At We-Connect, user data security is paramount. We build our software and infrastructure with this goal at the forefront. That's why we're excited to welcome the security community to help us identify and fix vulnerabilities.
We encourage everyone to test the security of our platform. If you want to join, here are some guidelines:
• Follow the Terms of Service (ToS) and avoid disrupting our service or using automated testing tools.
• Only interact with your account and avoid any actions affecting other users' data.
• If you discover a security vulnerability, report it immediately.
• Don't disclose vulnerability details until we've fixed the issue.
• We award a single bounty per vulnerability. The first valid report received qualifies for the reward.
We're interested in any security exploit, but we offer increased rewards for the following:
• Tampering User Data: This includes extracting or modifying another user's information (e.g., leads). Simply proving an account exists doesn't qualify.
• API Security: Successfully exceeding your API request quota or bypass authentication entirely.
• Cross-Site Scripting (XSS)
• Server-Side Code Execution
• This program focuses on security vulnerabilities, not regular bugs. Report those to our support team.
• Denial-of-Service (DoS) or brute-force attacks
• Mixed-content scripts
• Social engineering attempts
• Theoretical vulnerabilities
• "Best practice" issues (e.g., common HTTP headers, link expiration, email validation, or password policy)
• Known theoretical vulnerabilities deemed low-risk (e.g., non-expiring session cookie with HTTPS and HSTS preloading)
• Accessing device or location information from team members
Our flexible reward system doesn't have a fixed limit. We value the severity and creativity of your findings. Rewards depend solely on the vulnerability's impact and are distributed via PayPal after the fix is deployed. Please note, PayPal transaction fees are deducted from the awarded amount.
Submit your report here. We respond to all submissions within a few days. Once the patch is live, you'll receive your bounty through PayPal.
If you have any questions regarding the program, please contact us at [email protected].