Bug Bounty Program

(Last updated December 11, 2023)

Reporting Vulnerabilities in the Order Desk Application

Our security team is committed to protecting our customers. As part of this commitment, we invite security researchers to help protect Order Desk and its users by proactively identifying security vulnerabilities via our bug bounty program. We work hard every day to maintain and improve our systems and processes to serve our customers better. However, should you find weaknesses in our application, we would appreciate you reporting them to us responsibly!

Program Rules

  • Only target the Order Desk application at app.orderdesk.me. Reports regarding any other marketing website Order Desk owns will not be accepted for this bug bounty program.
  • Don’t violate the privacy of our users, destroy any data or disrupt our services. Don’t be harmful when your aim is to help us secure our system better.
  • Only target your own accounts in the process of investigating any bugs/findings. Don’t target, attempt to access, or otherwise disrupt the accounts of other users without the express permission of our team.
  • Don’t target our physical security measures, or attempt to use social engineering, spam, distributed denial of service (DDoS) attacks, etc.
  • In case you find a severe vulnerability that allows system access, you must not proceed further and instead report your findings directly to us.
  • Please compile your findings. We receive many reports daily, so the fewer individual messages we need to go through, the more efficient the Bug Bounty Program will be.
  • Order Desk has the final decision about when and how bugs should be addressed.
  • All bug reports are confidential and are to remain between the reporter and Order Desk. Disclosing bugs to a third party is forbidden. Researchers must destroy all artifacts created to document vulnerabilities (PoC code, videos, screenshots) after the bug report is closed.
  • Threats of any kind will result in the immediate disqualification and banning of the researcher.
  • Exploiting or misusing a vulnerability for your own or others’ benefit will automatically disqualify the report.
  • We will not accept automated scanner outputs. Order Desk periodically performs automated scans.
  • Vulnerabilities that require a proxy for communication between Order Desk services and clients are not considered for this program.

How to Report a Bug

If you choose to, you can provide your IP address in the bug report. This is optional; it will be kept private and used only to track your testing activity and to review the logs on our side.

Once you have completed your audit of our systems and have findings to report that qualify for our bug bounty program, please let us know by email at security@orderdesk.com. Please state your findings concisely in your email.

If you are planning to send in multiple reports, please send them all at the same time after you have finished your audit.

Describe the issue you have found as explicitly and in as much detail as possible and provide any evidence you might have.

It is particularly helpful to include the following in your email:

  • The type of vulnerability (please see the categories below first)
  • Steps taken to reproduce the bug
  • Any related URLs
  • Objects and elements involved (if applicable)
  • Screenshots

We generally handle all reported issues within two weeks, but in some cases more investigation or mitigation is required. In that case you can reply to the same address as above to request the status of a report after this two-week period. Contacting us through any other means may result in disqualification from our bug bounty program.

Bug bounty payouts are made through PayPal and the amount is non-negotiable.

Vulnerability Categories

Name                                      Notes
Cross-Site Request Forgery                With significant security impact
Cross-Site Scripting                      Self-XSS is out of scope
Open Redirects                            With significant security impact
Cross Origin Resource Sharing             With significant security impact
SQL Injections
Server Side Request Forgery
Privilege Escalation
Encryption Weaknesses
Local File Inclusion
Remote File Inclusion
Leakage of Sensitive Data
Authentication Bypass, Unauthorized Access
Directory Traversal
Payment Manipulation
Remote Code Execution