Pushwoosh Vulnerability Monitoring

Penetration testers are welcome!

Become a hero and shine in our Hall of Fame! We greatly appreciate the input of volunteer testers who find valid vulnerabilities (subject to the rules and terms of participation). If you've discovered a Push-related problem, bug or vulnerability, please don't share it publicly – instead, let us know a.s.a.p. via the Contact Us form on our website or via Hackerone. We'll ping you back with a confirmation and a ton of kudos. So far our program offers only non-monetary rewards. We try to respond as fast as we can, but in some cases it may take us up to 14 days to process a new report.

Sending a bug report

Only original, previously unreported bugs will be taken into account. Please submit one issue per ticket.

What should be included in your report:

  • Detailed instructions for reproducing the particular bug
  • Ways to (potentially) exploit this vulnerability

Much appreciated:

  • Screenshot or video with an exploit demonstration

Targets

The target host for this bounty is

go.pushwoosh.com

The following will not qualify for the program

pushwoosh.com, docs.pushwoosh.com, community.pushwoosh.com and any other subdomains are specifically excluded from this bounty.

API Information and Documentation

Creating the account

Use the pentester_anyCharacters@any.domain email alias when signing up for pushwoosh.com accounts that will be used to participate in this bounty.

Accounts not following these rules will be suspended without warning.

The following will not qualify for the bounty program:

Pushwoosh Responsible Disclosure Policy

In the best interest of our customers and Internet users worldwide, we ask that you follow the guidelines of responsible disclosure:

  • Do not publicly disclose any part of a vulnerability, or the vulnerability in full, until we have had a chance to investigate and address it.
  • Do allow us a reasonable timeframe of 90 days to respond to you and address the vulnerability before making any information public.

Our thanks to you

Pushwoosh greatly appreciates the efforts of those security researchers who identify vulnerabilities and work with us to ensure that we can develop a fix and issue it to all our users. We thank you for going out of your way to help us minimize the risk to our users as well as help us in our vision to improve the overall security of our products.

The list of our beloved security researchers

| Researcher  | Vulnerability                                                          | Report date |
|             | XSS in autopushes                                                      | 05.01.2016  |
|             | Self-XSS at Push send form                                             | 16.05.2016  |
|             | Stored XSS at Filter name                                              | 26.05.2016  |
|             | Password recovery weakness                                             | 26.05.2016  |
|             | Self-XSS at session info message                                       | 26.05.2016  |
|             | Public access of config via Vim swap file                              | 27.05.2016  |
|             | Security vulnerability                                                 | 31.05.2016  |
|             | Password recovery weakness                                             | 31.05.2016  |
|             | Password reset threshold                                               | 31.05.2016  |
|             | Web application sessions limitation threshold                          | 31.05.2016  |
|             | Database remote access with full permissions                           | 31.05.2016  |
|             | Local File Inclusion                                                   | 31.05.2016  |
|             | HTTP Response Splitting                                                | 31.05.2016  |
|             | Security vulnerability                                                 | 31.05.2016  |
|             | Stored XSS at Rich Media                                               | 02.06.2016  |
|             | Password recovery information disclosure                               | 04.06.2016  |
|             | Multiple password request vulnerability                                | 04.06.2016  |
|             | XSS via POST request                                                   | 09.06.2016  |
|             | Software version disclosure                                            | 15.06.2016  |
|             | DOS with large password lengths                                        | 15.06.2016  |
|             | Unauthorized access. Ability to remove Filters of any other customer   | 16.06.2016  |
|             | HTTP response splitting. Content-type header                           | 17.06.2016  |
|             | Bypass blacklist email validation on user registration form            | 20.06.2016  |
|             | Ability to see push notification details of all customers              | 21.06.2016  |
|             | Stored XSS at Application name                                         | 23.06.2016  |
|             | Stored XSS at iBeacon UUID                                             | 23.06.2016  |
|             | Session Takeover                                                       | 27.06.2016  |
|             | Privilege Escalation vulnerability                                     | 27.06.2016  |
|             | Ability to log out all sub accounts in case 1 sub account is deleted   | 03.07.2016  |
|             | Email spam via user invites                                            | 12.07.2016  |
|             | Host Header Injection                                                  | 31.07.2016  |
|             | XSS in Rich Media                                                      | 13.08.2016  |
|             | Information Disclosure and broken authentication                       | 20.08.2016  |
|             | Email Spoofing                                                         | 14.11.2016  |
|             | Nginx server version disclosure                                        | 14.11.2016  |
|             | .htaccess file is accessible                                           | 14.11.2016  |
|             | Unsecured Grafana instance                                             | 15.11.2016  |
|             | Permission Issue                                                       | 15.11.2016  |
|             | Password Bug                                                           | 15.11.2016  |
|             | User Enumeration on resetPassword link                                 | 15.11.2016  |
|             | Password Change Issue                                                  | 15.11.2016  |
|             | Permission Issue [2]                                                   | 15.11.2016  |
|             | Administrator Access To RabbitMQ                                       | 16.11.2016  |
|             | Nginx version disclosure                                               | 18.11.2016  |
|             | XSS in autopushes                                                      | 19.11.2016  |
|             | Filename XSS                                                           | 19.11.2016  |
|             | Send invite issue                                                      | 14.11.2016  |
|             | Spam issues                                                            | 14.11.2016  |
|             | Email spam via invites                                                 | 14.11.2016  |
|             | Email spam via invites                                                 | 14.11.2016  |
|             | no limit on sending invites                                            | 18.11.2016  |
|             | no limit on sending invites                                            | 16.11.2016  |
|             | App name and subscribers count access                                  | 22.11.2016  |
|             | XSS in Platform Settings                                               | 14.12.2016  |
| Ahmad Shuja | Nginx administrator page disclosure                                    | 17.12.2016  |
|             | Clickjacking                                                           | 23.01.2017  |
|             | Clickjacking                                                           | 03.02.2017  |
|             | Account takeover                                                       | 14.02.2017  |
|             | Clickjacking                                                           | 22.06.2017  |
|             | Information Disclosure                                                 | 10.02.2017  |