Vulnerability Disclosure and Reward Program

Help us make Missive safer!

We encourage responsible reports of vulnerabilities found in our websites and apps. We kindly ask that you not publicly disclose any information regarding vulnerabilities until we fix them. Rewards are offered at our discretion based on how critical each vulnerability is.

To report vulnerabilities, contact us at security@missiveapp.com with a detailed description to help us understand and fix the vulnerability as quickly as possible.

Our security.txt can be found here.

Out-of-scope exclusions

The following vulnerability classes are excluded from the program. No reward will be offered for reports related to these.

  • DMARC, SPF and DKIM email policy on Missive domains
  • EXIF metadata not stripped from uploaded images
  • Lack of DNSSEC
  • “Stored XSS” on non-authenticated hosts that serve user-uploaded files (ie. CDN)
  • Password reset link not invalidated upon requesting a new one

Last updated on September 22, 2020.