Help Secure Sensfrx, Earn Rewards

Responsible Disclosure

Your Security Partner

We value the contributions of security researchers who help keep Sensfrx's platforms secure

Find a Bug

Discover security vulnerabilities within our defined scope.

Report Securely

Submit your findings through our secure reporting platform

Verification

Our security team verifies and validates your submission.

Get Rewarded

Receive recognition and exclusive swag for valid reports.

Rewards & Recognition

We value the contributions of security researchers who help keep Sensfrx's platforms secure

Limited Edition T-Shirts

Exclusive Sensfrx Bug Hunter t-shirts for valid vulnerability reports

Hall of Fame

Get recognized on our security researcher hall of fame

Security Acknowledgment

Public acknowledgment of your contributions to Sensfrx's security

Program Scope & Rules

Clear guidelines for security researchers

Domains & Web Applications

Customer dashboard (dashboard.sensfrx.ai)

API endpoints (api.sensfrx.ai)

Marketplace Integrations

Sensfrx WordPress plugin (latest version)

Sensfrx WooCommerce integration (latest version)

Sensfrx WHMCS module (latest version)

Sensfrx WISECP integration (latest version)

Note: When testing integrations, please use development environments only. Never test on production systems unless you own them.

Out of Scope

Social engineering attacks

Attacks targeting Sensfrx employees through phishing, vishing, or other social engineering techniques.

Denial of Service (DoS/DDoS) attacks

Any testing that impacts the availability of our services or causes degradation of service.

Third-party services

Services not directly managed by Sensfrx (except for our official integrations listed in scope).

Rate limiting issues

Unless they directly lead to another vulnerability with security impact.

Vulnerabilities in outdated versions

Only the latest versions of our software and integrations are in scope.

Testing Guidelines

Only test against accounts you own or have explicit permission to test

Do not access, modify, or delete data that does not belong to you

Do not attempt to exfiltrate data from the systems

Do not use automated scanners that may affect system availability

Disclosure Policy

Do not disclose any vulnerability to the public or third parties before it has been fixed and approved for disclosure

Provide a reasonable time for remediation before any disclosure

Coordinate disclosure timing with the Sensfrx security team

Reporting Requirements

Provide detailed reproduction steps that allow us to replicate the vulnerability

Include screenshots, videos, or proof of concept code where applicable

Explain potential security impact and attack scenarios

Severity Classification

Critical

Vulnerabilities that cause a direct and immediate impact on the confidentiality, integrity, or availability of customer data or Sensfrx systems. Examples: Remote code execution, authentication bypass affecting all users.

High

Vulnerabilities that have a significant impact but may require additional steps or specific conditions. Examples: SQL injection, stored XSS in commonly used features, CSRF with significant impact.

Medium

Vulnerabilities that have some security impact but are limited in scope or require unlikely conditions. Examples: Reflected XSS with limited impact, sensitive information disclosure affecting limited users.

Low

Vulnerabilities with minimal security impact or requiring highly specific conditions. Examples: Self-XSS, CSRF with minimal impact, minor information leakage.

Note: Final severity determination is at the discretion of the Sensfrx security team. We consider factors such as attack complexity, required privileges, and potential business impact.

Legal Safe Harbor

Sensfrx provides safe harbor for security researchers who:

Engage in security research in accordance with this policy

Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services

Report vulnerabilities directly to us and keep information about discovered vulnerabilities confidential until we remediate them

We will not pursue civil action or initiate a complaint to law enforcement for security research conducted in accordance with this policy. If legal action is initiated by a third party against you for activities that were conducted in accordance with this policy, we will make it clear that your actions were conducted in compliance with this policy.

Out of Scope Activities

The following activities are not covered by the safe harbor provisions:

Testing that impairs or damages the systems or data

Social engineering attacks against our employees

Physical attacks against our offices, data centers, or employees

Testing of systems or activities not covered in the scope

Vulnerability Types

Types of security issues we're particularly interested in

Authentication Issues
  • Authentication bypasses
  • Weak password policies
  • Session management flaws
Injection Vulnerabilities
  • SQL injection
  • Cross-site scripting (XSS)
  • Command injection
Access Control
  • Insecure direct object references
  • Missing function level access control
  • Privilege escalation
Data Exposure
  • Sensitive data exposure
  • Insecure API endpoints
  • Information leakage
Plugin Vulnerabilities
  • WordPress plugin security issues
  • WooCommerce integration flaws
  • WHMCS/WISECP module vulnerabilities
Configuration Issues
  • Security misconfiguration
  • Default credentials
  • Insecure default settings

Vulnerability Report Template

Please use this template when submitting vulnerability reports

When submitting a vulnerability to [email protected], please include the following information:

Subject: [Sensfrx Bug Bounty] - [Vulnerability Type] - [Affected Component]

## Vulnerability Details
- Vulnerability Type:
- Affected URL/Component:
- Severity (Critical/High/Medium/Low):

## Description
[Detailed description of the vulnerability]

## Impact
[Describe the potential security impact]

## Proof of Concept
[Code, screenshots, or videos demonstrating the vulnerability]

## Suggested Mitigation
[Optional: Your recommendations for fixing the issue]

Frequently asked questions

Questions you might ask about our products or services.

You can submit your bug reports via email to [email protected]. Make sure to include detailed reproduction steps, impact assessment, and any relevant screenshots or videos. Our security team will review your submission and respond accordingly.

We reward researchers for discovering security issues such as XSS, CSRF, SQL injection, authentication bypasses, authorization flaws, and other vulnerabilities that could impact our users' security or privacy. Vulnerabilities in our marketplace integrations (WordPress, WooCommerce, WHMCS, WISECP) are also eligible.

We aim to review all submissions within 5 business days. Complex issues may take longer to validate. You'll receive updates on the status of your report throughout the process.

No, please only test systems that are explicitly listed in our scope (*.sensfrx.ai domains and our marketplace integrations). Testing out-of-scope systems may violate our terms and applicable laws.

T-shirts are shipped within 30 days after a vulnerability is validated and fixed. We'll contact you for shipping details once your report qualifies for a reward.

Currently, our bug bounty program offers recognition and swag (t-shirts) as rewards. We do not offer monetary compensation at this time, but we highly value the contributions of security researchers and acknowledge them in our Hall of Fame.

We're currently working on implementing PGP encryption for our vulnerability reports. In the meantime, please avoid including highly sensitive information in your initial report. After we acknowledge your submission, we can establish a secure communication channel for sharing additional details if needed.

We are committed to the following response times:

  • Initial acknowledgment: Within 24 hours
  • Triage completion: Within 5 business days
  • Critical vulnerabilities: Begin remediation within 24 hours
  • High vulnerabilities: Begin remediation within 3 business days
  • Medium/Low vulnerabilities: Prioritized according to our security roadmap

We follow a coordinated disclosure process:

  • We request that you do not disclose the vulnerability publicly until we have had a chance to address it
  • Once a vulnerability is fixed, we will work with you to determine an appropriate disclosure timeline
  • We typically allow public disclosure 90 days after a fix has been deployed
  • We will acknowledge your contribution in our Hall of Fame and in any public disclosure

For testing our marketplace integrations:

  • WordPress/WooCommerce: We recommend setting up a local WordPress installation and installing our plugin from the WordPress repository
  • WHMCS: You can use the WHMCS demo environment with our module
  • WISECP: Contact us at [email protected] for access to a test environment

Documentation for all integrations is available at docs.sensfrx.ai/integrations.

Ready to Start Hunting?

Join our community of security researchers and help us build a more secure Sensfrx platform

Have questions about our program? Contact us at [email protected]