Vulnerability Disclosure

Expectations

At all times, all relevant laws must be followed. When a security vulnerability is detected, a participating security researcher is expected to notify SoGoSurvey immediately following the process outlined below. Eligibility for a reward upon this notification is completely at the discretion of SoGoSurvey. Any concerns about the process or alignment with our rules may be directed to us at security@sogosurvey.com.

Program Rules & Legal Terms

• Eligibility to participate is limited to white hat hackers of a legal age and of sufficient technical proficiency to enable competent security research. Professionals from diverse industries and backgrounds (e.g., vulnerability researchers, pen testers, code auditors, enterprise security, etc.) are welcome.
• To be eligible, a vulnerability report must identify an original issue (not previously reported) and must be submitted promptly to security@sogosurvey.com based on the scope and process outlined in this policy. Any communication regarding this program should be through this email address.
• If an observed vulnerability leads to unintended or inappropriate access to data – especially critical information like PII, PHI, credit card details, or other proprietary data – the researcher must (a) limit access simply to gathering proof and (b) inform SoGoSurvey immediately through security@sogosurvey.com.
• An eligible researcher was not involved directly or indirectly in contributing the vulnerable code to the SoGoSurvey platform.
• An eligible researcher must avoid violating the privacy of SoGoSurvey and its users, interfering with our systems, destroying data, or harming the user experience.
• An eligible researcher is not an employee, contractor, or otherwise involved in any business relationship with SoGoSurvey or any of its concerns.
• An eligible researcher uses only their own accounts for security research purposes.
• An eligible researcher is not identified on any US sanctions list or living in a country (e.g., Cuba, Iran, North Korea, Crimea region of Ukraine, Sudan, Syria) on a US sanctions list.
• An eligible researcher may not exploit any security vulnerability for their own gain.
• An eligible researcher may not share details of a security vulnerability with any other party until the issue is resolved.
• An eligible researcher may not threaten or attempt to extort SoGoSurvey in any way.
• If SoGoSurvey identifies a majority of reports submitted by a specific security researcher as invalid, future reports from this researcher may not be accepted.
• A researcher who participates in SoGoSurvey’s Vulnerability Disclosure Program grants SoGoSurvey the right to make use of all reports and submissions.

Reporting Process

Once a vulnerability has been identified, a report should be sent promptly. The minimum requirements for this report are identified below.

• The report must be emailed directly to security@sogosurvey.com.
• The subject line of the email should use this format: Vulnerability Disclosure Report from [Your Name] – Date
• The report must contain the following:
• A detailed description of the location and nature of the vulnerability identified.
• The browser, operating system, and app version used in this research.
• Steps required to reproduce the reported vulnerability.
• Proof of the uncovered vulnerability (e.g., screenshot, video).
• Impact information including a list of URLs and affected parameters, additional payloads,
• Proof-of-Concept code, etc. 

Failure to adhere to the minimum requirements may result in the loss of a reward. All supporting evidence and other attachments must be stored only within the submitted report.

Scope & Exclusions

SoGoSurvey’s Vulnerability Disclosure Program applies to previously unreported security vulnerabilities found within SoGoSurvey’s Environment. This includes but is not limited to the SoGoSurvey website and platform, exposed APIs, and mobile applications.

High-priority eligible vulnerabilities:

• Can act as a threat to the user’s system and cause damage.
• Can directly or indirectly attack the confidentiality and/or integrity of user data.
• Can be launched using remote access.
• Can compromise the privacy of all types of data.
• Can compromise the platform’s integrity.
• Can lead to unauthorized access to data or resources and unauthorized running of a code.
• Can allow exclusive privileges or access beyond that intended.
• Can manipulate or bypass security controls or mechanisms.
• Can lead to further exploitation in the future.

Exclusions to this program:

• Any attempts to deny service.
• Any attempts to directly attack network or security infrastructure.
• Elements unrelated to a vulnerability, including missing HTTP-only or secure cookie flags, missing security headers, and SSL/TLS configurations.
• Any vulnerability caused by direct access to the victim’s device.
• Any use of click-jacking of pages or CSRF (Cross-Site Request Forgery) unrelated to a vulnerability.
• Any XSS (Cross-Site Scripting), content spoofing, or text injection that does not have any impact
on sensitive data.
• Any account or password recovery policies.
• Any active auto-complete attributes on web forms.
• Any brute force techniques such as username enumeration.
• Any configuration of email authentication including SPF, DKIM, DMARC, etc.
• Any impact due to outdated or unpatched browsers.

Rewards

Accepted submissions will be recognized on our website and may also be eligible for a gift card at the discretion of the SoGoSurvey management team.

Timelines

The process and scope outlined in this policy are designed to provide full clarity into this program. The following reference may be useful:

• A vulnerability report is received by email at security@sogosurvey.com.
• If the emailed report is incomplete, it may be returned to the sender for completion. Reports that do not follow the guidelines outlined in this policy will not be accepted.
• When a complete vulnerability report is received, our validation team may take up to 72 hours to review and verify the submission
• Following the review, the team will communicate the acceptance or provide another relevant response to the original submission.
• If the report is accepted, the management team will review the reward eligibility. Depending on required follow-up or clarification, this process may take more time.
• Based on the decision, the researcher will be notified.

We follow clear and transparent communication policies and will follow up with researchers in a timely manner as soon as any updates are available. If you have any questions or concerns, please contact our team at security@sogosurvey.com.