Vulnerability report

The information on this page is intended for security researchers interested in reporting security vulnerabilities to the Personal Capital security team. Smooch relies on the Bugcrowd Vulnerability Rating Taxonomy for prioritisation of findings, but reserves the right to either downgrade or upgrade a finding's severity based on the criticality of its underlying risk to Smooch. We ask that you do not share or publicise any vulnerabilities submitted via this form. We appreciate your discretion and support.

Targets

API

api.smooch.io

Web app

app.smooch.io

SDKs

Smooch Web SDK
Smooch Android SDK
Smooch iOS SDK

Out of scope

smooch.io

Reporting

If you believe you have found any security vulnerability in the products or services of Smooch.io, you are welcome to submit a vulnerability report on our platform. In order to file a security vulnerability, please note that you must include the following information:
  • For web vulnerabilities, the URL where the vulnerability was identified
  • A detailed description with screenshots if necessary
  • Versions of web components related to the vulnerability (browser, OS, app version, etc.)
  • SDK versions, if applicable
  • Steps to reproduce the vulnerability
  • Your suggestion to fix the vulnerability
  • Any other information that you believe is useful

Target information

Please use our latest SDK and API versions when performing your tests. All vulnerabilities discovered and reported on other targets (including subdomains or older versions of the SDKs/API) will be accepted, but are not eligible for a reward at this time. These submissions will be marked "Not Applicable" to prevent negative ratings.
  • Smooch Web app - https://app.smooch.io
  • Smooch API - https://api.smooch.io
  • Smooch SDKs - Android, iOS and Web messenger

Prohibited Testing

  • Do NOT conduct non-technical attacks such as social engineering, phishing or unauthorized access to infrastructure.
  • Do NOT perform any attack that could harm our services (e.g. DDoS or spam).
  • Do NOT attack, in any way, our end users, or engage in trade of stolen user credentials.
  • Do NOT use automated scanners and tools to find vulnerabilities.
  • Do NOT perform automated/scripted testing of web forms, especially "Contact Us" forms that are designed for customers to contact our support team.
  • You may investigate or target vulnerabilities against your own or test accounts, but testing must not disrupt or compromise any data or data access that is not yours.

Rules

This program requires explicit permission to disclose the results of a submission. All issues will be paid after a fix has been applied.

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for Informational (P5) findings. Learn more about Bugcrowd’s VRT.
