hall of Fame
A special thanks to the following people who have responsibly disclosed vulnerabilities to User Interviews: