Security at Olark
We at Olark want all our customers to feel secure. In the interests of self-improvement and customer security, this page has our latest full-disclosure policy.
If you are a current customer
If you feel your account might have been compromised, or if there is an unexplained charge from us, absolutely do not hesitate to contact us through our chat box.
We will work with you to get the problem solved as quickly as possible, and get you back to making your customers happy!
If you are a professional security researcher
We sincerely thank you for your help, and will happily offer a bounty for submissions of security bugs under the following criteria:
- The bug is an application vulnerability (database injection, XSS, session hijacking, remote code execution and so forth) in our main website, the JavaScript chat box, our API, Olark Chat, or one of our other core services.
- The bug does not depend on any part of the Olark product being in a particular third-party environment. In particular, we are not responsible for vulnerabilities on the sites of any of our customers that happen to use Olark, unless those vulnerabilities might affect other Olark users or our main site.
- The bug's effects are not limited to browser/version combinations that cannot conceivably be called modern in any way (we're looking at you, IE6/7).
- You are the original source of the bug through your own research, and you are the first person to report the particular vulnerability to us.
- You have given/are giving us a reasonable amount of time to act upon the disclosure before disclosing it to any other organization, or to the public.
- You are not a minor, nor are you on any list of people we are not legally allowed to do business with.
There are some caveats to the above. To wit:
- Please do not test our capacity, or test for denial-of-service or similar exploits.
- Please do all testing on your own account, and not on any other customer's account. Also, please make the effort not to destroy any data, defraud anyone, or set any puppies on fire. We respect the privacy and safety of the people using our service, and hope you feel the same way.
- Please do not run any automated exploit scanners without limiting their scope. This generates spam for us, is annoying, and will likely cover a lot of ground that has already been trodden.
- Please submit the reproduction as plain text, or as proofs of concept in standard image or video formats (gif, png, mp4, and similar). If you submit in a rich-text format (docx, pdf), we will ask you to resubmit in plain text.
- We reserve the right to refuse or grant awards solely at our discretion, and to modify or cancel this policy at any time with no prior notice. We'll try not to be mean about it, though.
- Any tax implications or legal standing in your own country are entirely your own responsibility.
- XSS attacks that require user submission ("reflected" XSS, as opposed to "stored" XSS) are not eligible for a bounty, but can still receive recognition here and a t-shirt if the attack is novel.
- Vulnerabilities that result from code managed by any third-party partner we use in the operation of our product are not eligible for a monetary reward. However, we will provide contact information if you wish to attempt a responsible disclosure submission to that partner directly, and your submission may still be eligible for a listing on the Hall of Fame and swag.
How to disclose an issue
Submit your finding to security@olark.com (PGP is available, but please note the vulnerability, current as of 2018-05-15, mentioned here).
Please include:
- A summary of the problem
- A proof-of-concept or a stepwise breakdown
- How to identify you for attribution on this page.
We're not an Internet giant, but we will happily award between $100 and $300 for critical disclosures, and may award more at our discretion. We will also list you here in the Special Thanks section, send you a free awesome t-shirt, and buy you a beer (or similar beverage) if we ever run into you in person.
Please note that we are not a huge company, and all of our engineers have many responsibilities in addition to keeping our product secure. Because of that, there may be a lag in our responses, and there may be some time between submission and the patching of the vulnerability. We're sorry if you bump into either of these things, but we promise that we will eventually evaluate and respond to your submissions.
Special Thanks
Following are all the people who have participated in our responsible disclosure program, and to them we extend our heartfelt thanks.
2024
- Heidar Zeinalli
- Faizan Ahmad Wani
2023
2022
- Mustafa Jamal
- Faizan Ahmad Wani
- Yash Devkate (rootxyash)
2021
2020
- Sachin Birendra Pandey (@SachinP01470613, LinkedIn)
- Pal Patel
- Indira Sabeesh
- Raj Shinde
2019
- MLM Software
- Ratnadip Gajbhiye
- Rayen Messaoudi
- Prabhjot Dunglay
- Sameer Phad @sameerphad72
- Sree Visakh Jain
- Muhammad Aurangzaib @z41b1337
- Cyborg Wayne
2018
- Bryan Galao
- @missoum1307
- Amal Mohandas
- Kaushik Sardar
2017
- Ankit Singh
- Gareth Heyes
- Eusebiu Blindu @testalways
- Nikhil @niksthehacker
- Angkan Chanda (n1ghtcr4wl3r) https://nightcr4wl3r.blogspot.com
2016
- Anirudh Anand
- Yogesh Modi
- Ahmed Jerbi
- Zawad Bin Hafiz @thezawad
- Roei Sherman
- Shailesh Suthar @shailesh4594
- Frans Rosén
- The creator of certifications.fyi
- Diogo Real @c0rtePentest
- Bernardo Ariel Díaz @bada_77
2015
- Frans Rosén
- Abdul Haq Khokhar
- Ivan Ivanovich
- Avram Marius Gabriel
- Muhammad Hassaan Khan
- Prayas Kulshrestha
- Fredrik Nordberg Almroth
- Bogdan Calin
- Romin Farajpour Cami @MF4rr3ll
- Shivam Kumar Agarwal
- Nithish M. Varghese
- Jaidip Kotak @JaidipKotak
- Sree Visakh Jain
- Pratik Panchal Infobit Technologies
- Milan Solanski
- Cyber Warrior Bug Researchers
- Raghav Bisht
2014
- José Luís Zayas Banderas www.axarnet.es
- Issam Rabhi @issam_rabhi
- Anand Sundar Tiwari @anandtiwarics
- Suhas Gaikwad
- Rishiraj Sharma @ehrishiraj
- HariKrishna Valugonda @vhssunny1
- Ravikumar Paghdal @_RaviRamesh
- Nitesh Shilpkar
- Mahadev Subedi, bootstrapic.com
- Akhil Reni @akhil_Reni
- Christy Philip Mathew @christypriory
- Deepanker Chawla
- Robin Puri
- Manish Bhattacharya @umenmactech
- Frans Rosén
- Thalaivar Subu
- Luke Francl
- Amaresh Pattanayak (C-Dac, Knowledge Park, Bangalore)
- karthickumar.k
- Sachin Thakuri
- Hammad Mahmood
- Osama Mahmood
- prashanth varma
- Jakub Żoczek
- Jigar Thakkar, Infobit @jigarthakkar39
2013
- Muhammad Mujtaba @mushti
- Muhammad Waqar @MuhammadWaqar_9
- Ravikumar Paghdal @_RaviRamesh
- Harsha Vardhan Boppana @hvboppana
- Frans Rosén
- Yaroslav Olejnik - O.J.A.
- Vinod Tiwari @war_crack
- Javid Hussain @javidhussain21
- Kamil Sevi @kamilsevi
- Christy Philip Mathew @christypriory
- Ehraz Ahmed @securityexe
- Siddhesh Gawde
- Umraz Ahmed @umrazahmed
- Denis Kolegov @dnkolegov
- Sergey Markov
- Nitesh Shilpkar
- P.B. Surya Subhash @pbssubhash
- Jon, Bitquark Security Research
- Mathias Karlsson
- Rafael Pablos
- Vinesh N. Redkar @b0rn2pwn
- Saurabh Chandrakant Nemade @SaurabhNemade
- Paul Seekamp
- Jigar Thakkar, Infobit @jigarthakkar39
- Tejash Patel @tejash1991
- Vinod R. Kurup @apwbd007
- Devesh Bhatt @deveshbhatt11
- Jakub Żoczek
- Mateusz Goik, AliantSoft
- Abdelhamid ABOULOUAFA @_ham1d
- Hassan El Hadary
- Jayvardhan Singh @Silent_Screamr
- Simon Bräuer @redshark1802
- Mayank Kapoor, HacKerDesk @wHys0serious
- Gurjant Singh, HacKerDesk @GurjantSadhra
- Michiel Prins, HackerOne @michielprins
- Muhammad Shahmeer, Maads Security @Shahmeer_Amir