Bug Bounty Program
We ask that you do not create new accounts, these will be deactivated and you will be removed from the program. If you would like credentials please reach out to security @ reviewtrackers.com
ReviewTrackers helps businesses measure and transform the customer experience. The platform collects review data from 100+ review sites to surface customer insights that enable brands to listen, comprehend, and make data-driven decisions about what their customers truly need or want. Trusted by over 50,000 businesses, ReviewTrackers helps busy professionals save time, money, and resources so they can focus on what matters most: their customers.
We follow the taxonomy defined by Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher —- along with the opportunity to appeal, and make a case for a higher priority.
Areas in scope
Any domain/property of ReviewTrackers not listed in the targets section is out of scope. This includes any/all subdomains not listed above.
The main marketing site for ReviewTrackers.
The authenticated portion of the app where the bulk of the functionality lies.
This is an admin portal for which no credentials are provided. The goal here is to try to break in. If you’re able to get in, please stop and report the issue before performing any additional testing behind the authentication.
Used for the ReviewTrackers API.
The iOS and Android apps
Available in their respective stores here:
- Accessing other user’s data in an illegitimate way
- SQL injection
Third party out-of-scope apps
ReviewTrackers uses a number of third-party providers and services. We cannot authorize security testing against systems that do not belong to us, but strongly suggest reporting issues identified within these services to the third-party directly.
Out of Scope
In general, if you believe the input will be read by another human other than yourself, do not submit it. Please use your best judgement here. Some examples would be the following:
- Do not sign up for any new accounts or request free trials.
- Do not test any, “contact us” or, “feedback” functionalities.
We ask that you comply with the policies below when reporting a security issue to ReviewTrackers:
- You give us reasonable time to investigate and mitigate an issue you report before making public any information about the report or sharing such information with others.
- You do not interact with an individual account (which includes modifying or accessing data from the account) if the account owner has not consented to such actions.
- You make a good faith effort to avoid privacy violations and disruptions to others, including (but not limited to) unauthorized access to or destruction of data, and interruption or degradation of our services.
- You do not exploit a security issue you discover for any reason. (This includes demonstrating additional risk, such as attempted compromise of sensitive company data or probing for additional issues.)
- You do not intentionally violate any other applicable laws or regulations, including (but not limited to) laws and regulations prohibiting the unauthorized access to data.
- For the purposes of this policy, you are not authorized to access user data or company data, including (but not limited to) personally identifiable information and data relating to an identified or identifiable natural person.
Please send all findings to security @ reviewtrackers.com. We do pay monetary awards dependent on severity.