Witivio

Bug Bounty

Learn more about our Bug Bounty Policy

This program enables users to submit vulnerabilities or bugs to Witivio and provides a chance to win awards.

Overview

This program enables users to submit vulnerabilities to Witivio on products within the scope of the program (see the “Scope” section). These submissions provide a chance to win awards in amounts to be determined by Witivio at its own discretion. Witivio may change or cancel this program at any time and for any reason.

Similarly, these conditions may change at any time and will become applicable upon publication of the new version. By participating in the program, you automatically agree to the applicable terms and conditions.

Scope

The scope is limited to:

  • witivio.com and all associated sub-domains.
  • gpt-pro.com and all associated sub-domains.
  • teams-pro.com and all associated sub-domains.

What is not allowed:

  • Social engineering attacks against our customers or staff;
  • Attacks on service availability (e.g. denial of service or spam);
  • Data modification;
  • Disclosure of data and details of vulnerabilities without our consent.

What will not be rewarded:

  • Vulnerabilities related to a TLS configuration weakness;
  • Submissions relating to non-compliance with “best practices” (e.g. missing security headers);
  • Submissions relating to DNS configurations;
  • Network-level denial-of-service attacks;
  • Self-XSS;
  • Reports coming from a scanner without further explanation or POC;
  • Login, logout, unauthenticated or low-value CSRF;
  • Man-in-the-middle attacks;
  • Non-exploitable vulnerabilities;
  • Vulnerabilities related to rate limiting.

Witivio employees and former employees who left the company less than a year ago are not eligible for a reward. Likewise, people in the close circle of employees are not eligible for a reward.

Submission and disclosure process

If you think you’ve found a vulnerability in the scope described above, please send it to: dpo@Witivio.com.

The submission must contain:

  • Scope (URL affected);
  • Type of vulnerability;
  • Estimated severity;
  • Description of the impact;
  • Steps to reproduce;
  • Ways to exploit, with a valid POC;
  • A way to correct it.

A partial submission will not be eligible for a reward.

We will acknowledge receipt of the submission within 7 days. If this is not the case, please send a reminder to dpo@Witivio.com. We cannot be held responsible for an email that did not reach us.

After receipt, we will assess the eligibility of the vulnerability. The time this takes may vary depending on the type of vulnerability.

Eligibility is entirely at our discretion and will not be subject to appeal.

If a vulnerability is reported by multiple people, only the first report will be eligible for a reward; the others will be classified as “duplicate”.

Reported vulnerabilities must not be disclosed publicly unless expressly authorized by Witivio. If a vulnerability is published without this agreement, no reward will be given and legal proceedings may be initiated.

Rewards

If a vulnerability is submitted in compliance with the conditions defined above, a reward is possible.

For all payments, an invoice is required.

The invoice must be made out to Witivio, 16A Rue de Sélestat, 68000 Colmar, France, and include all the requisite information as detailed below, including your name, address, RIB, and VAT number (if applicable), as well as a short description of the service.

Payments are made by bank transfer to an IBAN only, and only if the bank details have been transmitted.

Payment is made within 30 days after validation and provision of the invoice.