voize Vulnerability Program Guidelines

If you believe you've discovered a security or privacy vulnerability that affects voize software or services, please report it directly to us. We review all eligible submissions for security bounty rewards.

What systems are in scope?

  • *.voize.de (excluding www.voize.de and *.admin.voize.de)
  • voize App
  • voize TIC App

What's not allowed?

  • Accessing user data: target only your own user or, when your own user does not exist, only voize employee (@voize.de) accounts
  • Degrading production systems for other users
  • Targeting customer systems
  • Targeting systems of our integration partners
  • Targeting applications using the voize SDK

Out of scope vulnerabilities:

  • Vulnerabilities on static websites without sensitive data or actions.
  • Clickjacking on pages with no sensitive actions.
  • Unauthenticated/logout/login CSRF.
  • Attacks requiring MITM or physical access to a user's device.
  • Attacks requiring social engineering.
  • Any activity that could lead to the disruption of our service (DoS).
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
  • Email spoofing
  • Missing DNSSEC or CAA records, or missing CSP or HSTS headers
  • Lack of the Secure or HttpOnly flag on non-sensitive cookies
  • Dead links
  • Use of known-vulnerable software within 30 days of the vulnerability being disclosed, and without evidence of exploitability

How are bounties decided?

  • Bounties will be decided at our discretion. The reward will be based on the scope of the vulnerability as well as the completeness and quality of the report.

Will my report be eligible for a bounty?

  • You must be the first party to report the issue directly to us via email
  • Your report must be clear and detailed and provide a way to reproduce the issue
  • You must sign an NDA agreeing not to disclose the issue publicly and to delete any information collected during the research process

What makes a complete report?

  • A detailed description of the issue(s) and the behavior you observed, as well as the behavior that you expected
  • A numbered list of steps required to reproduce the issue
  • A reliable exploit for the issue you are reporting
  • Details of any related issues or variants

What makes a good report?

  • A good report is reproducible so that we can accept it as part of the Vulnerability Bounty Program and evaluate it properly.

How do I report a vulnerability?

What we promise

  • We will respond to your report within 7 business days with our evaluation of the report and an expected resolution date.
  • If you have followed the instructions above, we will not take any legal action against you in regard to the report.
  • We will handle your report with strict confidentiality, and not pass on your personal details to third parties without your permission.
  • We will keep you informed of the progress towards resolving the problem.