[{"id":3774346,"new_policy":"At 8x8, we help companies get their employees, customers and applications talking to make people more connected and productive no matter where they are in the world. At 8x8 we value security and recognize the importance of ensuring the integrity and confidentiality of global communications.\n\n## \u0026nbsp;  8x8 Product Scope\n\n| **8x8 Work** | All your essential business communications brought together in one simple app. | \n| ------------ | -------------------|\n⚠️ Testing accounts or credentials are not being provided at this time.\n⚠️ Product Assets:\n* Web App: https://work.8x8.com/\n* 8x8 Work for Desktop: https://support-portal.8x8.com/helpcenter/viewArticle.html?d=8bff4970-6fbf-4daf-842d-8ae9b533153d\n* iOS App: https://apps.apple.com/us/app/8x8-work/id348177448\n* Android App: https://play.google.com/store/apps/details?id=org.vom8x8.sipua\n\n\n| **8x8 Virtual Contact Center** | A complete, secure cloud contact center solution that makes it easy to collaborate with agents and improve customer experiences. | \n| ------------ | -------------------|\n⚠️ Testing accounts or credentials are not being provided at this time. \n⚠️ We will accept one unique report for the application across all related domains as assumed single fix unless proven otherwise.\n⚠️ Latest version of software usually available on https://vcc-na30.8x8.com/\n⚠️ Product Assets:\n* Configuration Manager: vcc-*.8x8.com/CM/\n* 8x8 Agent Workspace: vcc-*.8x8.com/AGUI/\n* 8x8 Quality Management: vcc-*.8x8.com/QM/\n* 8x8 Supervisor Workspace: https://superx.8x8.com/\n* 8x8 Analytics for Contact Center: analytics-*.8x8.com\n\n⚠️  Additional Testing Information regarding \"Contact Center Agent Workspace\":\n* For the application to work properly behind a Proxy (e.g. BURP), an exception has to be added for `jabbind3.php`\n  * Proxy settings\n  * Search \"streaming\"\n  * Add `https://vcc-na1.8x8.com/agui/jabbind3.php` (e.g.) 
as \"Streaming responses\"\n  * {F3427433}\n\n| **Jitsi** | Jitsi is a world class open source video meeting solution. We strive to make a flexible and secure video meetings platform with the option of **end-to-end encryption (beta)**. | \n| ------------ | -------------------|\n⚠️ Have a feature request or bug not related to security? Let us know or contribute yourself: https://github.com/jitsi/\n⚠️ Product Assets:\n* Infrastructure: *.jitsi.net\n* Infrastructure: *.jit.si\n* Source Code: https://github.com/jitsi\n\nOpen source repositories that support [Jitsi](https://github.com/jitsi/).\nJitsi Meet offers free, secure and open-source video conferencing.\n⚠️ Good faith review of source that a reporter must have no association with the existence of the vulnerability in question.\n\n**Proof of Concept Requirements:**\n⚠️ Vulnerability submissions must include practical exploitation demonstrations on one of the following environments\n▶︎ The public Jitsi Meet instance ([meet.jit.si](https://meet.jit.si/))\n▶︎ 8x8 Video Meetings platform ([8x8.vc](https://8x8.vc/))\n▶︎ A self-hosted Jitsi deployment\n\n⚠️ For E2EE submissions please consult the [Jitsi End-to-End Encryption Whitepaper](https://jitsi.org/e2ee-whitepaper/) to better understand the implemented Threat Model.\n\n**Code Review Reports:**\n⚠️ Code-only vulnerabilities without proof of exploitation in production environments will typically be assessed at a lower severity level\n⚠️ Vulnerabilities requiring local access to exploit will be assessed at a lower severity level (unless exceptional circumstances exist)\n⚠️ Vulnerabilities exploitable only with development configurations (e.g., `BYPASS_AUTHORIZATION=1`) will be assessed at a lower severity level\n\n**Out of Scope:**\n▶︎ Not actively maintained or archived repositories\n▶︎ Experimental repositories\n▶︎ Reports for repositories that are forked should be submitted upstream, unless the report also affects one of our in-scope repos\n▶︎ 
[github.com/jitsi/jitsi-call-analytics](https://github.com/jitsi/jitsi-call-analytics)\n▶︎ [github.com/jitsi/jitsi](https://github.com/jitsi/jitsi/)\n[Jitsi Desktop](https://github.com/jitsi/jitsi/) is the heritage of [Jitsi Meet](https://github.com/jitsi/jitsi-meet). While some components are still used in e.g.  Jigasi, the project is not actively developed anymore. Improvements, bugfixes and builds are entirely based on community contributions\n▶︎ [.github](https://github.com/jitsi/.github)\n▶︎ [cla-enforcer](https://github.com/jitsi/cla-enforcer)\n▶︎ [eslint-config-jitsi](https://github.com/jitsi/eslint-config-jitsi)\n▶︎ [excalidraw](https://github.com/jitsi/excalidraw)\n▶︎ [excalidraw-backend](https://github.com/jitsi/excalidraw-backend)\n▶︎ [felix](https://github.com/jitsi/felix)\n▶︎ [fmj](https://github.com/jitsi/fmj)\n▶︎ [go-offline-maven-plugin](https://github.com/jitsi/go-offline-maven-plugin)\n▶︎ [growl4j](https://github.com/jitsi/growl4j)\n▶︎ [gsoc-ideas](https://github.com/jitsi/gsoc-ideas)\n▶︎ [irc-api](https://github.com/jitsi/irc-api)\n▶︎ [jebml](https://github.com/jitsi/jebml)\n▶︎ [jitsi-desktop-site](https://github.com/jitsi/jitsi-desktop-site)\n▶︎ [jitsi-maven-repository](https://github.com/jitsi/jitsi-maven-repository)\n▶︎ [jitsi-meet-file-sharing-service](https://github.com/jitsi/jitsi-meet-file-sharing-service)\n▶︎ [jitsi-meet-load-test](https://github.com/jitsi/jitsi-meet-load-test)\n▶︎ [jitsi-meet-logger](https://github.com/jitsi/jitsi-meet-logger)\n▶︎ [jitsi-meet-react-sdk](https://github.com/jitsi/jitsi-meet-react-sdk)\n▶︎ [jitsi-meet-release-notes](https://github.com/jitsi/jitsi-meet-release-notes)\n▶︎ [jitsi-meet-torture](https://github.com/jitsi/jitsi-meet-torture)\n▶︎ [jitsi-pseudotcp](https://github.com/jitsi/jitsi-pseudotcp)\n▶︎ [jitsi-test-lab](https://github.com/jitsi/jitsi-test-lab)\n▶︎ [jitsi-videobridge-openfire-plugin](https://github.com/jitsi/jitsi-videobridge-openfire-plugin)\n▶︎ [jiwer](https://github.com/jitsi/jiwer)\n▶︎ 
[jsocks](https://github.com/jitsi/jsocks)\n▶︎ [jvb-dashboard](https://github.com/jitsi/jvb-dashboard)\n▶︎ [jxs](https://github.com/jitsi/jxs)\n▶︎ [otr4j](https://github.com/jitsi/otr4j)\n▶︎ [portaudio](https://github.com/jitsi/portaudio)\n▶︎ [security-advisories](https://github.com/jitsi/security-advisories)\n▶︎ [Smack](https://github.com/jitsi/Smack)\n▶︎ [testrtc](https://github.com/jitsi/testrtc)\n▶︎ [winrt-libs](https://github.com/jitsi/winrt-libs)\n▶︎ [zrtp4j](https://github.com/jitsi/zrtp4j)\n\n| **8x8 Video Conferencing** | The best video conferencing solution for businesses of any size. Fully secure, reliable, packed with features and ridiculously simple to use. |\n| ------------ | -------------------|\n⚠️ Testing accounts or credentials are not being provided at this time.\n⚠️ Product Assets:\n* Web App: https://8x8.vc/\n\n\n| **Jitsi as a Service** | World's easiest way to add video meetings to your apps. \n| ------------ | -------------------|\n⚠️ Self Sign-up is available: https://jaas.8x8.vc/\n⚠️ [JaaS developer portal](https://developer.8x8.com/jaas/docs/jaas-onboarding) \n\n|** 8x8 Connect** | A multi-channel communication platform designed for businesses who want to work smart, not hard. | \n| ------------ | -------------------|\n⚠️ Self Sign-up is available: https://connect.8x8.com/\n⚠️ [8x8 CPaaS developer portal](https://developer.8x8.com/connect) \n⚠️ Product Assets:\n* Web App:  https://connect.8x8.com/\n* 8x8 Communication APIs: sms.8x8.com, sms.8x8.uk, sms.8x8.id, sms.us.8x8.com, chatapps.8x8.com, …\n\n----\n\u0026nbsp;  \n\n## \u0026nbsp;  If You See Something, Say Something\nWe welcome and encourage any submissions that help identify potential security vulnerabilities or exposures affecting our organization. 
Vulnerabilities disclosed under Responsible Disclosure assets will not be eligible for bounties.\n\n### \u0026nbsp; 8x8 IP Ranges \u0026 Domains\nhttps://support-portal.8x8.com/viewArticle.html?d=76af47f6-a987-4c2a-a0a2-53d87a79023d\u0026q=x-series-technical-requirements\u0026hl=en\n \n### \u0026nbsp; 8x8 subsidiaries and acquisitions\n* Callroute (2026)\n* Maven Lab (2026)\n* In2Tel (2025)\n* Fuze (2022)\n* Wavecell (2019)\n* Jitsi (2018)\n* Quality Software Corp. (QSC) (2015)\n* MarianaIQ (2015)\n* DXI (2015)\n* Voicenet (2013)\n* Contactual (2011)\n\n----\n\u0026nbsp;  \n\n## Response Targets\n8x8 will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business days\n* Time to triage (from report submit) - 2 business days\n\n## Disclosure Policy \n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue. \n* Please do not discuss vulnerabilities outside of the program without proper coordination and express consent from 8x8.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder. 
Please notify us immediately if you encounter exposure of information.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n## Scope Exclusions\n\n### Testing Conduct\nPlease do not:\n* Conduct automated or high-volume testing without prior coordination\n* Perform any activity that could disrupt our service (DoS/DDoS)\n* Send spam or unsolicited communications\n* Engage in social engineering or phishing of 8x8 staff or contractors\n* Make physical attempts against 8x8 property or data centers\n\n### Mobile-Specific Exclusions\n* Findings requiring a malicious or attacker-controlled application installed on the victim's device\n* Same-device cross-application attacks via Android intents, activities, services, broadcast receivers, content providers, IPC mechanisms, overlays, or accessibility features\n* Task hijacking (StrandHogg) vulnerabilities\n* Insecure data storage on rooted or jailbroken devices\n* Issues requiring local code execution in the context of another application\n\n### Common Low-Impact Issues\n* Missing security headers (HSTS, CSP, SPF, DMARC, X-Frame-Options, etc.)\n* Missing cookie flags (Secure, HttpOnly, SameSite) without demonstrated exploit\n* SSL/TLS configuration issues (weak ciphers, key size, deprecated protocols, BEAST, CRIME)\n* Software version disclosure, banner identification, or descriptive error messages\n* Clickjacking on non-sensitive pages\n* Self-XSS without further security impact\n* CSRF on unauthenticated forms or forms with no sensitive action\n* CSV injection without demonstrated impact\n* Tab-nabbing\n\n### Authentication \u0026 Access Control\n* Credential stuffing attacks (users are responsible for password uniqueness and enabling MFA)\n* Rate limiting or brute force issues without demonstrated account compromise\n* Issues requiring MITM or physical access to a user's device\n\n### Dependencies \u0026 Browsers\n* Vulnerable libraries or dependencies without a demonstrated 
Proof of Concept showing exploitability in our application context\n* Issues only affecting outdated browsers (more than 2 stable versions behind current release)\n\n### Disclosure Timing\n* Public zero-day vulnerabilities patched less than 1 month ago (evaluated case-by-case)\n\n### Scanner Findings\n* Low-severity issues reported by automated scanners without demonstrated security impact or exploitation path\n\n### Target Specific Scope Exclusion - connect.8x8.com\n1. IDORs having unguessable/non-enumerable identifier are out of scope\n    - IDORs in form of an UUID\n    - IDORs based on `AccountId` and `subAccountId`\n2. When testing support functionality please add \"HackerOne\" in your subject line and limit the number of requests to an absolute minimum.\n\n## Testing Identification\n* Please utilize your [username]@wearehackerone.com alias when submitting information within the applications.\n* To help us identify and classify researcher traffic, 8x8 requests you to include your HackerOne username value to each and every HTTP request made by yourself or any tooling you use. Please use the following format appended to `User-Agent`:\n`X-HackerOne: [H1 username]`\n\n## Safe Harbor \nThe [Gold Standard Safe Harbor](https://hackerone.com/8x8-bounty/safe_harbor) applies.\n\n## What other researchers are saying …\n* \u003e *Lightning fast as always, wish all programs were like this!*\n* \u003e *8x8 is the best bug bounty program on HackerOne by far.*\n* \u003e *Best Program Team!*\n* \u003e *Thank you for being one of the fastest response triager as well as super transparent, someone that works with hackers just like a collaboration.*\n* \u003e *That was the fastest triage ever I think.*\n* \u003e *This is the fastest program to date. Not only is the response time is insane, but also the way your security team works with researchers is awesome. 
Totally love the fact that you guys are putting security as your top priority.*\n* \u003e *The fastest response I've seen in HackerOne history, also on the weekend*\n* \u003e *That must have been the fastest fix I've ever seen! \u003c24h from report to remediation, love to see it.*\n\n\n**Thank you for helping keep 8x8 and our users safe!**\n","has_open_scope":false,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"IDORs with Unpredictable IDs\",\"details\":\"IDORs having unguessable/non-enumerable identifier are out of scope.\"}","{\"category\":\"0-day vulnerabilities\",\"details\":\"Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\"}","{\"category\":\"Credential Stuffing\",\"details\":\"🚨 Testing of customer credentials is strictly prohibited.\\n\\nWe strongly advise our users not to reuse passwords from other platforms or services, and use multi-factor authentication when possible. Submissions related to Credential Stuffing are out of scope and will not be rewarded.\"}","{\"category\":\"Client-Side API Keys\",\"details\":\"Certain API keys (such as Google Maps, Analytics Services, …) are intentionally accessible to the end client. The only submissions which will be accepted have to show both how a key can be abused and how handling of the client key can be improved.\"}"],"timestamp":"2026-05-16T04:23:39.746Z"},{"id":3772670,"new_policy":"At 8x8, we help companies get their employees, customers and applications talking to make people more connected and productive no matter where they are in the world. 
At 8x8 we value security and recognize the importance of ensuring the integrity and confidentiality of global communications.\n\n## \u0026nbsp;  8x8 Product Scope\n\n| **8x8 Work** | All your essential business communications brought together in one simple app. | \n| ------------ | -------------------|\n⚠️ Testing accounts or credentials are not being provided at this time.\n⚠️ Product Assets:\n* Web App: https://work.8x8.com/\n* 8x8 Work for Desktop: https://support-portal.8x8.com/helpcenter/viewArticle.html?d=8bff4970-6fbf-4daf-842d-8ae9b533153d\n* iOS App: https://apps.apple.com/us/app/8x8-work/id348177448\n* Android App: https://play.google.com/store/apps/details?id=org.vom8x8.sipua\n\n\n| **8x8 Virtual Contact Center** | A complete, secure cloud contact center solution that makes it easy to collaborate with agents and improve customer experiences. | \n| ------------ | -------------------|\n⚠️ Testing accounts or credentials are not being provided at this time. \n⚠️ We will accept one unique report for the application across all related domains as assumed single fix unless proven otherwise.\n⚠️ Latest version of software usually available on https://vcc-na30.8x8.com/\n⚠️ Product Assets:\n* Configuration Manager: vcc-*.8x8.com/CM/\n* 8x8 Agent Workspace: vcc-*.8x8.com/AGUI/\n* 8x8 Quality Management: vcc-*.8x8.com/QM/\n* 8x8 Supervisor Workspace: https://superx.8x8.com/\n* 8x8 Analytics for Contact Center: analytics-*.8x8.com\n\n⚠️  Additional Testing Information regarding \"Contact Center Agent Workspace\":\n* For the application to work properly behind a Proxy (e.g. BURP), an exception has to be added for `jabbind3.php`\n  * Proxy settings\n  * Search \"streaming\"\n  * Add `https://vcc-na1.8x8.com/agui/jabbind3.php` (e.g.) as \"Streaming responses\"\n  * {F3427433}\n\n| **Jitsi** | Jitsi is a world class open source video meeting solution. We strive to make a flexible and secure video meetings platform with the option of **end-to-end encryption (beta)**. 
| \n| ------------ | -------------------|\n⚠️ Have a feature request or bug not related to security? Let us know or contribute yourself: https://github.com/jitsi/\n⚠️ Product Assets:\n* Infrastructure: *.jitsi.net\n* Infrastructure: *.jit.si\n* Source Code: https://github.com/jitsi\n\nOpen source repositories that support [Jitsi](https://github.com/jitsi/).\nJitsi Meet offers free, secure and open-source video conferencing.\n⚠️ Good faith review of source that a reporter must have no association with the existence of the vulnerability in question.\n\n**Proof of Concept Requirements:**\n⚠️ Vulnerability submissions must include practical exploitation demonstrations on one of the following environments\n▶︎ The public Jitsi Meet instance ([meet.jit.si](https://meet.jit.si/))\n▶︎ 8x8 Video Meetings platform ([8x8.vc](https://8x8.vc/))\n▶︎ A self-hosted Jitsi deployment\n\n⚠️ For E2EE submissions please consult the [Jitsi End-to-End Encryption Whitepaper](https://jitsi.org/e2ee-whitepaper/) to better understand the implemented Threat Model.\n\n**Code Review Reports:**\n⚠️ Code-only vulnerabilities without proof of exploitation in production environments will typically be assessed at a lower severity level\n⚠️ Vulnerabilities requiring local access to exploit will be assessed at a lower severity level (unless exceptional circumstances exist)\n⚠️ Vulnerabilities exploitable only with development configurations (e.g., `BYPASS_AUTHORIZATION=1`) will be assessed at a lower severity level\n\n**Out of Scope:**\n▶︎ Not actively maintained or archived repositories\n▶︎ Experimental repositories\n▶︎ Reports for repositories that are forked should be submitted upstream, unless the report also affects one of our in-scope repos\n▶︎ [github.com/jitsi/jitsi-call-analytics](https://github.com/jitsi/jitsi-call-analytics)\n▶︎ [github.com/jitsi/jitsi](https://github.com/jitsi/jitsi/)\n[Jitsi Desktop](https://github.com/jitsi/jitsi/) is the heritage of [Jitsi 
Meet](https://github.com/jitsi/jitsi-meet). While some components are still used in e.g.  Jigasi, the project is not actively developed anymore. Improvements, bugfixes and builds are entirely based on community contributions\n▶︎ [.github](https://github.com/jitsi/.github)\n▶︎ [cla-enforcer](https://github.com/jitsi/cla-enforcer)\n▶︎ [eslint-config-jitsi](https://github.com/jitsi/eslint-config-jitsi)\n▶︎ [excalidraw](https://github.com/jitsi/excalidraw)\n▶︎ [excalidraw-backend](https://github.com/jitsi/excalidraw-backend)\n▶︎ [felix](https://github.com/jitsi/felix)\n▶︎ [fmj](https://github.com/jitsi/fmj)\n▶︎ [go-offline-maven-plugin](https://github.com/jitsi/go-offline-maven-plugin)\n▶︎ [growl4j](https://github.com/jitsi/growl4j)\n▶︎ [gsoc-ideas](https://github.com/jitsi/gsoc-ideas)\n▶︎ [irc-api](https://github.com/jitsi/irc-api)\n▶︎ [jebml](https://github.com/jitsi/jebml)\n▶︎ [jitsi-desktop-site](https://github.com/jitsi/jitsi-desktop-site)\n▶︎ [jitsi-maven-repository](https://github.com/jitsi/jitsi-maven-repository)\n▶︎ [jitsi-meet-file-sharing-service](https://github.com/jitsi/jitsi-meet-file-sharing-service)\n▶︎ [jitsi-meet-load-test](https://github.com/jitsi/jitsi-meet-load-test)\n▶︎ [jitsi-meet-logger](https://github.com/jitsi/jitsi-meet-logger)\n▶︎ [jitsi-meet-react-sdk](https://github.com/jitsi/jitsi-meet-react-sdk)\n▶︎ [jitsi-meet-release-notes](https://github.com/jitsi/jitsi-meet-release-notes)\n▶︎ [jitsi-meet-torture](https://github.com/jitsi/jitsi-meet-torture)\n▶︎ [jitsi-pseudotcp](https://github.com/jitsi/jitsi-pseudotcp)\n▶︎ [jitsi-test-lab](https://github.com/jitsi/jitsi-test-lab)\n▶︎ [jitsi-videobridge-openfire-plugin](https://github.com/jitsi/jitsi-videobridge-openfire-plugin)\n▶︎ [jiwer](https://github.com/jitsi/jiwer)\n▶︎ [jsocks](https://github.com/jitsi/jsocks)\n▶︎ [jvb-dashboard](https://github.com/jitsi/jvb-dashboard)\n▶︎ [jxs](https://github.com/jitsi/jxs)\n▶︎ [otr4j](https://github.com/jitsi/otr4j)\n▶︎ 
[portaudio](https://github.com/jitsi/portaudio)\n▶︎ [security-advisories](https://github.com/jitsi/security-advisories)\n▶︎ [Smack](https://github.com/jitsi/Smack)\n▶︎ [testrtc](https://github.com/jitsi/testrtc)\n▶︎ [winrt-libs](https://github.com/jitsi/winrt-libs)\n▶︎ [zrtp4j](https://github.com/jitsi/zrtp4j)\n\n| **8x8 Video Conferencing** | The best video conferencing solution for businesses of any size. Fully secure, reliable, packed with features and ridiculously simple to use. |\n| ------------ | -------------------|\n⚠️ Testing accounts or credentials are not being provided at this time.\n⚠️ Product Assets:\n* Web App: https://8x8.vc/\n\n\n| **Jitsi as a Service** | World's easiest way to add video meetings to your apps. \n| ------------ | -------------------|\n⚠️ Self Sign-up is available: https://jaas.8x8.vc/\n⚠️ [JaaS developer portal](https://developer.8x8.com/jaas/docs/jaas-onboarding) \n\n|** 8x8 Connect** | A multi-channel communication platform designed for businesses who want to work smart, not hard. | \n| ------------ | -------------------|\n⚠️ Self Sign-up is available: https://connect.8x8.com/\n⚠️ [8x8 CPaaS developer portal](https://developer.8x8.com/connect) \n⚠️ Product Assets:\n* Web App:  https://connect.8x8.com/\n* 8x8 Communication APIs: sms.8x8.com, sms.8x8.uk, sms.8x8.id, sms.us.8x8.com, chatapps.8x8.com, …\n\n----\n\u0026nbsp;  \n\n## \u0026nbsp;  If You See Something, Say Something\nWe welcome and encourage any submissions that help identify potential security vulnerabilities or exposures affecting our organization. 
Vulnerabilities disclosed under Responsible Disclosure assets will not be eligible for bounties.\n\n### \u0026nbsp; 8x8 IP Ranges \u0026 Domains\nhttps://support-portal.8x8.com/viewArticle.html?d=76af47f6-a987-4c2a-a0a2-53d87a79023d\u0026q=x-series-technical-requirements\u0026hl=en\n \n### \u0026nbsp; 8x8 subsidiaries and acquisitions\n* Callroute (2026)\n* Maven Lab (2026)\n* In2Tel (2025)\n* Fuze (2022)\n* Wavecell (2019)\n* Jitsi (2018)\n* Quality Software Corp. (QSC) (2015)\n* MarianaIQ (2015)\n* DXI (2015)\n* Voicenet (2013)\n* Contactual (2011)\n\n----\n\u0026nbsp;  \n\n## Response Targets\n8x8 will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business days\n* Time to triage (from report submit) - 2 business days\n\n## Disclosure Policy \n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue. \n* Please do not discuss vulnerabilities outside of the program without proper coordination and express consent from 8x8.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder. Please notify us immediately if you encounter exposure of information.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n## Scope Exclusions \nWhile researching, we'd like to ask you to refrain from: \n* **Any form of automation**\n* Any activity that could lead to the disruption of our service (DoS)\n* Spamming \n* Social engineering (including phishing) of 8x8 staff or contractors\n* Any physical attempts against 8x8 property or data centers\n* Missing security headers (eg. 
HSTS, CSP, SPF, DMARC)\n* Missing flags on cookies\n* SSL issues (expired certs/weak ciphers/key-size/BEAST/CRIME)\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no security impact\n* Clickjacking\n* Rate limiting or brute force issues\n* General low severity issues reported by automated scanners\n* Attacks requiring MITM or physical access to a user's device\n* Vulnerable libraries or dependencies absent a working **Proof of Concept**\n* Comma Separated Values (CSV) injection\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Tab-nabbing \n* Self XSS without further security impact\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Credential Stuffing:  It is the responsibility of our users to ensure the uniqueness and security of their credentials. We strongly advise our users not to reuse passwords from other platforms or services and to utilize multi-factor authentication whenever possible. Any submissions related to Credential Stuffing will be deemed out of scope and will not be rewarded.\n\n### Target Specific Scope Exclusion - connect.8x8.com\n1. IDORs having unguessable/non-enumerable identifier are out of scope\n    - IDORs in form of an UUID\n    - IDORs based on `AccountId` and `subAccountId`\n2. 
When testing support functionality please add \"HackerOne\" in your subject line and limit the number of requests to an absolute minimum.\n\n## Testing Identification\n* Please utilize your [username]@wearehackerone.com alias when submitting information within the applications.\n* To help us identify and classify researcher traffic, 8x8 asks you to include your HackerOne username in each and every HTTP request made by yourself or any tooling you use. Please use the following format appended to `User-Agent`:\n`X-HackerOne: [H1 username]`\n\n## Safe Harbor \nThe [Gold Standard Safe Harbor](https://hackerone.com/8x8-bounty/safe_harbor) applies.\n\n## What other researchers are saying …\n* \u003e *Lightning fast as always, wish all programs were like this!*\n* \u003e *8x8 is the best bug bounty program on HackerOne by far.*\n* \u003e *Best Program Team!*\n* \u003e *Thank you for being one of the fastest response triager as well as super transparent, someone that works with hackers just like a collaboration.*\n* \u003e *That was the fastest triage ever I think.*\n* \u003e *This is the fastest program to date. Not only is the response time insane, but also the way your security team works with researchers is awesome. Totally love the fact that you guys are putting security as your top priority.*\n* \u003e *The fastest response I've seen in HackerOne history, also on the weekend*\n* \u003e *That must have been the fastest fix I've ever seen! 
\u003c24h from report to remediation, love to see it.*\n\n\n**Thank you for helping keep 8x8 and our users safe!**\n","has_open_scope":false,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"IDORs with Unpredictable IDs\",\"details\":\"IDORs having unguessable/non-enumerable identifier are out of scope.\"}","{\"category\":\"0-day vulnerabilities\",\"details\":\"Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\"}","{\"category\":\"Credential Stuffing\",\"details\":\"🚨 Testing of customer credentials is strictly prohibited.\\n\\nWe strongly advise our users not to reuse passwords from other platforms or services, and use multi-factor authentication when possible. Submissions related to Credential Stuffing are out of scope and will not be rewarded.\"}","{\"category\":\"Client-Side API Keys\",\"details\":\"Certain API keys (such as Google Maps, Analytics Services, …) are intentionally accessible to the end client. The only submissions which will be accepted have to show both how a key can be abused and how handling of the client key can be improved.\"}"],"timestamp":"2026-04-16T01:30:10.894Z"},{"id":3772669,"new_policy":"At 8x8, we help companies get their employees, customers and applications talking to make people more connected and productive no matter where they are in the world. At 8x8 we value security and recognize the importance of ensuring the integrity and confidentiality of global communications.\n\n## \u0026nbsp;  8x8 Product Scope\n\n| **8x8 Work** | All your essential business communications brought together in one simple app. 
| \n| ------------ | -------------------|\n⚠️ Testing accounts or credentials are not being provided at this time.\n⚠️ Product Assets:\n* Web App: https://work.8x8.com/\n* 8x8 Work for Desktop: https://support-portal.8x8.com/helpcenter/viewArticle.html?d=8bff4970-6fbf-4daf-842d-8ae9b533153d\n* iOS App: https://apps.apple.com/us/app/8x8-work/id348177448\n* Android App: https://play.google.com/store/apps/details?id=org.vom8x8.sipua\n\n\n| **8x8 Virtual Contact Center** | A complete, secure cloud contact center solution that makes it easy to collaborate with agents and improve customer experiences. | \n| ------------ | -------------------|\n⚠️ Testing accounts or credentials are not being provided at this time. \n⚠️ We will accept one unique report for the application across all related domains as assumed single fix unless proven otherwise.\n⚠️ Latest version of software usually available on https://vcc-na30.8x8.com/\n⚠️ Product Assets:\n* Configuration Manager: vcc-*.8x8.com/CM/\n* 8x8 Agent Workspace: vcc-*.8x8.com/AGUI/\n* 8x8 Quality Management: vcc-*.8x8.com/QM/\n* 8x8 Supervisor Workspace: https://superx.8x8.com/\n* 8x8 Analytics for Contact Center: analytics-*.8x8.com\n\n⚠️  Additional Testing Information regarding \"Contact Center Agent Workspace\":\n* For the application to work properly behind a Proxy (e.g. BURP), an exception has to be added for `jabbind3.php`\n  * Proxy settings\n  * Search \"streaming\"\n  * Add `https://vcc-na1.8x8.com/agui/jabbind3.php` (e.g.) as \"Streaming responses\"\n  * {F3427433}\n\n| **Jitsi** | Jitsi is a world class open source video meeting solution. We strive to make a flexible and secure video meetings platform with the option of **end-to-end encryption (beta)**. | \n| ------------ | -------------------|\n⚠️ Have a feature request or bug not related to security? 
Let us know or contribute yourself: https://github.com/jitsi/\n⚠️ Product Assets:\n* Infrastructure: *.jitsi.net\n* Infrastructure: *.jit.si\n* Source Code: https://github.com/jitsi\n\nOpen source repositories that support [Jitsi](https://github.com/jitsi/).\nJitsi Meet offers free, secure and open-source video conferencing.\n⚠️ Good faith review of source that a reporter must have no association with the existence of the vulnerability in question.\n\n**Proof of Concept Requirements:**\n⚠️ Vulnerability submissions must include practical exploitation demonstrations on one of the following environments\n▶︎ The public Jitsi Meet instance ([meet.jit.si](https://meet.jit.si/))\n▶︎ 8x8 Video Meetings platform ([8x8.vc](https://8x8.vc/))\n▶︎ A self-hosted Jitsi deployment\n\n⚠️ For E2EE submissions please consult the [Jitsi End-to-End Encryption Whitepaper](https://jitsi.org/e2ee-whitepaper/) to better understand the implemented Threat Model.\n\n**Code Review Reports:**\n⚠️ Code-only vulnerabilities without proof of exploitation in production environments will typically be assessed at a lower severity level\n⚠️ Vulnerabilities requiring local access to exploit will be assessed at a lower severity level (unless exceptional circumstances exist)\n⚠️ Vulnerabilities exploitable only with development configurations (e.g., `BYPASS_AUTHORIZATION=1`) will be assessed at a lower severity level\n\n**Out of Scope:**\n▶︎ Not actively maintained or archived repositories\n▶︎ Experimental repositories\n▶︎ Reports for repositories that are forked should be submitted upstream, unless the report also affects one of our in-scope repos\n▶︎ [github.com/jitsi/jitsi-call-analytics](https://github.com/jitsi/jitsi-call-analytics)\n▶︎ [github.com/jitsi/jitsi](https://github.com/jitsi/jitsi/)\n[Jitsi Desktop](https://github.com/jitsi/jitsi/) is the heritage of [Jitsi Meet](https://github.com/jitsi/jitsi-meet). While some components are still used in e.g.  
Jigasi, the project is not actively developed anymore. Improvements, bugfixes and builds are entirely based on community contributions\n▶︎ [.github](https://github.com/jitsi/.github)\n▶︎ [cla-enforcer](https://github.com/jitsi/cla-enforcer)\n▶︎ [eslint-config-jitsi](https://github.com/jitsi/eslint-config-jitsi)\n▶︎ [excalidraw](https://github.com/jitsi/excalidraw)\n▶︎ [excalidraw-backend](https://github.com/jitsi/excalidraw-backend)\n▶︎ [felix](https://github.com/jitsi/felix)\n▶︎ [fmj](https://github.com/jitsi/fmj)\n▶︎ [go-offline-maven-plugin](https://github.com/jitsi/go-offline-maven-plugin)\n▶︎ [growl4j](https://github.com/jitsi/growl4j)\n▶︎ [gsoc-ideas](https://github.com/jitsi/gsoc-ideas)\n▶︎ [irc-api](https://github.com/jitsi/irc-api)\n▶︎ [jebml](https://github.com/jitsi/jebml)\n▶︎ [jitsi-desktop-site](https://github.com/jitsi/jitsi-desktop-site)\n▶︎ [jitsi-maven-repository](https://github.com/jitsi/jitsi-maven-repository)\n▶︎ [jitsi-meet-file-sharing-service](https://github.com/jitsi/jitsi-meet-file-sharing-service)\n▶︎ [jitsi-meet-load-test](https://github.com/jitsi/jitsi-meet-load-test)\n▶︎ [jitsi-meet-logger](https://github.com/jitsi/jitsi-meet-logger)\n▶︎ [jitsi-meet-react-sdk](https://github.com/jitsi/jitsi-meet-react-sdk)\n▶︎ [jitsi-meet-release-notes](https://github.com/jitsi/jitsi-meet-release-notes)\n▶︎ [jitsi-meet-torture](https://github.com/jitsi/jitsi-meet-torture)\n▶︎ [jitsi-pseudotcp](https://github.com/jitsi/jitsi-pseudotcp)\n▶︎ [jitsi-test-lab](https://github.com/jitsi/jitsi-test-lab)\n▶︎ [jitsi-videobridge-openfire-plugin](https://github.com/jitsi/jitsi-videobridge-openfire-plugin)\n▶︎ [jiwer](https://github.com/jitsi/jiwer)\n▶︎ [jsocks](https://github.com/jitsi/jsocks)\n▶︎ [jvb-dashboard](https://github.com/jitsi/jvb-dashboard)\n▶︎ [jxs](https://github.com/jitsi/jxs)\n▶︎ [otr4j](https://github.com/jitsi/otr4j)\n▶︎ [portaudio](https://github.com/jitsi/portaudio)\n▶︎ [security-advisories](https://github.com/jitsi/security-advisories)\n▶︎ 
[Smack](https://github.com/jitsi/Smack)\n▶︎ [testrtc](https://github.com/jitsi/testrtc)\n▶︎ [winrt-libs](https://github.com/jitsi/winrt-libs)\n▶︎ [zrtp4j](https://github.com/jitsi/zrtp4j)\n\n| **8x8 Video Conferencing** | The best video conferencing solution for businesses of any size. Fully secure, reliable, packed with features and ridiculously simple to use. |\n| ------------ | -------------------|\n⚠️ Testing accounts or credentials are not being provided at this time.\n⚠️ Product Assets:\n* Web App: https://8x8.vc/\n\n\n| **Jitsi as a Service** | World's easiest way to add video meetings to your apps. |\n| ------------ | -------------------|\n⚠️ Self Sign-up is available: https://jaas.8x8.vc/\n⚠️ [JaaS developer portal](https://developer.8x8.com/jaas/docs/jaas-onboarding) \n\n| **8x8 Connect** | A multi-channel communication platform designed for businesses who want to work smart, not hard. | \n| ------------ | -------------------|\n⚠️ Self Sign-up is available: https://connect.8x8.com/\n⚠️ [8x8 CPaaS developer portal](https://developer.8x8.com/connect) \n⚠️ Product Assets:\n* Web App:  https://connect.8x8.com/\n* 8x8 Communication APIs: sms.8x8.com, sms.8x8.uk, sms.8x8.id, sms.us.8x8.com, chatapps.8x8.com, …\n\n----\n\u0026nbsp;  \n\n## \u0026nbsp;  If You See Something, Say Something\nWe welcome and encourage any submissions that help identify potential security vulnerabilities or exposures affecting our organization. 
Vulnerabilities disclosed under Responsible Disclosure assets will not be eligible for bounties.\n\n### \u0026nbsp; 8x8 IP Ranges \u0026 Domains\nhttps://support-portal.8x8.com/viewArticle.html?d=76af47f6-a987-4c2a-a0a2-53d87a79023d\u0026q=x-series-technical-requirements\u0026hl=en\n \n### \u0026nbsp; 8x8 subsidiaries and acquisitions\n* Contactual\n* Fuze\n* In2Tel\n* Jitsi\n* SameRoom\n* Wavecell\n\n\n----\n\u0026nbsp;  \n\n## Response Targets\n8x8 will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 2 business days\n\n## Disclosure Policy \n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue. \n* Please do not discuss vulnerabilities outside of the program without proper coordination and express consent from 8x8.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder. Please notify us immediately if you encounter exposure of information.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n## Scope Exclusions \nWhile researching, we'd like to ask you to refrain from: \n* **Any form of automation**\n* Any activity that could lead to the disruption of our service (DoS)\n* Spamming \n* Social engineering (including phishing) of 8x8 staff or contractors\n* Any physical attempts against 8x8 property or data centers\n* Missing security headers (e.g. 
HSTS, CSP, SPF, DMARC)\n* Missing flags on cookies\n* SSL issues (expired certs/weak ciphers/key-size/BEAST/CRIME)\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no security impact\n* Clickjacking\n* Rate limiting or brute force issues\n* General low severity issues reported by automated scanners\n* Attacks requiring MITM or physical access to a user's device\n* Vulnerable libraries or dependencies absent a working **Proof of Concept**\n* Comma Separated Values (CSV) injection\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Tab-nabbing \n* Self XSS without further security impact\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Credential Stuffing:  It is the responsibility of our users to ensure the uniqueness and security of their credentials. We strongly advise our users not to reuse passwords from other platforms or services and to utilize multi-factor authentication whenever possible. Any submissions related to Credential Stuffing will be deemed out of scope and will not be rewarded.\n\n### Target Specific Scope Exclusion - connect.8x8.com\n1. IDORs having unguessable/non-enumerable identifier are out of scope\n    - IDORs in form of an UUID\n    - IDORs based on `AccountId` and `subAccountId`\n2. 
When testing support functionality please add \"HackerOne\" in your subject line and limit the number of requests to an absolute minimum.\n\n## Testing Identification\n* Please utilize your [username]@wearehackerone.com alias when submitting information within the applications.\n* To help us identify and classify researcher traffic, 8x8 requests you to include your HackerOne username value to each and every HTTP request made by yourself or any tooling you use. Please use the following format appended to `User-Agent`:\n`X-HackerOne: [H1 username]`\n\n## Safe Harbor \nThe [Gold Standard Safe Harbor](https://hackerone.com/8x8-bounty/safe_harbor) applies.\n\n## What other researchers are saying …\n* \u003e *Lightning fast as always, wish all programs were like this!*\n* \u003e *8x8 is the best bug bounty program on HackerOne by far.*\n* \u003e *Best Program Team!*\n* \u003e *Thank you for being one of the fastest response triager as well as super transparent, someone that works with hackers just like a collaboration.*\n* \u003e *That was the fastest triage ever I think.*\n* \u003e *This is the fastest program to date. Not only is the response time is insane, but also the way your security team works with researchers is awesome. Totally love the fact that you guys are putting security as your top priority.*\n* \u003e *The fastest response I've seen in hackerone history, also on the weekend*\n* \u003e *That must be been the fastest fix I've ever seen! 
\u003c24h from report to remediation, love to see it.*\n\n\n**Thank you for helping keep 8x8 and our users safe!**\n","has_open_scope":false,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"IDORs with Unpredictable IDs\",\"details\":\"IDORs having unguessable/non-enumerable identifier are out of scope.\"}","{\"category\":\"0-day vulnerabilities\",\"details\":\"Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\"}","{\"category\":\"Credential Stuffing\",\"details\":\"🚨 Testing of customer credentials is strictly prohibited.\\n\\nWe strongly advise our users not to reuse passwords from other platforms or services, and use multi-factor authentication when possible. Submissions related to Credential Stuffing are out of scope and will not be rewarded.\"}","{\"category\":\"Client-Side API Keys\",\"details\":\"Certain API keys (such as Google Maps, Analytics Services, …) are intentionally accessible to the end client. The only submissions which will be accepted have to show both how a key can be abused and how handling of the client key can be improved.\"}"],"timestamp":"2026-04-16T01:17:53.426Z"},{"id":3761029,"new_policy":"At 8x8, we help companies get their employees, customers and applications talking to make people more connected and productive no matter where they are in the world. At 8x8 we value security and recognize the importance of ensuring the integrity and confidentiality of global communications.\n\n## \u0026nbsp;  8x8 Product Scope\n\n| **8x8 Work** | All your essential business communications brought together in one simple app. 
| \n| ------------ | -------------------|\n⚠️ Testing accounts or credentials are not being provided at this time.\n⚠️ Product Assets:\n* Web App: https://work.8x8.com/\n* 8x8 Work for Desktop: https://support-portal.8x8.com/helpcenter/viewArticle.html?d=8bff4970-6fbf-4daf-842d-8ae9b533153d\n* iOS App: https://apps.apple.com/us/app/8x8-work/id348177448\n* Android App: https://play.google.com/store/apps/details?id=org.vom8x8.sipua\n\n\n| **8x8 Virtual Contact Center** | A complete, secure cloud contact center solution that makes it easy to collaborate with agents and improve customer experiences. | \n| ------------ | -------------------|\n⚠️ Testing accounts or credentials are not being provided at this time. \n⚠️ We will accept one unique report for the application across all related domains as assumed single fix unless proven otherwise.\n⚠️ Latest version of software usually available on https://vcc-na30.8x8.com/\n⚠️ Product Assets:\n* Configuration Manager: vcc-*.8x8.com/CM/\n* 8x8 Agent Workspace: vcc-*.8x8.com/AGUI/\n* 8x8 Quality Management: vcc-*.8x8.com/QM/\n* 8x8 Supervisor Workspace: https://superx.8x8.com/\n* 8x8 Analytics for Contact Center: analytics-*.8x8.com\n\n⚠️  Additional Testing Information regarding \"Contact Center Agent Workspace\":\n* For the application to work properly behind a Proxy (e.g. BURP), an exception has to be added for `jabbind3.php`\n  * Proxy settings\n  * Search \"streaming\"\n  * Add `https://vcc-na1.8x8.com/agui/jabbind3.php` (e.g.) as \"Streaming responses\"\n  * {F3427433}\n\n| **Jitsi** | Jitsi is a world class open source video meeting solution. We strive to make a flexible and secure video meetings platform with the option of **end-to-end encryption (beta)**. | \n| ------------ | -------------------|\n⚠️ Have a feature request or bug not related to security? 
Let us know or contribute yourself: https://github.com/jitsi/\n⚠️ Product Assets:\n* Infrastructure: *.jitsi.net\n* Infrastructure: *.jit.si\n* Source Code: https://github.com/jitsi\n\n| **8x8 Video Conferencing** | The best video conferencing solution for businesses of any size. Fully secure, reliable, packed with features and ridiculously simple to use. |\n| ------------ | -------------------|\n⚠️ Testing accounts or credentials are not being provided at this time.\n⚠️ Product Assets:\n* Web App: https://8x8.vc/\n\n\n| **Jitsi as a Service** | World's easiest way to add video meetings to your apps. |\n| ------------ | -------------------|\n⚠️ Self Sign-up is available: https://jaas.8x8.vc/\n⚠️ [JaaS developer portal](https://developer.8x8.com/jaas/docs/jaas-onboarding) \n\n| **8x8 Connect** | A multi-channel communication platform designed for businesses who want to work smart, not hard. | \n| ------------ | -------------------|\n⚠️ Self Sign-up is available: https://connect.8x8.com/\n⚠️ [8x8 CPaaS developer portal](https://developer.8x8.com/connect) \n⚠️ Product Assets:\n* Web App:  https://connect.8x8.com/\n* 8x8 Communication APIs: sms.8x8.com, sms.8x8.uk, sms.8x8.id, sms.us.8x8.com, chatapps.8x8.com, …\n\n----\n\u0026nbsp;  \n\n## \u0026nbsp;  If You See Something, Say Something\nWe welcome and encourage any submissions that help identify potential security vulnerabilities or exposures affecting our organization. 
Vulnerabilities disclosed under Responsible Disclosure assets will not be eligible for bounties.\n\n### \u0026nbsp; 8x8 IP Ranges \u0026 Domains\nhttps://support-portal.8x8.com/viewArticle.html?d=76af47f6-a987-4c2a-a0a2-53d87a79023d\u0026q=x-series-technical-requirements\u0026hl=en\n \n### \u0026nbsp; 8x8 subsidiaries and acquisitions\n* Contactual\n* Fuze\n* In2Tel\n* Jitsi\n* SameRoom\n* Wavecell\n\n\n----\n\u0026nbsp;  \n\n## Response Targets\n8x8 will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 2 business days\n\n## Disclosure Policy \n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue. \n* Please do not discuss vulnerabilities outside of the program without proper coordination and express consent from 8x8.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder. Please notify us immediately if you encounter exposure of information.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n## Scope Exclusions \nWhile researching, we'd like to ask you to refrain from: \n* **Any form of automation**\n* Any activity that could lead to the disruption of our service (DoS)\n* Spamming \n* Social engineering (including phishing) of 8x8 staff or contractors\n* Any physical attempts against 8x8 property or data centers\n* Missing security headers (e.g. 
HSTS, CSP, SPF, DMARC)\n* Missing flags on cookies\n* SSL issues (expired certs/weak ciphers/key-size/BEAST/CRIME)\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no security impact\n* Clickjacking\n* Rate limiting or brute force issues\n* General low severity issues reported by automated scanners\n* Attacks requiring MITM or physical access to a user's device\n* Vulnerable libraries or dependencies absent a working **Proof of Concept**\n* Comma Separated Values (CSV) injection\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Tab-nabbing \n* Self XSS without further security impact\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Credential Stuffing:  It is the responsibility of our users to ensure the uniqueness and security of their credentials. We strongly advise our users not to reuse passwords from other platforms or services and to utilize multi-factor authentication whenever possible. Any submissions related to Credential Stuffing will be deemed out of scope and will not be rewarded.\n\n### Target Specific Scope Exclusion - connect.8x8.com\n1. IDORs having unguessable/non-enumerable identifier are out of scope\n    - IDORs in form of an UUID\n    - IDORs based on `AccountId` and `subAccountId`\n2. 
When testing support functionality please add \"HackerOne\" in your subject line and limit the number of requests to an absolute minimum.\n\n## Testing Identification\n* Please utilize your [username]@wearehackerone.com alias when submitting information within the applications.\n* To help us identify and classify researcher traffic, 8x8 requests you to include your HackerOne username value to each and every HTTP request made by yourself or any tooling you use. Please use the following format appended to `User-Agent`:\n`X-HackerOne: [H1 username]`\n\n## Safe Harbor \nThe [Gold Standard Safe Harbor](https://hackerone.com/8x8-bounty/safe_harbor) applies.\n\n## What other researchers are saying …\n* \u003e *Lightning fast as always, wish all programs were like this!*\n* \u003e *8x8 is the best bug bounty program on HackerOne by far.*\n* \u003e *Best Program Team!*\n* \u003e *Thank you for being one of the fastest response triager as well as super transparent, someone that works with hackers just like a collaboration.*\n* \u003e *That was the fastest triage ever I think.*\n* \u003e *This is the fastest program to date. Not only is the response time is insane, but also the way your security team works with researchers is awesome. Totally love the fact that you guys are putting security as your top priority.*\n* \u003e *The fastest response I've seen in hackerone history, also on the weekend*\n* \u003e *That must be been the fastest fix I've ever seen! 
\u003c24h from report to remediation, love to see it.*\n\n\n**Thank you for helping keep 8x8 and our users safe!**\n","has_open_scope":false,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"IDORs with Unpredictable IDs\",\"details\":\"IDORs having unguessable/non-enumerable identifier are out of scope.\"}","{\"category\":\"0-day vulnerabilities\",\"details\":\"Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\"}","{\"category\":\"Credential Stuffing\",\"details\":\"🚨 Testing of customer credentials is strictly prohibited.\\n\\nWe strongly advise our users not to reuse passwords from other platforms or services, and use multi-factor authentication when possible. Submissions related to Credential Stuffing are out of scope and will not be rewarded.\"}","{\"category\":\"Client-Side API Keys\",\"details\":\"Certain API keys (such as Google Maps, Analytics Services, …) are intentionally accessible to the end client. The only submissions which will be accepted have to show both how a key can be abused and how handling of the client key can be improved.\"}"],"timestamp":"2025-08-12T15:38:12.568Z"},{"id":3761028,"new_policy":"At 8x8, we help companies get their employees, customers and applications talking to make people more connected and productive no matter where they are in the world. At 8x8 we value security and recognize the importance of ensuring the integrity and confidentiality of global communications.\n\n## \u0026nbsp;  8x8 Product Scope\n\n| **8x8 Work** | All your essential business communications brought together in one simple app. 
| \n| ------------ | -------------------|\n⚠️ Testing accounts or credentials are not being provided at this time.\n⚠️ Product Assets:\n* Web App: https://work.8x8.com/\n* 8x8 Work for Desktop: https://support-portal.8x8.com/helpcenter/viewArticle.html?d=8bff4970-6fbf-4daf-842d-8ae9b533153d\n* iOS App: https://apps.apple.com/us/app/8x8-work/id348177448\n* Android App: https://play.google.com/store/apps/details?id=org.vom8x8.sipua\n\n\n| **8x8 Virtual Contact Center** | A complete, secure cloud contact center solution that makes it easy to collaborate with agents and improve customer experiences. | \n| ------------ | -------------------|\n⚠️ Testing accounts or credentials are not being provided at this time. \n⚠️ We will accept one unique report for the application across all related domains as assumed single fix unless proven otherwise.\n⚠️ Latest version of software usually available on https://vcc-na30.8x8.com/\n⚠️ Product Assets:\n* Configuration Manager: vcc-*.8x8.com/CM/\n* 8x8 Agent Workspace: vcc-*.8x8.com/AGUI/\n* 8x8 Quality Management: vcc-*.8x8.com/QM/\n* 8x8 Supervisor Workspace: https://superx.8x8.com/\n* 8x8 Analytics for Contact Center: analytics-*.8x8.com\n\n⚠️  Additional Testing Information regarding \"Contact Center Agent Workspace\":\n* For the application to work properly behind a Proxy (e.g. BURP), an exception has to be added for `jabbind3.php`\n  * Proxy settings\n  * Search \"streaming\"\n  * Add `https://vcc-na1.8x8.com/agui/jabbind3.php` (e.g.) as \"Streaming responses\"\n  * {F3427433}\n\n| **Jitsi** | Jitsi is a world class open source video meeting solution. We strive to make a flexible and secure video meetings platform with the option of **end-to-end encryption (beta)**. | \n| ------------ | -------------------|\n⚠️ Have a feature request or bug not related to security? 
Let us know or contribute yourself: https://github.com/jitsi/\n⚠️ Product Assets:\n* Infrastructure: *.jitsi.net\n* Infrastructure: *.jit.si\n* Source Code: https://github.com/jitsi\n\n| **8x8 Video Conferencing** | The best video conferencing solution for businesses of any size. Fully secure, reliable, packed with features and ridiculously simple to use. |\n| ------------ | -------------------|\n⚠️ Testing accounts or credentials are not being provided at this time.\n⚠️ Product Assets:\n* Web App: https://8x8.vc/\n\n\n| **Jitsi as a Service** | World's easiest way to add video meetings to your apps. |\n| ------------ | -------------------|\n⚠️ Self Sign-up is available: https://jaas.8x8.vc/\n⚠️ [JaaS developer portal](https://developer.8x8.com/jaas/docs/jaas-onboarding) \n\n| **8x8 Connect** | A multi-channel communication platform designed for businesses who want to work smart, not hard. | \n| ------------ | -------------------|\n⚠️ Self Sign-up is available: https://connect.8x8.com/\n⚠️ [8x8 CPaaS developer portal](https://developer.8x8.com/connect) \n⚠️ Product Assets:\n* Web App:  https://connect.8x8.com/\n* 8x8 Communication APIs: sms.8x8.com, sms.8x8.uk, sms.8x8.id, sms.us.8x8.com, chatapps.8x8.com, …\n\n----\n\u0026nbsp;  \n\n## \u0026nbsp;  If You See Something, Say Something\nWe welcome and encourage any submissions that help identify potential security vulnerabilities or exposures affecting our organization. 
Vulnerabilities disclosed under Responsible Disclosure assets will not be eligible for bounties.\n\n### \u0026nbsp; 8x8 IP Ranges \u0026 Domains\nhttps://support-portal.8x8.com/viewArticle.html?d=76af47f6-a987-4c2a-a0a2-53d87a79023d\u0026q=x-series-technical-requirements\u0026hl=en\n \n### \u0026nbsp; 8x8 subsidiaries and acquisitions\n* Contactual\n* Fuze\n* In2Tel\n* Jitsi\n* SameRoom\n* Wavecell\n\n\n----\n\u0026nbsp;  \n\n## Response Targets\n8x8 will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 2 business days\n\n## Disclosure Policy \n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue. \n* Please do not discuss vulnerabilities outside of the program without proper coordination and express consent from 8x8.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder. Please notify us immediately if you encounter exposure of information.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n## Scope Exclusions \nWhile researching, we'd like to ask you to refrain from: \n* **Any form of automation**\n* Any activity that could lead to the disruption of our service (DoS)\n* Spamming \n* Social engineering (including phishing) of 8x8 staff or contractors\n* Any physical attempts against 8x8 property or data centers\n* Missing security headers (e.g. 
HSTS, CSP, SPF, DMARC)\n* Missing flags on cookies\n* SSL issues (expired certs/weak ciphers/key-size/BEAST/CRIME)\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no security impact\n* Clickjacking\n* Rate limiting or brute force issues\n* General low severity issues reported by automated scanners\n* Attacks requiring MITM or physical access to a user's device\n* Vulnerable libraries or dependencies absent a working **Proof of Concept**\n* Comma Separated Values (CSV) injection\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Tab-nabbing \n* Self XSS without further security impact\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Credential Stuffing:  It is the responsibility of our users to ensure the uniqueness and security of their credentials. We strongly advise our users not to reuse passwords from other platforms or services and to utilize multi-factor authentication whenever possible. Any submissions related to Credential Stuffing will be deemed out of scope and will not be rewarded.\n\n### Target Specific Scope Exclusion - connect.8x8.com\n1. IDORs having unguessable/non-enumerable identifier are out of scope\n    - IDORs in form of an UUID\n    - IDORs based on `AccountId` and `subAccountId`\n2. 
When testing support functionality please add \"HackerOne\" in your subject line and limit the number of requests to an absolute minimum.\n\n## Testing Identification\n* Please utilize your [username]@wearehackerone.com alias when submitting information within the applications.\n* To help us identify and classify researcher traffic, 8x8 requests you to include your HackerOne username value to each and every HTTP request made by yourself or any tooling you use. Please use the following format appended to `User-Agent`:\n`X-HackerOne: [H1 username]`\n\n## Safe Harbor \nThe [Gold Standard Safe Harbor](https://hackerone.com/8x8-bounty/safe_harbor) applies.\n\n## What other researchers are saying …\n* \u003e *Lightning fast as always, wish all programs were like this!*\n* \u003e *8x8 is the best bug bounty program on HackerOne by far.*\n* \u003e *Best Program Team!*\n* \u003e *Thank you for being one of the fastest response triager as well as super transparent, someone that works with hackers just like a collaboration.*\n* \u003e *That was the fastest triage ever I think.*\n* \u003e *This is the fastest program to date. Not only is the response time is insane, but also the way your security team works with researchers is awesome. Totally love the fact that you guys are putting security as your top priority.*\n* \u003e *The fastest response I've seen in hackerone history, also on the weekend*\n* \u003e *That must be been the fastest fix I've ever seen! 
\u003c24h from report to remediation, love to see it.*\n\n\n**Thank you for helping keep 8x8 and our users safe!**\n","has_open_scope":false,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"IDORs with Unpredictable IDs\",\"details\":\"IDORs having unguessable/non-enumerable identifier are out of scope.\"}","{\"category\":\"0-day vulnerabilities\",\"details\":\"Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\"}","{\"category\":\"Credential Stuffing\",\"details\":\"🚨 Testing of customer credentials is strictly prohibited.\\n\\nWe strongly advise our users not to reuse passwords from other platforms or services, and use multi-factor authentication when possible. Submissions related to Credential Stuffing are out of scope and will not be rewarded.\"}","{\"category\":\"Client-Side API Keys\",\"details\":\"Certain API keys (such as Google Maps, Analytics Services, …) are intentionally accessible to the end client. The only submissions which will be accepted have to show *both* how a key can be abused *and* how handling of the client key can be improved.\"}"],"timestamp":"2025-08-12T15:37:25.627Z"},{"id":3750957,"new_policy":"At 8x8, we help companies get their employees, customers and applications talking to make people more connected and productive no matter where they are in the world. At 8x8 we value security and recognize the importance of ensuring the integrity and confidentiality of global communications.\n\n## \u0026nbsp;  8x8 Product Scope\n\n| **8x8 Work** | All your essential business communications brought together in one simple app. 
| \n| ------------ | -------------------|\n⚠️ Testing accounts or credentials are not being provided at this time.\n⚠️ Product Assets:\n* Web App: https://work.8x8.com/\n* 8x8 Work for Desktop: https://support-portal.8x8.com/helpcenter/viewArticle.html?d=8bff4970-6fbf-4daf-842d-8ae9b533153d\n* iOS App: https://apps.apple.com/us/app/8x8-work/id348177448\n* Android App: https://play.google.com/store/apps/details?id=org.vom8x8.sipua\n\n\n| **8x8 Virtual Contact Center** | A complete, secure cloud contact center solution that makes it easy to collaborate with agents and improve customer experiences. | \n| ------------ | -------------------|\n⚠️ Testing accounts or credentials are not being provided at this time. \n⚠️ We will accept one unique report for the application across all related domains as assumed single fix unless proven otherwise.\n⚠️ Latest version of software usually available on https://vcc-na30.8x8.com/\n⚠️ Product Assets:\n* Configuration Manager: vcc-*.8x8.com/CM/\n* 8x8 Agent Workspace: vcc-*.8x8.com/AGUI/\n* 8x8 Quality Management: vcc-*.8x8.com/QM/\n* 8x8 Supervisor Workspace: https://superx.8x8.com/\n* 8x8 Analytics for Contact Center: analytics-*.8x8.com\n\n⚠️  Additional Testing Information regarding \"Contact Center Agent Workspace\":\n* For the application to work properly behind a Proxy (e.g. BURP), an exception has to be added for `jabbind3.php`\n  * Proxy settings\n  * Search \"streaming\"\n  * Add `https://vcc-na1.8x8.com/agui/jabbind3.php` (e.g.) as \"Streaming responses\"\n  * {F3427433}\n\n| **Jitsi** | Jitsi is a world class open source video meeting solution. We strive to make a flexible and secure video meetings platform with the option of **end-to-end encryption (beta)**. | \n| ------------ | -------------------|\n⚠️ Have a feature request or bug not related to security? 
Let us know or contribute yourself: https://github.com/jitsi/\n⚠️ Product Assets:\n* Infrastructure: *.jitsi.net\n* Infrastructure: *.jit.si\n* Source Code: https://github.com/jitsi\n\n| **8x8 Video Conferencing** | The best video conferencing solution for businesses of any size. Fully secure, reliable, packed with features and ridiculously simple to use. |\n| ------------ | -------------------|\n⚠️ Testing accounts or credentials are not being provided at this time.\n⚠️ Product Assets:\n* Web App: https://8x8.vc/\n\n\n| **Jitsi as a Service** | World's easiest way to add video meetings to your apps. |\n| ------------ | -------------------|\n⚠️ Self Sign-up is available: https://jaas.8x8.vc/\n⚠️ [JaaS developer portal](https://developer.8x8.com/jaas/docs/jaas-onboarding) \n\n| **8x8 Connect** | A multi-channel communication platform designed for businesses who want to work smart, not hard. | \n| ------------ | -------------------|\n⚠️ Self Sign-up is available: https://connect.8x8.com/\n⚠️ [8x8 CPaaS developer portal](https://developer.8x8.com/connect) \n⚠️ Product Assets:\n* Web App:  https://connect.8x8.com/\n* 8x8 Communication APIs: sms.8x8.com, sms.8x8.uk, sms.8x8.id, sms.us.8x8.com, chatapps.8x8.com, …\n\n----\n\u0026nbsp;  \n\n## \u0026nbsp;  If You See Something, Say Something\nWe welcome and encourage any submissions that help identify potential security vulnerabilities or exposures affecting our organization. 
Vulnerabilities disclosed under Responsible Disclosure assets will not be eligible for bounties.\n\n### \u0026nbsp; 8x8 IP Ranges \u0026 Domains\nhttps://support-portal.8x8.com/viewArticle.html?d=76af47f6-a987-4c2a-a0a2-53d87a79023d\u0026q=x-series-technical-requirements\u0026hl=en\n \n### \u0026nbsp; 8x8 subsidiaries and acquisitions\n* Contactual\n* Fuze\n* In2Tel\n* Jitsi\n* SameRoom\n* Wavecell\n\n\n----\n\u0026nbsp;  \n\n## Response Targets\n8x8 will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 2 business days\n\n## Disclosure Policy \n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue. \n* Please do not discuss vulnerabilities outside of the program without proper coordination and express consent from 8x8.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder. Please notify us immediately if you encounter exposure of information.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n## Scope Exclusions \nWhile researching, we'd like to ask you to refrain from: \n* **Any form of automation**\n* Any activity that could lead to the disruption of our service (DoS)\n* Spamming \n* Social engineering (including phishing) of 8x8 staff or contractors\n* Any physical attempts against 8x8 property or data centers\n* Missing security headers (e.g. 
HSTS, CSP, SPF, DMARC)\n* Missing flags on cookies\n* SSL issues (expired certs/weak ciphers/key-size/BEAST/CRIME)\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no security impact\n* Clickjacking\n* Rate limiting or brute force issues\n* General low severity issues reported by automated scanners\n* Attacks requiring MITM or physical access to a user's device\n* Vulnerable libraries or dependencies absent a working **Proof of Concept**\n* Comma Separated Values (CSV) injection\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Tab-nabbing \n* Self XSS without further security impact\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Credential Stuffing:  It is the responsibility of our users to ensure the uniqueness and security of their credentials. We strongly advise our users not to reuse passwords from other platforms or services and to utilize multi-factor authentication whenever possible. Any submissions related to Credential Stuffing will be deemed out of scope and will not be rewarded.\n\n### Target Specific Scope Exclusion - connect.8x8.com\n1. IDORs having unguessable/non-enumerable identifier are out of scope\n    - IDORs in form of an UUID\n    - IDORs based on `AccountId` and `subAccountId`\n2. 
When testing support functionality please add \"HackerOne\" in your subject line and limit the number of requests to an absolute minimum.\n\n## Testing Identification\n* Please utilize your [username]@wearehackerone.com alias when submitting information within the applications.\n* To help us identify and classify researcher traffic, 8x8 requests you to include your HackerOne username value to each and every HTTP request made by yourself or any tooling you use. Please use the following format appended to `User-Agent`:\n`X-HackerOne: [H1 username]`\n\n## Safe Harbor \nThe [Gold Standard Safe Harbor](https://hackerone.com/8x8-bounty/safe_harbor) applies.\n\n## What other researchers are saying …\n* \u003e *Lightning fast as always, wish all programs were like this!*\n* \u003e *8x8 is the best bug bounty program on HackerOne by far.*\n* \u003e *Best Program Team!*\n* \u003e *Thank you for being one of the fastest response triager as well as super transparent, someone that works with hackers just like a collaboration.*\n* \u003e *That was the fastest triage ever I think.*\n* \u003e *This is the fastest program to date. Not only is the response time is insane, but also the way your security team works with researchers is awesome. Totally love the fact that you guys are putting security as your top priority.*\n* \u003e *The fastest response I've seen in hackerone history, also on the weekend*\n* \u003e *That must be been the fastest fix I've ever seen! 
\u003c24h from report to remediation, love to see it.*\n\n\n**Thank you for helping keep 8x8 and our users safe!**\n","has_open_scope":false,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"IDORs with Unpredictable IDs\",\"details\":\"IDORs having unguessable/non-enumerable identifier are out of scope.\"}","{\"category\":\"0-day vulnerabilities\",\"details\":\"Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\"}","{\"category\":\"Credential Stuffing\",\"details\":\"🚨 Testing of customer credentials is strictly prohibited.\\n\\nWe strongly advise our users not to reuse passwords from other platforms or services, and use multi-factor authentication when possible. Submissions related to Credential Stuffing are out of scope and will not be rewarded.\"}"],"timestamp":"2025-02-27T01:19:08.277Z"},{"id":3750956,"new_policy":"At 8x8, we help companies get their employees, customers and applications talking to make people more connected and productive no matter where they are in the world. At 8x8 we value security and recognize the importance of ensuring the integrity and confidentiality of global communications.\n\n## \u0026nbsp;  8x8 Product Scope\n\n| **8x8 Work** | All your essential business communications brought together in one simple app. 
| \n| ------------ | -------------------|\n⚠️ Testing accounts or credentials are not being provided at this time.\n⚠️ Product Assets:\n* Web App: https://work.8x8.com/\n* 8x8 Work for Desktop: https://support-portal.8x8.com/helpcenter/viewArticle.html?d=8bff4970-6fbf-4daf-842d-8ae9b533153d\n* iOS App: https://apps.apple.com/us/app/8x8-work/id348177448\n* Android App: https://play.google.com/store/apps/details?id=org.vom8x8.sipua\n\n\n| **8x8 Virtual Contact Center** | A complete, secure cloud contact center solution that makes it easy to collaborate with agents and improve customer experiences. | \n| ------------ | -------------------|\n⚠️ Testing accounts or credentials are not being provided at this time. \n⚠️ We will accept one unique report for the application across all related domains as assumed single fix unless proven otherwise.\n⚠️ Latest version of software usually available on https://vcc-na30.8x8.com/\n⚠️ Product Assets:\n* Configuration Manager: vcc-*.8x8.com/CM/\n* 8x8 Agent Workspace: vcc-*.8x8.com/AGUI/\n* 8x8 Quality Management: vcc-*.8x8.com/QM/\n* 8x8 Supervisor Workspace: https://superx.8x8.com/\n* 8x8 Analytics for Contact Center: analytics-*.8x8.com\n\n⚠️  Additional Testing Information regarding \"Contact Center Agent Workspace\":\n* For the application to work properly behind a Proxy (e.g. BURP), an exception has to be added for `jabbind3.php`\n  * Proxy settings\n  * Search \"streaming\"\n  * Add `https://vcc-na1.8x8.com/agui/jabbind3.php` (e.g.) as \"Streaming responses\"\n  * {F3427433}\n\n| **Jitsi** | Jitsi is a world class open source video meeting solution. We strive to make a flexible and secure video meetings platform with the option of **end-to-end encryption (beta)**. | \n| ------------ | -------------------|\n⚠️ Have a feature request or bug not related to security? 
Let us know or contribute yourself: https://github.com/jitsi/\n⚠️ Product Assets:\n* Infrastructure: *.jitsi.net\n* Infrastructure: *.jit.si\n* Source Code: https://github.com/jitsi\n\n| **8x8 Video Conferencing** | The best video conferencing solution for businesses of any size. Fully secure, reliable, packed with features and ridiculously simple to use. |\n| ------------ | -------------------|\n⚠️ Testing accounts or credentials are not being provided at this time.\n⚠️ Product Assets:\n* Web App: https://8x8.vc/\n\n\n| **Jitsi as a Service** | World's easiest way to add video meetings to your apps. |\n| ------------ | -------------------|\n⚠️ Self Sign-up is available: https://jaas.8x8.vc/\n⚠️ [JaaS developer portal](https://developer.8x8.com/jaas/docs/jaas-onboarding) \n\n| **8x8 Connect** | A multi-channel communication platform designed for businesses who want to work smart, not hard. | \n| ------------ | -------------------|\n⚠️ Self Sign-up is available: https://connect.8x8.com/\n⚠️ [8x8 CPaaS developer portal](https://developer.8x8.com/connect) \n⚠️ Product Assets:\n* Web App:  https://connect.8x8.com/\n* 8x8 Communication APIs: sms.8x8.com, sms.8x8.uk, sms.8x8.id, sms.us.8x8.com, chatapps.8x8.com, …\n\n----\n\u0026nbsp;  \n\n## \u0026nbsp;  If You See Something, Say Something\nWe welcome and encourage any submissions that help identify potential security vulnerabilities or exposures affecting our organization. 
Vulnerabilities disclosed under Responsible Disclosure assets will not be eligible for bounties.\n\n### \u0026nbsp; 8x8 IP Ranges \u0026 Domains\nhttps://support-portal.8x8.com/viewArticle.html?d=76af47f6-a987-4c2a-a0a2-53d87a79023d\u0026q=x-series-technical-requirements\u0026hl=en\n \n### \u0026nbsp; 8x8 subsidiaries and acquisitions\n* Contactual\n* Fuze\n* Jitsi\n* SameRoom\n* Wavecell\n* In2Tel\n\n----\n\u0026nbsp;  \n\n## Response Targets\n8x8 will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 2 business days\n\n## Disclosure Policy \n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue. \n* Please do not discuss vulnerabilities outside of the program without proper coordination and express consent from 8x8.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder. Please notify us immediately if you encounter exposure of information.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n## Scope Exclusions \nWhile researching, we'd like to ask you to refrain from: \n* **Any form of automation**\n* Any activity that could lead to the disruption of our service (DoS)\n* Spamming \n* Social engineering (including phishing) of 8x8 staff or contractors\n* Any physical attempts against 8x8 property or data centers\n* Missing security headers (e.g. 
HSTS, CSP, SPF, DMARC)\n* Missing flags on cookies\n* SSL issues (expired certs/weak ciphers/key-size/BEAST/CRIME)\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no security impact\n* Clickjacking\n* Rate limiting or brute force issues\n* General low severity issues reported by automated scanners\n* Attacks requiring MITM or physical access to a user's device\n* Vulnerable libraries or dependencies absent a working **Proof of Concept**\n* Comma Separated Values (CSV) injection\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Tab-nabbing \n* Self XSS without further security impact\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Credential Stuffing:  It is the responsibility of our users to ensure the uniqueness and security of their credentials. We strongly advise our users not to reuse passwords from other platforms or services and to utilize multi-factor authentication whenever possible. Any submissions related to Credential Stuffing will be deemed out of scope and will not be rewarded.\n\n### Target Specific Scope Exclusion - connect.8x8.com\n1. IDORs having unguessable/non-enumerable identifier are out of scope\n    - IDORs in form of an UUID\n    - IDORs based on `AccountId` and `subAccountId`\n2. 
When testing support functionality please add \"HackerOne\" in your subject line and limit the number of requests to an absolute minimum.\n\n## Testing Identification\n* Please utilize your [username]@wearehackerone.com alias when submitting information within the applications.\n* To help us identify and classify researcher traffic, 8x8 requests you to include your HackerOne username value to each and every HTTP request made by yourself or any tooling you use. Please use the following format appended to `User-Agent`:\n`X-HackerOne: [H1 username]`\n\n## Safe Harbor \nThe [Gold Standard Safe Harbor](https://hackerone.com/8x8-bounty/safe_harbor) applies.\n\n## What other researchers are saying …\n* \u003e *Lightning fast as always, wish all programs were like this!*\n* \u003e *8x8 is the best bug bounty program on HackerOne by far.*\n* \u003e *Best Program Team!*\n* \u003e *Thank you for being one of the fastest response triager as well as super transparent, someone that works with hackers just like a collaboration.*\n* \u003e *That was the fastest triage ever I think.*\n* \u003e *This is the fastest program to date. Not only is the response time is insane, but also the way your security team works with researchers is awesome. Totally love the fact that you guys are putting security as your top priority.*\n* \u003e *The fastest response I've seen in hackerone history, also on the weekend*\n* \u003e *That must be been the fastest fix I've ever seen! 
\u003c24h from report to remediation, love to see it.*\n\n\n**Thank you for helping keep 8x8 and our users safe!**\n","has_open_scope":false,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"IDORs with Unpredictable IDs\",\"details\":\"IDORs having unguessable/non-enumerable identifier are out of scope.\"}","{\"category\":\"0-day vulnerabilities\",\"details\":\"Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\"}","{\"category\":\"Credential Stuffing\",\"details\":\"🚨 Testing of customer credentials is strictly prohibited.\\n\\nWe strongly advise our users not to reuse passwords from other platforms or services, and use multi-factor authentication when possible. Submissions related to Credential Stuffing are out of scope and will not be rewarded.\"}"],"timestamp":"2025-02-27T01:17:57.305Z"},{"id":3740073,"new_policy":"At 8x8, we help companies get their employees, customers and applications talking to make people more connected and productive no matter where they are in the world. At 8x8 we value security and recognize the importance of ensuring the integrity and confidentiality of global communications.\n\n## \u0026nbsp;  8x8 Product Scope\n\n| **8x8 Work** | All your essential business communications brought together in one simple app. 
| \n| ------------ | -------------------|\n⚠️ Testing accounts or credentials are not being provided at this time.\n⚠️ Product Assets:\n* Web App: https://work.8x8.com/\n* 8x8 Work for Desktop: https://support-portal.8x8.com/helpcenter/viewArticle.html?d=8bff4970-6fbf-4daf-842d-8ae9b533153d\n* iOS App: https://apps.apple.com/us/app/8x8-work/id348177448\n* Android App: https://play.google.com/store/apps/details?id=org.vom8x8.sipua\n\n\n| **8x8 Virtual Contact Center** | A complete, secure cloud contact center solution that makes it easy to collaborate with agents and improve customer experiences. | \n| ------------ | -------------------|\n⚠️ Testing accounts or credentials are not being provided at this time. \n⚠️ We will accept one unique report for the application across all related domains as assumed single fix unless proven otherwise.\n⚠️ Latest version of software usually available on https://vcc-na30.8x8.com/\n⚠️ Product Assets:\n* Configuration Manager: vcc-*.8x8.com/CM/\n* 8x8 Agent Workspace: vcc-*.8x8.com/AGUI/\n* 8x8 Quality Management: vcc-*.8x8.com/QM/\n* 8x8 Supervisor Workspace: https://superx.8x8.com/\n* 8x8 Analytics for Contact Center: analytics-*.8x8.com\n\n⚠️  Additional Testing Information regarding \"Contact Center Agent Workspace\":\n* For the application to work properly behind a Proxy (e.g. BURP), an exception has to be added for `jabbind3.php`\n  * Proxy settings\n  * Search \"streaming\"\n  * Add `https://vcc-na1.8x8.com/agui/jabbind3.php` (e.g.) as \"Streaming responses\"\n  * {F3427433}\n\n| **Jitsi** | Jitsi is a world class open source video meeting solution. We strive to make a flexible and secure video meetings platform with the option of **end-to-end encryption (beta)**. | \n| ------------ | -------------------|\n⚠️ Have a feature request or bug not related to security? 
Let us know or contribute yourself: https://github.com/jitsi/\n⚠️ Product Assets:\n* Infrastructure: *.jitsi.net\n* Infrastructure: *.jit.si\n* Source Code: https://github.com/jitsi\n\n| **8x8 Video Conferencing** | The best video conferencing solution for businesses of any size. Fully secure, reliable, packed with features and ridiculously simple to use. |\n| ------------ | -------------------|\n⚠️ Testing accounts or credentials are not being provided at this time.\n⚠️ Product Assets:\n* Web App: https://8x8.vc/\n\n\n| **Jitsi as a Service** | World's easiest way to add video meetings to your apps. |\n| ------------ | -------------------|\n⚠️ Self Sign-up is available: https://jaas.8x8.vc/\n⚠️ [JaaS developer portal](https://developer.8x8.com/jaas/docs/jaas-onboarding) \n\n| **8x8 Connect** | A multi-channel communication platform designed for businesses who want to work smart, not hard. | \n| ------------ | -------------------|\n⚠️ Self Sign-up is available: https://connect.8x8.com/\n⚠️ [8x8 CPaaS developer portal](https://developer.8x8.com/connect) \n⚠️ Product Assets:\n* Web App:  https://connect.8x8.com/\n* 8x8 Communication APIs: sms.8x8.com, sms.8x8.uk, sms.8x8.id, chatapps.8x8.com, …\n\n----\n\u0026nbsp;  \n\n## \u0026nbsp;  If You See Something, Say Something\nWe welcome and encourage any submissions that help identify potential security vulnerabilities or exposures affecting our organization. 
Vulnerabilities disclosed under Responsible Disclosure assets will not be eligible for bounties.\n\n### \u0026nbsp; 8x8 IP Ranges \u0026 Domains\nhttps://support-portal.8x8.com/viewArticle.html?d=76af47f6-a987-4c2a-a0a2-53d87a79023d\u0026q=x-series-technical-requirements\u0026hl=en\n \n### \u0026nbsp; 8x8 subsidiaries and acquisitions\n* Contactual\n* Fuze\n* Jitsi\n* SameRoom\n* Wavecell\n\n----\n\u0026nbsp;  \n\n## Response Targets\n8x8 will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 2 business days\n\n## Disclosure Policy \n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue. \n* Please do not discuss vulnerabilities outside of the program without proper coordination and express consent from 8x8.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder. Please notify us immediately if you encounter exposure of information.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n## Scope Exclusions \nWhile researching, we'd like to ask you to refrain from: \n* **Any form of automation**\n* Any activity that could lead to the disruption of our service (DoS)\n* Spamming \n* Social engineering (including phishing) of 8x8 staff or contractors\n* Any physical attempts against 8x8 property or data centers\n* Missing security headers (e.g. 
HSTS, CSP, SPF, DMARC)\n* Missing flags on cookies\n* SSL issues (expired certs/weak ciphers/key-size/BEAST/CRIME)\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no security impact\n* Clickjacking\n* Rate limiting or brute force issues\n* General low severity issues reported by automated scanners\n* Attacks requiring MITM or physical access to a user's device\n* Vulnerable libraries or dependencies absent a working **Proof of Concept**\n* Comma Separated Values (CSV) injection\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Tab-nabbing \n* Self XSS without further security impact\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Credential Stuffing:  It is the responsibility of our users to ensure the uniqueness and security of their credentials. We strongly advise our users not to reuse passwords from other platforms or services and to utilize multi-factor authentication whenever possible. Any submissions related to Credential Stuffing will be deemed out of scope and will not be rewarded.\n\n### Target Specific Scope Exclusion - connect.8x8.com\n1. IDORs having unguessable/non-enumerable identifier are out of scope\n    - IDORs in form of an UUID\n    - IDORs based on `AccountId` and `subAccountId`\n2. 
When testing support functionality please add \"HackerOne\" in your subject line and limit the number of requests to an absolute minimum.\n\n## Testing Identification\n* Please utilize your [username]@wearehackerone.com alias when submitting information within the applications.\n* To help us identify and classify researcher traffic, 8x8 requests you to include your HackerOne username value to each and every HTTP request made by yourself or any tooling you use. Please use the following format appended to `User-Agent`:\n`X-HackerOne: [H1 username]`\n\n## Safe Harbor \nThe [Gold Standard Safe Harbor](https://hackerone.com/8x8-bounty/safe_harbor) applies.\n\n## What other researchers are saying …\n* \u003e *Lightning fast as always, wish all programs were like this!*\n* \u003e *8x8 is the best bug bounty program on HackerOne by far.*\n* \u003e *Best Program Team!*\n* \u003e *Thank you for being one of the fastest response triager as well as super transparent, someone that works with hackers just like a collaboration.*\n* \u003e *That was the fastest triage ever I think.*\n* \u003e *This is the fastest program to date. Not only is the response time is insane, but also the way your security team works with researchers is awesome. Totally love the fact that you guys are putting security as your top priority.*\n* \u003e *The fastest response I've seen in hackerone history, also on the weekend*\n* \u003e *That must be been the fastest fix I've ever seen! 
\u003c24h from report to remediation, love to see it.*\n\n\n**Thank you for helping keep 8x8 and our users safe!**\n","has_open_scope":false,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"IDORs with Unpredictable IDs\",\"details\":\"IDORs having unguessable/non-enumerable identifier are out of scope.\"}","{\"category\":\"0-day vulnerabilities\",\"details\":\"Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\"}","{\"category\":\"Credential Stuffing\",\"details\":\"🚨 Testing of customer credentials is strictly prohibited.\\n\\nWe strongly advise our users not to reuse passwords from other platforms or services, and use multi-factor authentication when possible. Submissions related to Credential Stuffing are out of scope and will not be rewarded.\"}"],"timestamp":"2024-09-22T16:40:07.969Z"},{"id":3739455,"new_policy":"At 8x8, we help companies get their employees, customers and applications talking to make people more connected and productive no matter where they are in the world. At 8x8 we value security and recognize the importance of ensuring the integrity and confidentiality of global communications.\n\n## \u0026nbsp;  8x8 Product Scope\n\n| **8x8 Work** | All your essential business communications brought together in one simple app. 
| \n| ------------ | -------------------|\n⚠️ Testing accounts or credentials are not being provided at this time.\n⚠️ Product Assets:\n* Web App: https://work.8x8.com/\n* 8x8 Work for Desktop: https://support-portal.8x8.com/helpcenter/viewArticle.html?d=8bff4970-6fbf-4daf-842d-8ae9b533153d\n* iOS App: https://apps.apple.com/us/app/8x8-work/id348177448\n* Android App: https://play.google.com/store/apps/details?id=org.vom8x8.sipua\n\n\n| **8x8 Virtual Contact Center** | A complete, secure cloud contact center solution that makes it easy to collaborate with agents and improve customer experiences. | \n| ------------ | -------------------|\n⚠️ Testing accounts or credentials are not being provided at this time. \n⚠️ We will accept one unique report for the application across all related domains as assumed single fix unless proven otherwise.\n⚠️ Latest version of software usually available on https://vcc-na30.8x8.com/\n⚠️ Product Assets:\n* Configuration Manager: vcc-*.8x8.com/CM/\n* 8x8 Agent Workspace: vcc-*.8x8.com/AGUI/\n* 8x8 Quality Management: vcc-*.8x8.com/QM/\n* 8x8 Supervisor Workspace: https://superx.8x8.com/\n* 8x8 Analytics for Contact Center: analytics-*.8x8.com\n\n⚠️  Additional Testing Information regarding \"Contact Center Agent Workspace\":\n* For the application to work properly behind a Proxy (e.g. BURP), an exception has to be added for `jabbind3.php`\n  * Proxy settings\n  * Search \"streaming\"\n  * Add `https://vcc-na1.8x8.com/agui/jabbind3.php` (e.g.) as \"Streaming responses\"\n  * {F3427433}\n\n| **Jitsi** | Jitsi is a world class open source video meeting solution. We strive to make a flexible and secure video meetings platform with the option of **end-to-end encryption (beta)**. | \n| ------------ | -------------------|\n⚠️ Have a feature request or bug not related to security? 
Let us know or contribute yourself: https://github.com/jitsi/\n⚠️ Product Assets:\n* Infrastructure: *.jitsi.net\n* Infrastructure: *.jit.si\n* Source Code: https://github.com/jitsi\n\n| **8x8 Video Conferencing** | The best video conferencing solution for businesses of any size. Fully secure, reliable, packed with features and ridiculously simple to use. |\n| ------------ | -------------------|\n⚠️ Testing accounts or credentials are not being provided at this time.\n⚠️ Product Assets:\n* Web App: https://8x8.vc/\n\n\n| **Jitsi as a Service** | World's easiest way to add video meetings to your apps. |\n| ------------ | -------------------|\n⚠️ Self Sign-up is available: https://jaas.8x8.vc/\n⚠️ [JaaS developer portal](https://developer.8x8.com/jaas/docs/jaas-onboarding) \n\n| **8x8 Connect** | A multi-channel communication platform designed for businesses who want to work smart, not hard. | \n| ------------ | -------------------|\n⚠️ Self Sign-up is available: https://connect.8x8.com/\n⚠️ [8x8 CPaaS developer portal](https://developer.8x8.com/connect) \n⚠️ Product Assets:\n* Web App:  https://connect.8x8.com/\n* 8x8 Communication APIs: sms.8x8.com, sms.8x8.uk, sms.8x8.id, chatapps.8x8.com, …\n\n----\n\u0026nbsp;  \n\n## \u0026nbsp;  If You See Something, Say Something\nWe welcome and encourage any submissions that help identify potential security vulnerabilities or exposures affecting our organization. 
Vulnerabilities disclosed under Responsible Disclosure assets will not be eligible for bounties.\n\n### \u0026nbsp; 8x8 IP Ranges \u0026 Domains\nhttps://support-portal.8x8.com/viewArticle.html?d=76af47f6-a987-4c2a-a0a2-53d87a79023d\u0026q=x-series-technical-requirements\u0026hl=en\n \n### \u0026nbsp; 8x8 subsidiaries and acquisitions\n* Contactual\n* Fuze\n* Jitsi\n* SameRoom\n* Wavecell\n\n----\n\u0026nbsp;  \n\n## Response Targets\n8x8 will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 2 business days\n\n## Disclosure Policy \n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue. \n* Please do not discuss vulnerabilities outside of the program without proper coordination and express consent from 8x8.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder. Please notify us immediately if you encounter exposure of information.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n## Scope Exclusions \nWhile researching, we'd like to ask you to refrain from: \n* **Any form of automation**\n* Any activity that could lead to the disruption of our service (DoS)\n* Spamming \n* Social engineering (including phishing) of 8x8 staff or contractors\n* Any physical attempts against 8x8 property or data centers\n* Missing security headers (e.g. 
HSTS, CSP, SPF, DMARC)\n* Missing flags on cookies\n* SSL issues (expired certs/weak ciphers/key-size/BEAST/CRIME)\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no security impact\n* Clickjacking\n* Rate limiting or brute force issues\n* General low severity issues reported by automated scanners\n* Attacks requiring MITM or physical access to a user's device\n* Vulnerable libraries or dependencies absent a working **Proof of Concept**\n* Comma Separated Values (CSV) injection\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Tab-nabbing \n* Self XSS without further security impact\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Credential Stuffing:  It is the responsibility of our users to ensure the uniqueness and security of their credentials. We strongly advise our users not to reuse passwords from other platforms or services and to utilize multi-factor authentication whenever possible. Any submissions related to Credential Stuffing will be deemed out of scope and will not be rewarded.\n\n### Target Specific Scope Exclusion - connect.8x8.com\n1. IDORs having unguessable/non-enumerable identifier are out of scope\n    - IDORs in form of an UUID\n    - IDORs based on `AccountId` and `subAccountId`\n2. 
When testing support functionality please add \"HackerOne\" in your subject line and limit the number of requests to an absolute minimum.\n\n## Testing Identification\n* Please utilize your [username]@wearehackerone.com alias when submitting information within the applications.\n* To help us identify and classify researcher traffic, 8x8 requests you to include your HackerOne username value in each and every HTTP request made by yourself or any tooling you use. Please use the following format appended to `User-Agent`:\n`X-HackerOne: [H1 username]`\n\n## Safe Harbor \nThe [Gold Standard Safe Harbor](https://hackerone.com/8x8-bounty/safe_harbor) applies.\n\n## What other researchers are saying …\n* \u003e *Lightning fast as always, wish all programs were like this!*\n* \u003e *8x8 is the best bug bounty program on HackerOne by far.*\n* \u003e *Best Program Team!*\n* \u003e *Thank you for being one of the fastest response triager as well as super transparent, someone that works with hackers just like a collaboration.*\n* \u003e *That was the fastest triage ever I think.*\n* \u003e *This is the fastest program to date. Not only is the response time insane, but also the way your security team works with researchers is awesome. Totally love the fact that you guys are putting security as your top priority.*\n* \u003e *The fastest response I've seen in HackerOne history, also on the weekend*\n* \u003e *That must have been the fastest fix I've ever seen! \u003c24h from report to remediation, love to see it.*\n\n\n**Thank you for helping keep 8x8 and our users safe!**\n","has_open_scope":false,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Credential Stuffing\",\"details\":\"Users must ensure the uniqueness and security of their credentials. 
We strongly advise our users not to reuse passwords from other platforms or services, and use multi-factor authentication when possible. Submissions related to Credential Stuffing are out of scope and will not be rewarded.\"}","{\"category\":\"IDORs with Unpredictable IDs\",\"details\":\"IDORs having unguessable/non-enumerable identifier are out of scope.\"}","{\"category\":\"0-day vulnerabilities\",\"details\":\"Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\"}"],"timestamp":"2024-09-17T01:12:09.709Z"},{"id":3739198,"new_policy":"At 8x8, we help companies get their employees, customers and applications talking to make people more connected and productive no matter where they are in the world. At 8x8 we value security and recognize the importance of ensuring the integrity and confidentiality of global communications.\n\n## \u0026nbsp;  8x8 Product Scope\n\n| **8x8 Work** | All your essential business communications brought together in one simple app. | \n| ------------ | -------------------|\n⚠️ Testing accounts or credentials are not being provided at this time.\n⚠️ Product Assets:\n* Web App: https://work.8x8.com/\n* 8x8 Work for Desktop: https://support-portal.8x8.com/helpcenter/viewArticle.html?d=8bff4970-6fbf-4daf-842d-8ae9b533153d\n* iOS App: https://apps.apple.com/us/app/8x8-work/id348177448\n* Android App: https://play.google.com/store/apps/details?id=org.vom8x8.sipua\n\n\n| **8x8 Virtual Contact Center** | A complete, secure cloud contact center solution that makes it easy to collaborate with agents and improve customer experiences. | \n| ------------ | -------------------|\n⚠️ Testing accounts or credentials are not being provided at this time. 
\n⚠️ We will accept one unique report for the application across all related domains as assumed single fix unless proven otherwise.\n⚠️ Latest version of software usually available on https://vcc-na30.8x8.com/\n⚠️ Product Assets:\n* Configuration Manager: vcc-*.8x8.com/CM/\n* 8x8 Agent Workspace: vcc-*.8x8.com/AGUI/\n* 8x8 Quality Management: vcc-*.8x8.com/QM/\n* 8x8 Supervisor Workspace: https://superx.8x8.com/\n* 8x8 Analytics for Contact Center: analytics-*.8x8.com\n\n⚠️  Additional Testing Information regarding \"Contact Center Agent Workspace\":\n* For the application to work properly behind a Proxy (e.g. BURP), an exception has to be added for `jabbind3.php`\n  * Proxy settings\n  * Search \"streaming\"\n  * Add `https://vcc-na1.8x8.com/agui/jabbind3.php` (e.g.) as \"Streaming responses\"\n  * {F3427433}\n\n| **Jitsi** | Jitsi is a world class open source video meeting solution. We strive to make a flexible and secure video meetings platform with the option of **end-to-end encryption (beta)**. | \n| ------------ | -------------------|\n⚠️ Have a feature request or bug not related to security? Let us know or contribute yourself: https://github.com/jitsi/\n⚠️ Product Assets:\n* Infrastructure: *.jitsi.net\n* Infrastructure: *.jit.si\n* Source Code: https://github.com/jitsi\n\n| **8x8 Video Conferencing** | The best video conferencing solution for businesses of any size. Fully secure, reliable, packed with features and ridiculously simple to use. |\n| ------------ | -------------------|\n⚠️ Testing accounts or credentials are not being provided at this time.\n⚠️ Product Assets:\n* Web App: https://8x8.vc/\n\n\n| **Jitsi as a Service** | World's easiest way to add video meetings to your apps. 
\n| ------------ | -------------------|\n⚠️ Self Sign-up is available: https://jaas.8x8.vc/\n⚠️ [JaaS developer portal](https://developer.8x8.com/jaas/docs/jaas-onboarding) \n\n| **8x8 Connect** | A multi-channel communication platform designed for businesses who want to work smart, not hard. | \n| ------------ | -------------------|\n⚠️ Self Sign-up is available: https://connect.8x8.com/\n⚠️ [8x8 CPaaS developer portal](https://developer.8x8.com/connect) \n⚠️ Product Assets:\n* Web App:  https://connect.8x8.com/\n* 8x8 Communication APIs: sms.8x8.com, sms.8x8.uk, sms.8x8.id, chatapps.8x8.com, …\n\n----\n\u0026nbsp;  \n\n## \u0026nbsp;  If You See Something, Say Something\nWe welcome and encourage any submissions that help identify potential security vulnerabilities or exposures affecting our organization. Vulnerabilities disclosed under Responsible Disclosure assets will not be eligible for bounties.\n\n### \u0026nbsp; 8x8 IP Ranges \u0026 Domains\nhttps://support.8x8.com/cloud-phone-service/voice/network-setup-voice/x-series-technical-requirements#IP_Ranges\n \n### \u0026nbsp; 8x8 subsidiaries and acquisitions\n* Contactual\n* Fuze\n* Jitsi\n* SameRoom\n* Wavecell\n\n----\n\u0026nbsp;  \n\n## Response Targets\n8x8 will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 2 business days\n\n## Disclosure Policy \n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue. \n* Please do not discuss vulnerabilities outside of the program without proper coordination and express consent from 8x8.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder. 
Please notify us immediately if you encounter exposure of information.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n## Scope Exclusions \nWhile researching, we'd like to ask you to refrain from: \n* **Any form of automation**\n* Any activity that could lead to the disruption of our service (DoS)\n* Spamming \n* Social engineering (including phishing) of 8x8 staff or contractors\n* Any physical attempts against 8x8 property or data centers\n* Missing security headers (e.g. HSTS, CSP, SPF, DMARC)\n* Missing flags on cookies\n* SSL issues (expired certs/weak ciphers/key-size/BEAST/CRIME)\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no security impact\n* Clickjacking\n* Rate limiting or brute force issues\n* General low severity issues reported by automated scanners\n* Attacks requiring MITM or physical access to a user's device\n* Vulnerable libraries or dependencies absent a working **Proof of Concept**\n* Comma Separated Values (CSV) injection\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Tab-nabbing \n* Self XSS without further security impact\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Credential Stuffing: It is the responsibility of our users to ensure the uniqueness and security of their credentials. We strongly advise our users not to reuse passwords from other platforms or services and to utilize multi-factor authentication whenever possible. Any submissions related to Credential Stuffing will be deemed out of scope and will not be rewarded.\n\n### Target Specific Scope Exclusion - connect.8x8.com\n1. 
IDORs having an unguessable/non-enumerable identifier are out of scope\n    - IDORs in the form of a UUID\n    - IDORs based on `AccountId` and `subAccountId`\n2. When testing support functionality please add \"HackerOne\" in your subject line and limit the number of requests to an absolute minimum.\n\n## Testing Identification\n* Please utilize your [username]@wearehackerone.com alias when submitting information within the applications.\n* To help us identify and classify researcher traffic, 8x8 requests you to include your HackerOne username value in each and every HTTP request made by yourself or any tooling you use. Please use the following format appended to `User-Agent`:\n`X-HackerOne: [H1 username]`\n\n## Safe Harbor \nThe [Gold Standard Safe Harbor](https://hackerone.com/8x8-bounty/safe_harbor) applies.\n\n## What other researchers are saying …\n* \u003e *Lightning fast as always, wish all programs were like this!*\n* \u003e *8x8 is the best bug bounty program on HackerOne by far.*\n* \u003e *Best Program Team!*\n* \u003e *Thank you for being one of the fastest response triager as well as super transparent, someone that works with hackers just like a collaboration.*\n* \u003e *That was the fastest triage ever I think.*\n* \u003e *This is the fastest program to date. Not only is the response time insane, but also the way your security team works with researchers is awesome. Totally love the fact that you guys are putting security as your top priority.*\n* \u003e *The fastest response I've seen in HackerOne history, also on the weekend*\n* \u003e *That must have been the fastest fix I've ever seen! 
\u003c24h from report to remediation, love to see it.*\n\n\n**Thank you for helping keep 8x8 and our users safe!**\n","has_open_scope":false,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Credential Stuffing\",\"details\":\"Users must ensure the uniqueness and security of their credentials. We strongly advise our users not to reuse passwords from other platforms or services, and use multi-factor authentication when possible. Submissions related to Credential Stuffing are out of scope and will not be rewarded.\"}","{\"category\":\"IDORs with Unpredictable IDs\",\"details\":\"IDORs having unguessable/non-enumerable identifier are out of scope.\"}","{\"category\":\"0-day vulnerabilities\",\"details\":\"Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\"}"],"timestamp":"2024-09-16T00:32:45.627Z"},{"id":3737785,"new_policy":"At 8x8, we help companies get their employees, customers and applications talking to make people more connected and productive no matter where they are in the world. At 8x8 we value security and recognize the importance of ensuring the integrity and confidentiality of global communications.\n\n## \u0026nbsp;  8x8 Product Scope\n\n| **8x8 Work** | All your essential business communications brought together in one simple app. 
| \n| ------------ | -------------------|\n⚠️ Testing accounts or credentials are not being provided at this time.\n⚠️ Product Assets:\n* Web App: https://work.8x8.com/\n* 8x8 Work for Desktop: https://support-portal.8x8.com/helpcenter/viewArticle.html?d=8bff4970-6fbf-4daf-842d-8ae9b533153d\n* iOS App: https://apps.apple.com/us/app/8x8-work/id348177448\n* Android App: https://play.google.com/store/apps/details?id=org.vom8x8.sipua\n\n\n| **8x8 Virtual Contact Center** | A complete, secure cloud contact center solution that makes it easy to collaborate with agents and improve customer experiences. | \n| ------------ | -------------------|\n⚠️ Testing accounts or credentials are not being provided at this time. \n⚠️ We will accept one unique report for the application across all related domains as assumed single fix unless proven otherwise.\n⚠️ Latest version of software usually available on https://vcc-na30.8x8.com/\n⚠️ Product Assets:\n* Configuration Manager: vcc-*.8x8.com/CM/\n* 8x8 Agent Workspace: vcc-*.8x8.com/AGUI/\n* 8x8 Quality Management: vcc-*.8x8.com/QM/\n* 8x8 Supervisor Workspace: https://superx.8x8.com/\n* 8x8 Analytics for Contact Center: analytics-*.8x8.com\n\n⚠️  Additional Testing Information regarding \"Contact Center Agent Workspace\":\n* For the application to work properly behind a Proxy (e.g. BURP), an exception has to be added for `jabbind3.php`\n  * Proxy settings\n  * Search \"streaming\"\n  * Add `https://vcc-na1.8x8.com/agui/jabbind3.php` (e.g.) as \"Streaming responses\"\n  * {F3427433}\n\n| **Jitsi** | Jitsi is a world class open source video meeting solution. We strive to make a flexible and secure video meetings platform with the option of **end-to-end encryption (beta)**. | \n| ------------ | -------------------|\n⚠️ Have a feature request or bug not related to security? 
Let us know or contribute yourself: https://github.com/jitsi/\n⚠️ Product Assets:\n* Infrastructure: *.jitsi.net\n* Infrastructure: *.jit.si\n* Source Code: https://github.com/jitsi\n\n| **8x8 Video Conferencing** | The best video conferencing solution for businesses of any size. Fully secure, reliable, packed with features and ridiculously simple to use. |\n| ------------ | -------------------|\n⚠️ Testing accounts or credentials are not being provided at this time.\n⚠️ Product Assets:\n* Web App: https://8x8.vc/\n\n\n| **Jitsi as a Service** | World's easiest way to add video meetings to your apps. \n| ------------ | -------------------|\n⚠️ Self Sign-up is available: https://jaas.8x8.vc/\n⚠️ [JaaS developer portal](https://developer.8x8.com/jaas/docs/jaas-onboarding) \n\n| **8x8 Connect** | A multi-channel communication platform designed for businesses who want to work smart, not hard. | \n| ------------ | -------------------|\n⚠️ Self Sign-up is available: https://connect.8x8.com/\n⚠️ [8x8 CPaaS developer portal](https://developer.8x8.com/connect) \n⚠️ Product Assets:\n* Web App:  https://connect.8x8.com/\n* 8x8 Communication APIs: sms.8x8.com, sms.8x8.uk, sms.8x8.id, chatapps.8x8.com, …\n\n----\n\u0026nbsp;  \n\n## \u0026nbsp;  If You See Something, Say Something\nWe welcome and encourage any submissions that help identify potential security vulnerabilities or exposures affecting our organization. 
Vulnerabilities disclosed under Responsible Disclosure assets will not be eligible for bounties.\n\n### \u0026nbsp; 8x8 IP Ranges \u0026 Domains\nhttps://support.8x8.com/cloud-phone-service/voice/network-setup-voice/x-series-technical-requirements#IP_Ranges\n \n### \u0026nbsp; 8x8 subsidiaries and acquisitions\n* Contactual\n* Fuze\n* Jitsi\n* SameRoom\n* Wavecell\n\n----\n\u0026nbsp;  \n\n## Response Targets\n8x8 will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 2 business days\n\n## Disclosure Policy \n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue. \n* Please do not discuss vulnerabilities outside of the program without proper coordination and express consent from 8x8.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder. Please notify us immediately if you encounter exposure of information.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n## Scope Exclusions \nWhile researching, we'd like to ask you to refrain from: \n* **Any form of automation**\n* Any activity that could lead to the disruption of our service (DoS)\n* Spamming \n* Social engineering (including phishing) of 8x8 staff or contractors\n* Any physical attempts against 8x8 property or data centers\n* Missing security headers (e.g. 
HSTS, CSP, SPF, DMARC)\n* Missing flags on cookies\n* SSL issues (expired certs/weak ciphers/key-size/BEAST/CRIME)\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no security impact\n* Clickjacking\n* Rate limiting or brute force issues\n* General low severity issues reported by automated scanners\n* Attacks requiring MITM or physical access to a user's device\n* Vulnerable libraries or dependencies absent a working **Proof of Concept**\n* Comma Separated Values (CSV) injection\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Tab-nabbing \n* Self XSS without further security impact\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Credential Stuffing: It is the responsibility of our users to ensure the uniqueness and security of their credentials. We strongly advise our users not to reuse passwords from other platforms or services and to utilize multi-factor authentication whenever possible. Any submissions related to Credential Stuffing will be deemed out of scope and will not be rewarded.\n\n### Target Specific Scope Exclusion - connect.8x8.com\n1. IDORs having an unguessable/non-enumerable identifier are out of scope\n    - IDORs in the form of a UUID\n    - IDORs based on `AccountId` and `subAccountId`\n2. 
When testing support functionality please add \"HackerOne\" in your subject line and limit the number of requests to an absolute minimum.\n\n## Testing Identification\n* Please utilize your [username]@wearehackerone.com alias when submitting information within the applications.\n* To help us identify and classify researcher traffic, 8x8 requests you to include your HackerOne username value to each and every HTTP request made by yourself or any tooling you use. Please use the following format appended to `User-Agent`:\n`X-HackerOne: [H1 username]`\n\n\n## Safe Harbor \nThe [Gold Standard Safe Harbor](https://hackerone.com/8x8-bounty/safe_harbor) applies.\n\nThank you for helping keep 8x8 and our users safe!\n","has_open_scope":false,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Credential Stuffing\",\"details\":\"Users must ensure the uniqueness and security of their credentials. We strongly advise our users not to reuse passwords from other platforms or services, and use multi-factor authentication when possible. Submissions related to Credential Stuffing are out of scope and will not be rewarded.\"}","{\"category\":\"IDORs with Unpredictable IDs\",\"details\":\"IDORs having unguessable/non-enumerable identifier are out of scope.\"}","{\"category\":\"0-day vulnerabilities\",\"details\":\"Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\"}"],"timestamp":"2024-09-04T08:31:43.344Z"},{"id":3737665,"new_policy":"At 8x8, we help companies get their employees, customers and applications talking to make people more connected and productive no matter where they are in the world. 
At 8x8 we value security and recognize the importance of ensuring the integrity and confidentiality of global communications.\n\n## \u0026nbsp;  8x8 Product Scope\n\n| **8x8 Work** | All your essential business communications brought together in one simple app. | \n| ------------ | -------------------|\n⚠️ Testing accounts or credentials are not being provided at this time.\n⚠️ Product Assets:\n* Web App: https://work.8x8.com/\n* iOS App: https://apps.apple.com/us/app/8x8-work/id348177448\n* Android App: https://play.google.com/store/apps/details?id=org.vom8x8.sipua\n\n\n| **8x8 Virtual Contact Center** | A complete, secure cloud contact center solution that makes it easy to collaborate with agents and improve customer experiences. | \n| ------------ | -------------------|\n⚠️ Testing accounts or credentials are not being provided at this time. \n⚠️ We will accept one unique report for the application across all related domains as assumed single fix unless proven otherwise.\n⚠️ Latest version of software usually available on https://vcc-na30.8x8.com/\n⚠️ Product Assets:\n* Configuration Manager: vcc-*.8x8.com/CM/\n* 8x8 Agent Workspace: vcc-*.8x8.com/AGUI/\n* 8x8 Quality Management: vcc-*.8x8.com/QM/\n* 8x8 Supervisor Workspace: https://superx.8x8.com/\n* 8x8 Analytics for Contact Center: analytics-*.8x8.com\n\n⚠️  Additional Testing Information regarding \"Contact Center Agent Workspace\":\n* For the application to work properly behind a Proxy (e.g. BURP), an exception has to be added for `jabbind3.php`\n  * Proxy settings\n  * Search \"streaming\"\n  * Add `https://vcc-na1.8x8.com/agui/jabbind3.php` (e.g.) as \"Streaming responses\"\n  * {F3427433}\n\n| **Jitsi** | Jitsi is a world class open source video meeting solution. We strive to make a flexible and secure video meetings platform with the option of **end-to-end encryption (beta)**. | \n| ------------ | -------------------|\n⚠️ Have a feature request or bug not related to security? 
Let us know or contribute yourself: https://github.com/jitsi/\n⚠️ Product Assets:\n* Infrastructure: *.jitsi.net\n* Infrastructure: *.jit.si\n* Source Code: https://github.com/jitsi\n\n| **8x8 Video Conferencing** | The best video conferencing solution for businesses of any size. Fully secure, reliable, packed with features and ridiculously simple to use. |\n| ------------ | -------------------|\n⚠️ Testing accounts or credentials are not being provided at this time.\n⚠️ Product Assets:\n* Web App: https://8x8.vc/\n\n\n| **Jitsi as a Service** | World's easiest way to add video meetings to your apps. \n| ------------ | -------------------|\n⚠️ Self Sign-up is available: https://jaas.8x8.vc/\n⚠️ [JaaS developer portal](https://developer.8x8.com/jaas/docs/jaas-onboarding) \n\n| **8x8 Connect** | A multi-channel communication platform designed for businesses who want to work smart, not hard. | \n| ------------ | -------------------|\n⚠️ Self Sign-up is available: https://connect.8x8.com/\n⚠️ [8x8 CPaaS developer portal](https://developer.8x8.com/connect) \n⚠️ Product Assets:\n* Web App:  https://connect.8x8.com/\n* 8x8 Communication APIs: sms.8x8.com, sms.8x8.uk, sms.8x8.id, chatapps.8x8.com, …\n\n----\n\u0026nbsp;  \n\n## \u0026nbsp;  If You See Something, Say Something\nWe welcome and encourage any submissions that help identify potential security vulnerabilities or exposures affecting our organization. 
Vulnerabilities disclosed under Responsible Disclosure assets will not be eligible for bounties.\n\n### \u0026nbsp; 8x8 IP Ranges \u0026 Domains\nhttps://support.8x8.com/cloud-phone-service/voice/network-setup-voice/x-series-technical-requirements#IP_Ranges\n \n### \u0026nbsp; 8x8 subsidiaries and acquisitions\n* Contactual\n* Fuze\n* Jitsi\n* SameRoom\n* Wavecell\n\n----\n\u0026nbsp;  \n\n## Response Targets\n8x8 will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 2 business days\n\n## Disclosure Policy \n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue. \n* Please do not discuss vulnerabilities outside of the program without proper coordination and express consent from 8x8.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder. Please notify us immediately if you encounter exposure of information.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n## Scope Exclusions \nWhile researching, we'd like to ask you to refrain from: \n* **Any form of automation**\n* Any activity that could lead to the disruption of our service (DoS)\n* Spamming \n* Social engineering (including phishing) of 8x8 staff or contractors\n* Any physical attempts against 8x8 property or data centers\n* Missing security headers (e.g. 
HSTS, CSP, SPF, DMARC)\n* Missing flags on cookies\n* SSL issues (expired certs/weak ciphers/key-size/BEAST/CRIME)\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no security impact\n* Clickjacking\n* Rate limiting or brute force issues\n* General low severity issues reported by automated scanners\n* Attacks requiring MITM or physical access to a user's device\n* Vulnerable libraries or dependencies absent a working **Proof of Concept**\n* Comma Separated Values (CSV) injection\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Tab-nabbing \n* Self XSS without further security impact\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Credential Stuffing: It is the responsibility of our users to ensure the uniqueness and security of their credentials. We strongly advise our users not to reuse passwords from other platforms or services and to utilize multi-factor authentication whenever possible. Any submissions related to Credential Stuffing will be deemed out of scope and will not be rewarded.\n\n### Target Specific Scope Exclusion - connect.8x8.com\n1. IDORs having an unguessable/non-enumerable identifier are out of scope\n    - IDORs in the form of a UUID\n    - IDORs based on `AccountId` and `subAccountId`\n2. 
When testing support functionality please add \"HackerOne\" in your subject line and limit the number of requests to an absolute minimum.\n\n## Testing Identification\n* Please utilize your [username]@wearehackerone.com alias when submitting information within the applications.\n* To help us identify and classify researcher traffic, 8x8 requests you to include your HackerOne username value to each and every HTTP request made by yourself or any tooling you use. Please use the following format appended to `User-Agent`:\n`X-HackerOne: [H1 username]`\n\n\n## Safe Harbor \nThe [Gold Standard Safe Harbor](https://hackerone.com/8x8-bounty/safe_harbor) applies.\n\nThank you for helping keep 8x8 and our users safe!\n","has_open_scope":false,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Credential Stuffing\",\"details\":\"Users must ensure the uniqueness and security of their credentials. We strongly advise our users not to reuse passwords from other platforms or services, and use multi-factor authentication when possible. Submissions related to Credential Stuffing are out of scope and will not be rewarded.\"}","{\"category\":\"IDORs with Unpredictable IDs\",\"details\":\"IDORs having unguessable/non-enumerable identifier are out of scope.\"}","{\"category\":\"0-day vulnerabilities\",\"details\":\"Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\"}"],"timestamp":"2024-09-03T03:43:42.801Z"},{"id":3737664,"new_policy":"At 8x8, we help companies get their employees, customers and applications talking to make people more connected and productive no matter where they are in the world. 
At 8x8 we value security and recognize the importance of ensuring the integrity and confidentiality of global communications.\n\n## \u0026nbsp;  8x8 Product Scope\n\n| **8x8 Work** | All your essential business communications brought together in one simple app. | \n| ------------ | -------------------|\n⚠️ Testing accounts or credentials are not being provided at this time.\n⚠️ Product Assets:\n* Web App: https://work.8x8.com/\n* iOS App: https://apps.apple.com/us/app/8x8-work/id348177448\n* Android App: https://play.google.com/store/apps/details?id=org.vom8x8.sipua\n\n\n| **8x8 Virtual Contact Center** | A complete, secure cloud contact center solution that makes it easy to collaborate with agents and improve customer experiences. | \n| ------------ | -------------------|\n⚠️ Testing accounts or credentials are not being provided at this time. \n⚠️ We will accept one unique report for the application across all related domains as assumed single fix unless proven otherwise.\n⚠️ Latest version of software usually available on https://vcc-na30.8x8.com/\n⚠️ Product Assets:\n* Configuration Manager: vcc-*.8x8.com/CM/\n* 8x8 Agent Workspace: vcc-*.8x8.com/AGUI/\n* 8x8 Supervisor Workspace: https://superx.8x8.com/\n* 8x8 Analytics for Contact Center: analytics-*.8x8.com\n* 8x8 Quality Management: vcc-*.8x8.com/QM/\n\n⚠️  Additional Testing Information regarding \"Contact Center Agent Workspace\":\n* For the application to work properly behind a Proxy (e.g. BURP), an exception has to be added for `jabbind3.php`\n  * Proxy settings\n  * Search \"streaming\"\n  * Add `https://vcc-na1.8x8.com/agui/jabbind3.php` (e.g.) as \"Streaming responses\"\n  * {F3427433}\n\n| **Jitsi** | Jitsi is a world class open source video meeting solution. We strive to make a flexible and secure video meetings platform with the option of **end-to-end encryption (beta)**. | \n| ------------ | -------------------|\n⚠️ Have a feature request or bug not related to security? 
Let us know or contribute yourself: https://github.com/jitsi/\n⚠️ Product Assets:\n* Infrastructure: *.jitsi.net\n* Infrastructure: *.jit.si\n* Source Code: https://github.com/jitsi\n\n| **8x8 Video Conferencing** | The best video conferencing solution for businesses of any size. Fully secure, reliable, packed with features and ridiculously simple to use. |\n| ------------ | -------------------|\n⚠️ Testing accounts or credentials are not being provided at this time.\n⚠️ Product Assets:\n* Web App: https://8x8.vc/\n\n\n| **Jitsi as a Service** | World's easiest way to add video meetings to your apps. \n| ------------ | -------------------|\n⚠️ Self Sign-up is available: https://jaas.8x8.vc/\n⚠️ [JaaS developer portal](https://developer.8x8.com/jaas/docs/jaas-onboarding) \n\n| **8x8 Connect** | A multi-channel communication platform designed for businesses who want to work smart, not hard. | \n| ------------ | -------------------|\n⚠️ Self Sign-up is available: https://connect.8x8.com/\n⚠️ [8x8 CPaaS developer portal](https://developer.8x8.com/connect) \n⚠️ Product Assets:\n* Web App:  https://connect.8x8.com/\n* 8x8 Communication APIs: sms.8x8.com, sms.8x8.uk, sms.8x8.id, chatapps.8x8.com, …\n\n----\n\u0026nbsp;  \n\n## \u0026nbsp;  If You See Something, Say Something\nWe welcome and encourage any submissions that help identify potential security vulnerabilities or exposures affecting our organization. 
Vulnerabilities disclosed under Responsible Disclosure assets will not be eligible for bounties.\n\n### \u0026nbsp; 8x8 IP Ranges \u0026 Domains\nhttps://support.8x8.com/cloud-phone-service/voice/network-setup-voice/x-series-technical-requirements#IP_Ranges\n \n### \u0026nbsp; 8x8 subsidiaries and acquisitions\n* Contactual\n* Fuze\n* Jitsi\n* SameRoom\n* Wavecell\n\n----\n\u0026nbsp;  \n\n## Response Targets\n8x8 will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 2 business days\n\n## Disclosure Policy \n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue. \n* Please do not discuss vulnerabilities outside of the program without proper coordination and express consent from 8x8.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder. Please notify us immediately if you encounter exposure of information.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n## Scope Exclusions \nWhile researching, we'd like to ask you to refrain from: \n* **Any form of automation**\n* Any activity that could lead to the disruption of our service (DoS)\n* Spamming \n* Social engineering (including phishing) of 8x8 staff or contractors\n* Any physical attempts against 8x8 property or data centers\n* Missing security headers (e.g. 
HSTS, CSP, SPF, DMARC)\n* Missing flags on cookies\n* SSL issues (expired certs/weak ciphers/key-size/BEAST/CRIME)\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no security impact\n* Clickjacking\n* Rate limiting or brute force issues\n* General low severity issues reported by automated scanners\n* Attacks requiring MITM or physical access to a user's device\n* Vulnerable libraries or dependencies absent a working **Proof of Concept**\n* Comma Separated Values (CSV) injection\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Tab-nabbing \n* Self XSS without further security impact\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Credential Stuffing:  It is the responsibility of our users to ensure the uniqueness and security of their credentials. We strongly advise our users not to reuse passwords from other platforms or services and to utilize multi-factor authentication whenever possible. Any submissions related to Credential Stuffing will be deemed out of scope and will not be rewarded.\n\n### Target Specific Scope Exclusion - connect.8x8.com\n1. IDORs having an unguessable/non-enumerable identifier are out of scope\n    - IDORs in the form of a UUID\n    - IDORs based on `AccountId` and `subAccountId`\n2. 
When testing support functionality please add \"HackerOne\" in your subject line and limit the number of requests to an absolute minimum.\n\n## Testing Identification\n* Please utilize your [username]@wearehackerone.com alias when submitting information within the applications.\n* To help us identify and classify researcher traffic, 8x8 requests you to include your HackerOne username value to each and every HTTP request made by yourself or any tooling you use. Please use the following format appended to `User-Agent`:\n`X-HackerOne: [H1 username]`\n\n\n## Safe Harbor \nThe [Gold Standard Safe Harbor](https://hackerone.com/8x8-bounty/safe_harbor) applies.\n\nThank you for helping keep 8x8 and our users safe!\n","has_open_scope":false,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Credential Stuffing\",\"details\":\"Users must ensure the uniqueness and security of their credentials. We strongly advise our users not to reuse passwords from other platforms or services, and use multi-factor authentication when possible. Submissions related to Credential Stuffing are out of scope and will not be rewarded.\"}","{\"category\":\"IDORs with Unpredictable IDs\",\"details\":\"IDORs having unguessable/non-enumerable identifier are out of scope.\"}","{\"category\":\"0-day vulnerabilities\",\"details\":\"Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\"}"],"timestamp":"2024-09-03T03:42:05.706Z"},{"id":3737663,"new_policy":"At 8x8, we help companies get their employees, customers and applications talking to make people more connected and productive no matter where they are in the world. 
At 8x8 we value security and recognize the importance of ensuring the integrity and confidentiality of global communications.\n\n## \u0026nbsp;  8x8 Product Scope\n\n| **8x8 Work** | All your essential business communications brought together in one simple app. | \n| ------------ | -------------------|\n⚠️ Testing accounts or credentials are not being provided at this time.\n⚠️ Product Assets:\n* work.8x8.com\n* iOS App: https://apps.apple.com/us/app/8x8-work/id348177448\n* Android App: https://play.google.com/store/apps/details?id=org.vom8x8.sipua\n\n\n| **8x8 Virtual Contact Center** | A complete, secure cloud contact center solution that makes it easy to collaborate with agents and improve customer experiences. | \n| ------------ | -------------------|\n⚠️ Testing accounts or credentials are not being provided at this time. \n⚠️ We will accept one unique report for the application across all related domains as assumed single fix unless proven otherwise.\n\n⚠️  Additional Testing Information regarding \"Contact Center Agent Workspace\":\n* For the application to work properly behind a Proxy (e.g. BURP), an exception has to be added for `jabbind3.php`\n  * Proxy settings\n  * Search \"streaming\"\n  * Add `https://vcc-na1.8x8.com/agui/jabbind3.php` (e.g.) as \"Streaming responses\"\n  * {F3427433}\n\n| **Jitsi** | Jitsi is a world class open source video meeting solution. We strive to make a flexible and secure video meetings platform with the option of **end-to-end encryption (beta)**. | \n| ------------ | -------------------|\n⚠️ Have a feature request or bug not related to security? Let us know or contribute yourself: https://github.com/jitsi/\n\n\n| **8x8 Video Conferencing** | The best video conferencing solution for businesses of any size. Fully secure, reliable, packed with features and ridiculously simple to use. 
|\n| ------------ | -------------------|\n⚠️ Testing accounts or credentials are not being provided at this time: https://8x8.vc/\n\n\n| **Jitsi as a Service** | World's easiest way to add video meetings to your apps. |\n| ------------ | -------------------|\n⚠️ Self Sign-up is available: https://jaas.8x8.vc/\n⚠️ [JaaS developer portal](https://developer.8x8.com/jaas/docs/jaas-onboarding) \n\n| **8x8 Connect** | A multi-channel communication platform designed for businesses who want to work smart, not hard. | \n| ------------ | -------------------|\n⚠️ Self Sign-up is available: https://connect.8x8.com/\n⚠️ [8x8 CPaaS developer portal](https://developer.8x8.com/connect) \n\n\n----\n\u0026nbsp;  \n\n## \u0026nbsp;  If You See Something, Say Something\nWe welcome and encourage any submissions that help identify potential security vulnerabilities or exposures affecting our organization. Vulnerabilities disclosed under Responsible Disclosure assets will not be eligible for bounties.\n\n### \u0026nbsp; 8x8 IP Ranges \u0026 Domains\nhttps://support.8x8.com/cloud-phone-service/voice/network-setup-voice/x-series-technical-requirements#IP_Ranges\n \n### \u0026nbsp; 8x8 subsidiaries and acquisitions\n* Contactual\n* Fuze\n* Jitsi\n* SameRoom\n* Wavecell\n\n----\n\u0026nbsp;  \n\n## Response Targets\n8x8 will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 2 business days\n\n## Disclosure Policy \n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue. 
\n* Please do not discuss vulnerabilities outside of the program without proper coordination and express consent from 8x8.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder. Please notify us immediately if you encounter exposure of information.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n## Scope Exclusions \nWhile researching, we'd like to ask you to refrain from: \n* **Any form of automation**\n* Any activity that could lead to the disruption of our service (DoS)\n* Spamming \n* Social engineering (including phishing) of 8x8 staff or contractors\n* Any physical attempts against 8x8 property or data centers\n* Missing security headers (e.g. HSTS, CSP, SPF, DMARC)\n* Missing flags on cookies\n* SSL issues (expired certs/weak ciphers/key-size/BEAST/CRIME)\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no security impact\n* Clickjacking\n* Rate limiting or brute force issues\n* General low severity issues reported by automated scanners\n* Attacks requiring MITM or physical access to a user's device\n* Vulnerable libraries or dependencies absent a working **Proof of Concept**\n* Comma Separated Values (CSV) injection\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Tab-nabbing \n* Self XSS without further security impact\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Credential Stuffing:  It is the responsibility of our users to ensure the uniqueness and security of their credentials. 
We strongly advise our users not to reuse passwords from other platforms or services and to utilize multi-factor authentication whenever possible. Any submissions related to Credential Stuffing will be deemed out of scope and will not be rewarded.\n\n### Target Specific Scope Exclusion - connect.8x8.com\n1. IDORs having an unguessable/non-enumerable identifier are out of scope\n    - IDORs in the form of a UUID\n    - IDORs based on `AccountId` and `subAccountId`\n2. When testing support functionality please add \"HackerOne\" in your subject line and limit the number of requests to an absolute minimum.\n\n## Testing Identification\n* Please utilize your [username]@wearehackerone.com alias when submitting information within the applications.\n* To help us identify and classify researcher traffic, 8x8 requests you to include your HackerOne username value to each and every HTTP request made by yourself or any tooling you use. Please use the following format appended to `User-Agent`:\n`X-HackerOne: [H1 username]`\n\n\n## Safe Harbor \nThe [Gold Standard Safe Harbor](https://hackerone.com/8x8-bounty/safe_harbor) applies.\n\nThank you for helping keep 8x8 and our users safe!\n","has_open_scope":false,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Credential Stuffing\",\"details\":\"Users must ensure the uniqueness and security of their credentials. We strongly advise our users not to reuse passwords from other platforms or services, and use multi-factor authentication when possible. 
Submissions related to Credential Stuffing are out of scope and will not be rewarded.\"}","{\"category\":\"IDORs with Unpredictable IDs\",\"details\":\"IDORs having unguessable/non-enumerable identifier are out of scope.\"}","{\"category\":\"0-day vulnerabilities\",\"details\":\"Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\"}"],"timestamp":"2024-09-03T02:57:07.812Z"},{"id":3737662,"new_policy":"At 8x8, we help companies get their employees, customers and applications talking to make people more connected and productive no matter where they are in the world. At 8x8 we value security and recognize the importance of ensuring the integrity and confidentiality of global communications.\n\n## \u0026nbsp;  8x8 Product Scope\n\n| **8x8 Work** | All your essential business communications brought together in one simple app. | \n| ------------ | -------------------|\n⚠️ Testing accounts or credentials are not being provided at this time.\n\n\n\n| **8x8 Virtual Contact Center** | A complete, secure cloud contact center solution that makes it easy to collaborate with agents and improve customer experiences. | \n| ------------ | -------------------|\n⚠️ Testing accounts or credentials are not being provided at this time. \n⚠️ We will accept one unique report for the application across all related domains as assumed single fix unless proven otherwise.\n\n⚠️  Additional Testing Information regarding \"Contact Center Agent Workspace\":\n* For the application to work properly behind a Proxy (e.g. BURP), an exception has to be added for `jabbind3.php`\n  * Proxy settings\n  * Search \"streaming\"\n  * Add `https://vcc-na1.8x8.com/agui/jabbind3.php` (e.g.) as \"Streaming responses\"\n  * {F3427433}\n\n| **Jitsi** | Jitsi is a world class open source video meeting solution. We strive to make a flexible and secure video meetings platform with the option of **end-to-end encryption (beta)**. 
| \n| ------------ | -------------------|\n⚠️ Have a feature request or bug not related to security? Let us know or contribute yourself: https://github.com/jitsi/\n\n\n| **8x8 Video Conferencing** | The best video conferencing solution for businesses of any size. Fully secure, reliable, packed with features and ridiculously simple to use. |\n| ------------ | -------------------|\n⚠️ Testing accounts or credentials are not being provided at this time: https://8x8.vc/\n\n\n| **Jitsi as a Service** | World's easiest way to add video meetings to your apps. |\n| ------------ | -------------------|\n⚠️ Self Sign-up is available: https://jaas.8x8.vc/\n⚠️ [JaaS developer portal](https://developer.8x8.com/jaas/docs/jaas-onboarding) \n\n| **8x8 Connect** | A multi-channel communication platform designed for businesses who want to work smart, not hard. | \n| ------------ | -------------------|\n⚠️ Self Sign-up is available: https://connect.8x8.com/\n⚠️ [8x8 CPaaS developer portal](https://developer.8x8.com/connect) \n\n\n----\n\u0026nbsp;  \n\n## \u0026nbsp;  If You See Something, Say Something\nWe welcome and encourage any submissions that help identify potential security vulnerabilities or exposures affecting our organization. 
Vulnerabilities disclosed under Responsible Disclosure assets will not be eligible for bounties.\n\n### \u0026nbsp; 8x8 IP Ranges \u0026 Domains\nhttps://support.8x8.com/cloud-phone-service/voice/network-setup-voice/x-series-technical-requirements#IP_Ranges\n \n### \u0026nbsp; 8x8 subsidiaries and acquisitions\n* Contactual\n* Fuze\n* Jitsi\n* SameRoom\n* Wavecell\n\n----\n\u0026nbsp;  \n\n## Response Targets\n8x8 will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 2 business days\n\n## Disclosure Policy \n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue. \n* Please do not discuss vulnerabilities outside of the program without proper coordination and express consent from 8x8.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder. Please notify us immediately if you encounter exposure of information.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n## Scope Exclusions \nWhile researching, we'd like to ask you to refrain from: \n* **Any form of automation**\n* Any activity that could lead to the disruption of our service (DoS)\n* Spamming \n* Social engineering (including phishing) of 8x8 staff or contractors\n* Any physical attempts against 8x8 property or data centers\n* Missing security headers (e.g. 
HSTS, CSP, SPF, DMARC)\n* Missing flags on cookies\n* SSL issues (expired certs/weak ciphers/key-size/BEAST/CRIME)\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no security impact\n* Clickjacking\n* Rate limiting or brute force issues\n* General low severity issues reported by automated scanners\n* Attacks requiring MITM or physical access to a user's device\n* Vulnerable libraries or dependencies absent a working **Proof of Concept**\n* Comma Separated Values (CSV) injection\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Tab-nabbing \n* Self XSS without further security impact\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Credential Stuffing:  It is the responsibility of our users to ensure the uniqueness and security of their credentials. We strongly advise our users not to reuse passwords from other platforms or services and to utilize multi-factor authentication whenever possible. Any submissions related to Credential Stuffing will be deemed out of scope and will not be rewarded.\n\n### Target Specific Scope Exclusion - connect.8x8.com\n1. IDORs having an unguessable/non-enumerable identifier are out of scope\n    - IDORs in the form of a UUID\n    - IDORs based on `AccountId` and `subAccountId`\n2. 
When testing support functionality please add \"HackerOne\" in your subject line and limit the number of requests to an absolute minimum.\n\n## Testing Identification\n* Please utilize your [username]@wearehackerone.com alias when submitting information within the applications.\n* To help us identify and classify researcher traffic, 8x8 requests you to include your HackerOne username value to each and every HTTP request made by yourself or any tooling you use. Please use the following format appended to `User-Agent`:\n`X-HackerOne: [H1 username]`\n\n\n## Safe Harbor \nThe [Gold Standard Safe Harbor](https://hackerone.com/8x8-bounty/safe_harbor) applies.\n\nThank you for helping keep 8x8 and our users safe!\n","has_open_scope":false,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Credential Stuffing\",\"details\":\"Users must ensure the uniqueness and security of their credentials. We strongly advise our users not to reuse passwords from other platforms or services, and use multi-factor authentication when possible. Submissions related to Credential Stuffing are out of scope and will not be rewarded.\"}","{\"category\":\"IDORs with Unpredictable IDs\",\"details\":\"IDORs having unguessable/non-enumerable identifier are out of scope.\"}","{\"category\":\"0-day vulnerabilities\",\"details\":\"Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\"}"],"timestamp":"2024-09-03T02:53:55.925Z"},{"id":3737647,"new_policy":"At 8x8, we help companies get their employees, customers and applications talking to make people more connected and productive no matter where they are in the world. 
At 8x8 we value security and recognize the importance of ensuring the integrity and confidentiality of global communications.\n\n## \u0026nbsp;  8x8 Product Scope\n\n| 8x8 Product | Product Description | Testing Notes |\n| ------------ | ------------------- | --------------- |\n| **8x8 Work** | All your essential business communications brought together in one simple app. | ⚠️ Testing accounts or credentials are not being provided at this time. |\n||||\n| **8x8 Virtual Contact Center** | A complete, secure cloud contact center solution that makes it easy to collaborate with agents and improve customer experiences. | ⚠️ Testing accounts or credentials are not being provided at this time. |\n||| ⚠️ We will accept one unique report for the application across all related domains as assumed single fix unless proven otherwise. |\n||||\n| **Jitsi** | Jitsi is a world class open source video meeting solution. We strive to make a flexible and secure video meetings platform with the option of **end-to-end encryption (beta)**. | ⚠️ Have a feature request or bug not related to security? Let us know or contribute yourself: https://github.com/jitsi/|\n||||\n| **8x8 Video Conferencing** | The best video conferencing solution for businesses of any size. Fully secure, reliable, packed with features and ridiculously simple to use. |⚠️ Testing accounts or credentials are not being provided at this time: https://8x8.vc/|\n||||\n| **Jitsi as a Service** | World's easiest way to add video meetings to your apps. | ⚠️ Self Sign-up is available: https://jaas.8x8.vc/|\n||| ⚠️ [JaaS developer portal](https://developer.8x8.com/jaas/docs/jaas-onboarding) |\n||||\n| **8x8 Connect** | A multi-channel communication platform designed for businesses who want to work smart, not hard. 
| ⚠️ Self Sign-up is available: https://connect.8x8.com/|\n|||⚠️ [8x8 CPaaS developer portal](https://developer.8x8.com/connect) |\n||||\n\n⚠️  Additional Testing Information regarding \"Contact Center Agent Workspace\":\n* For the application to work properly behind a Proxy (e.g. BURP), an exception has to be added for `jabbind3.php`\n  * Proxy settings\n  * Search \"streaming\"\n  * Add `https://vcc-na1.8x8.com/agui/jabbind3.php` (e.g.) as \"Streaming responses\"\n  * {F3427433}\n\n\n----\n\u0026nbsp;  \n\n## \u0026nbsp;  If You See Something, Say Something\nWe welcome and encourage any submissions that help identify potential security vulnerabilities or exposures affecting our organization. Vulnerabilities disclosed under Responsible Disclosure assets will not be eligible for bounties.\n\n### \u0026nbsp; 8x8 IP Ranges \u0026 Domains\nhttps://support.8x8.com/cloud-phone-service/voice/network-setup-voice/x-series-technical-requirements#IP_Ranges\n \n### \u0026nbsp; 8x8 subsidiaries and acquisitions\n* Contactual\n* Fuze\n* Jitsi\n* SameRoom\n* Wavecell\n\n----\n\u0026nbsp;  \n\n## Response Targets\n8x8 will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 2 business days\n\n## Disclosure Policy \n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue. \n* Please do not discuss vulnerabilities outside of the program without proper coordination and express consent from 8x8.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder. 
Please notify us immediately if you encounter exposure of information.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n## Scope Exclusions \nWhile researching, we'd like to ask you to refrain from: \n* **Any form of automation**\n* Any activity that could lead to the disruption of our service (DoS)\n* Spamming \n* Social engineering (including phishing) of 8x8 staff or contractors\n* Any physical attempts against 8x8 property or data centers\n* Missing security headers (e.g. HSTS, CSP, SPF, DMARC)\n* Missing flags on cookies\n* SSL issues (expired certs/weak ciphers/key-size/BEAST/CRIME)\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no security impact\n* Clickjacking\n* Rate limiting or brute force issues\n* General low severity issues reported by automated scanners\n* Attacks requiring MITM or physical access to a user's device\n* Vulnerable libraries or dependencies absent a working **Proof of Concept**\n* Comma Separated Values (CSV) injection\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Tab-nabbing \n* Self XSS without further security impact\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Credential Stuffing:  It is the responsibility of our users to ensure the uniqueness and security of their credentials. We strongly advise our users not to reuse passwords from other platforms or services and to utilize multi-factor authentication whenever possible. Any submissions related to Credential Stuffing will be deemed out of scope and will not be rewarded.\n\n### Target Specific Scope Exclusion - connect.8x8.com\n1. 
IDORs having an unguessable/non-enumerable identifier are out of scope\n    - IDORs in the form of a UUID\n    - IDORs based on `AccountId` and `subAccountId`\n2. When testing support functionality please add \"HackerOne\" in your subject line and limit the number of requests to an absolute minimum.\n\n## Testing Identification\n* Please utilize your [username]@wearehackerone.com alias when submitting information within the applications.\n* To help us identify and classify researcher traffic, 8x8 requests you to include your HackerOne username value to each and every HTTP request made by yourself or any tooling you use. Please use the following format appended to `User-Agent`:\n`X-HackerOne: [H1 username]`\n\n\n## Safe Harbor \nThe [Gold Standard Safe Harbor](https://hackerone.com/8x8-bounty/safe_harbor) applies.\n\nThank you for helping keep 8x8 and our users safe!\n","has_open_scope":false,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Credential Stuffing\",\"details\":\"Users must ensure the uniqueness and security of their credentials. We strongly advise our users not to reuse passwords from other platforms or services, and use multi-factor authentication when possible. 
Submissions related to Credential Stuffing are out of scope and will not be rewarded.\"}","{\"category\":\"IDORs with Unpredictable IDs\",\"details\":\"IDORs having unguessable/non-enumerable identifier are out of scope.\"}","{\"category\":\"0-day vulnerabilities\",\"details\":\"Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\"}"],"timestamp":"2024-09-02T23:25:12.908Z"},{"id":3737592,"new_policy":"At 8x8, we help companies get their employees, customers and applications talking to make people more connected and productive no matter where they are in the world. At 8x8 we value security and recognize the importance of ensuring the integrity and confidentiality of global communications.\n\n## \u0026nbsp;  8x8 Product Scope\n\n| 8x8 Product | Product Description | Testing Notes |\n| ------------ | ------------------- | --------------- |\n| **8x8 Work** | All your essential business communications brought together in one simple app. | ⚠️ Testing accounts or credentials are not being provided at this time.\n||||\n| **8x8 Virtual Contact Center** | A complete, secure cloud contact center solution that makes it easy to collaborate with agents and improve customer experiences. | ⚠️ Testing accounts or credentials are not being provided at this time. |\n||| ⚠️ We will accept one unique report for the application across all related domains as assumed single fix unless proven otherwise. |\n||||\n| **Jitsi** | Jitsi is a world class open source video meeting solution. We strive to make a flexible and secure video meetings platform with the option of **end-to-end encryption (beta)**. | ⚠️ Have a feature request or bug not related to security? Let us know or contribute yourself: https://github.com/jitsi/|\n||||\n| **8x8 Video Conferencing** | The best video conferencing solution for businesses of any size. Fully secure, reliable, packed with features and ridiculously simple to use. 
|⚠️ Testing accounts or credentials are not being provided at this time: https://8x8.vc/|\n||||\n| **Jitsi as a Service** | World's easiest way to add video meetings to your apps. | ⚠️ Self Sign-up is available: https://jaas.8x8.vc/|\n||| ⚠️ [JaaS developer portal](https://developer.8x8.com/jaas/docs/jaas-onboarding) |\n||||\n| **8x8 Connect** | A multi-channel communication platform designed for businesses who want to work smart, not hard. | ⚠️ Self Sign-up is available: https://connect.8x8.com/|\n|||⚠️ [8x8 CPaaS developer portal](https://developer.8x8.com/connect) |\n||||\n\n⚠️  Additional Testing Information regarding \"Contact Center Agent Workspace\":\n* For the application to work properly behind a Proxy (e.g. BURP), an exception has to be added for `jabbind3.php`\n  * Proxy settings\n  * Search \"streaming\"\n  * Add `https://vcc-na1.8x8.com/agui/jabbind3.php` (e.g.) as \"Streaming responses\"\n  * {F3427433}\n\n\n----\n\u0026nbsp;  \n\n## \u0026nbsp;  If You See Something, Say Something\nWe welcome and encourage any submissions that help identify potential security vulnerabilities or exposures affecting our organization. Vulnerabilities disclosed under Responsible Disclosure assets will not be eligible for bounties.\n\n### \u0026nbsp; 8x8 IP Ranges \u0026 Domains\nhttps://support.8x8.com/cloud-phone-service/voice/network-setup-voice/x-series-technical-requirements#IP_Ranges\n \n### \u0026nbsp; 8x8 subsidiaries and acquisitions\n* Contactual\n* Fuze\n* DXI Ltd (ContactNow)\n* Jitsi\n* SameRoom\n* Wavecell\n\n----\n\u0026nbsp;  \n\n## Response Targets\n8x8 will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 2 business days\n\n## Disclosure Policy \n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue. 
\n* Please do not discuss vulnerabilities outside of the program without proper coordination and express consent from 8x8.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder. Please notify us immediately if you encounter exposure of information.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n## Scope Exclusions \nWhile researching, we'd like to ask you to refrain from: \n* **Any form of automation**\n* Any activity that could lead to the disruption of our service (DoS)\n* Spamming \n* Social engineering (including phishing) of 8x8 staff or contractors\n* Any physical attempts against 8x8 property or data centers\n* Missing security headers (e.g. HSTS, CSP, SPF, DMARC)\n* Missing flags on cookies\n* SSL issues (expired certs/weak ciphers/key-size/BEAST/CRIME)\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no security impact\n* Clickjacking\n* Rate limiting or brute force issues\n* General low severity issues reported by automated scanners\n* Attacks requiring MITM or physical access to a user's device\n* Vulnerable libraries or dependencies absent a working **Proof of Concept**\n* Comma Separated Values (CSV) injection\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Tab-nabbing \n* Self XSS without further security impact\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Credential Stuffing:  It is the responsibility of our users to ensure the uniqueness and security of their credentials. 
We strongly advise our users not to reuse passwords from other platforms or services and to utilize multi-factor authentication whenever possible. Any submissions related to Credential Stuffing will be deemed out of scope and will not be rewarded.\n\n### Target Specific Scope Exclusion - connect.8x8.com\n1. IDORs having unguessable/non-enumerable identifier are out of scope\n    - IDORs in form of an UUID\n    - IDORs based on `AccountId` and `subAccountId`\n2. When testing support functionality please add \"HackerOne\" in your subject line and limit the number of requests to an absolute minimum.\n\n## Testing Identification\n* Please utilize your [username]@wearehackerone.com alias when submitting information within the applications.\n* To help us identify and classify researcher traffic, 8x8 requests you to include your HackerOne username value to each and every HTTP request made by yourself or any tooling you use. Please use the following format appended to `User-Agent`:\n`X-HackerOne: [H1 username]`\n\n\n## Safe Harbor \nThe [Gold Standard Safe Harbor](https://hackerone.com/8x8-bounty/safe_harbor) applies.\n\nThank you for helping keep 8x8 and our users safe!\n","has_open_scope":false,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Credential Stuffing\",\"details\":\"Users must ensure the uniqueness and security of their credentials. We strongly advise our users not to reuse passwords from other platforms or services, and use multi-factor authentication when possible. 
Submissions related to Credential Stuffing are out of scope and will not be rewarded.\"}","{\"category\":\"IDORs with Unpredictable IDs\",\"details\":\"IDORs having unguessable/non-enumerable identifier are out of scope.\"}","{\"category\":\"0-day vulnerabilities\",\"details\":\"Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\"}"],"timestamp":"2024-09-02T07:13:13.369Z"},{"id":3737591,"new_policy":"At 8x8, we help companies get their employees, customers and applications talking to make people more connected and productive no matter where they are in the world. At 8x8 we value security and recognize the importance of ensuring the integrity and confidentiality of global communications.\n\n## \u0026nbsp;  8x8 Product Scope\n\n| 8x8 Product | Product Description | Testing Notes |\n| ------------ | ------------------- | --------------- |\n| **8x8 Work** | All your essential business communications brought together in one simple app. | ⚠️ Testing accounts or credentials are not being provided at this time.\n||||\n| **8x8 Virtual Contact Center** | A complete, secure cloud contact center solution that makes it easy to collaborate with agents and improve customer experiences. | ⚠️ Testing accounts or credentials are not being provided at this time. |\n||| ⚠️ We will accept one unique report for the application across all related domains as assumed single fix unless proven otherwise. |\n||||\n| **Jitsi** | Jitsi is a world class open source video meeting solution. We strive to make a flexible and secure video meetings platform with the option of **end-to-end encryption (beta)**. | ⚠️ Have a feature request or bug not related to security? Let us know or contribute yourself: https://github.com/jitsi/|\n||||\n| **8x8 Video Conferencing** | The best video conferencing solution for businesses of any size. Fully secure, reliable, packed with features and ridiculously simple to use. 
|⚠️ Testing accounts or credentials are not being provided at this time: https://8x8.vc/|\n||||\n| **Jitsi as a Service** | World's easiest way to add video meetings to your apps. | ⚠️ Self Sign-up is available: https://jaas.8x8.vc/|\n||| ⚠️ [JaaS developer portal](https://developer.8x8.com/jaas/docs/jaas-onboarding) |\n||||\n|** 8x8 Connect** | A multi-channel communication platform designed for businesses who want to work smart, not hard. | ⚠️ Self Sign-up is available: https://connect.8x8.com/|\n|||⚠️ [8x8 CPaaS developer portal](https://developer.8x8.com/connect) \n||||\n\n⚠️  Additional Testing Information regarding \"Contact Center Agent Workspace\":\n* For the application to work properly behind a Proxy (e.g. BURP), an exception has to be added for `jabbind3.php`\n  * Proxy settings\n  * Search \"streaming\"\n  * Add `https://vcc-na1.8x8.com/agui/jabbind3.php` (e.g.) as \"Streaming responses\"\n  * {F3427433}\n\n\n----\n\u0026nbsp;  \n\n## \u0026nbsp;  If You See Something, Say Something\nWe welcome and encourage any submissions that help identify potential security vulnerabilities or exposures affecting our organization.\nVulnerabilities disclosed under Responsible Disclosure will not be eligible for bounties.\n\n### 8x8 IP Ranges \u0026 Domains\nhttps://support.8x8.com/cloud-phone-service/voice/network-setup-voice/x-series-technical-requirements#IP_Ranges\n \n### 8x8 subsidiaries and acquisitions\nContactual\nFuze\nDXI Ltd (ContactNow)\nJitsi\nSameRoom\nWavecell\n\n----\n\u0026nbsp;  \n\n## Response Targets\n8x8 will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business days\n* Time to triage (from report submit) - 2 business days\n\n## Disclosure Policy \n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue. 
\n* Please do not discuss vulnerabilities outside of the program without proper coordination and express consent from 8x8.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder. Please notify us immediately if you encounter exposure of information.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n## Scope Exclusions \nWhile researching, we'd like to ask you to refrain from: \n* **Any form of automation**\n* Any activity that could lead to the disruption of our service (DoS)\n* Spamming \n* Social engineering (including phishing) of 8x8 staff or contractors\n* Any physical attempts against 8x8 property or data centers\n* Missing security headers (eg. HSTS, CSP, SPF, DMARC)\n* Missing flags on cookies\n* SSL issues (expired certs/weak ciphers/key-size/BEAST/CRIME)\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no security impact\n* Clickjacking\n* Rate limiting or brute force issues\n* General low severity issues reported by automated scanners\n* Attacks requiring MITM or physical access to a user's device\n* Vulnerable libraries or dependencies absent a working **Proof of Concept**\n* Comma Separated Values (CSV) injection\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Tab-nabbing \n* Self XSS without further security impact\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Credential Stuffing:  It is the responsibility of our users to ensure the uniqueness and security of their credentials. 
We strongly advise our users not to reuse passwords from other platforms or services and to utilize multi-factor authentication whenever possible. Any submissions related to Credential Stuffing will be deemed out of scope and will not be rewarded.\n\n### Target Specific Scope Exclusion - connect.8x8.com\n1. IDORs having unguessable/non-enumerable identifier are out of scope\n    - IDORs in form of an UUID\n    - IDORs based on `AccountId` and `subAccountId`\n2. When testing support functionality please add \"HackerOne\" in your subject line and limit the number of requests to an absolute minimum.\n\n## Testing Identification\n* Please utilize your [username]@wearehackerone.com alias when submitting information within the applications.\n* To help us identify and classify researcher traffic, 8x8 requests you to include your HackerOne username value to each and every HTTP request made by yourself or any tooling you use. Please use the following format appended to `User-Agent`:\n`X-HackerOne: [H1 username]`\n\n\n## Safe Harbor \nThe [Gold Standard Safe Harbor](https://hackerone.com/8x8-bounty/safe_harbor) applies.\n\nThank you for helping keep 8x8 and our users safe!\n","has_open_scope":false,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Credential Stuffing\",\"details\":\"Users must ensure the uniqueness and security of their credentials. We strongly advise our users not to reuse passwords from other platforms or services, and use multi-factor authentication when possible. 
Submissions related to Credential Stuffing are out of scope and will not be rewarded.\"}","{\"category\":\"IDORs with Unpredictable IDs\",\"details\":\"IDORs having unguessable/non-enumerable identifier are out of scope.\"}","{\"category\":\"0-day vulnerabilities\",\"details\":\"Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\"}"],"timestamp":"2024-09-02T07:10:37.098Z"},{"id":3737576,"new_policy":"At 8x8, we help companies get their employees, customers and applications talking to make people more connected and productive no matter where they are in the world. At 8x8 we value security and recognize the importance of ensuring the integrity and confidentiality of global communications.\n\n## \u0026nbsp;  8x8 Product Scope\n\n| 8x8 Product | Product Description | Testing Notes |\n| ------------ | ------------------- | --------------- |\n| **8x8 Work** | All your essential business communications brought together in one simple app. | ⚠️ Testing accounts or credentials are not being provided at this time.\n||||\n| **8x8 Virtual Contact Center** | A complete, secure cloud contact center solution that makes it easy to collaborate with agents and improve customer experiences. | ⚠️ Testing accounts or credentials are not being provided at this time. |\n||| ⚠️ We will accept one unique report for the application across all related domains as assumed single fix unless proven otherwise. |\n||||\n| **Jitsi** | Jitsi is a world class open source video meeting solution. We strive to make a flexible and secure video meetings platform with the option of **end-to-end encryption (beta)**. | ⚠️ Have a feature request or bug not related to security? Let us know or contribute yourself: https://github.com/jitsi/|\n||||\n| **8x8 Video Conferencing** | The best video conferencing solution for businesses of any size. Fully secure, reliable, packed with features and ridiculously simple to use. 
|⚠️ Testing accounts or credentials are not being provided at this time: https://8x8.vc/|\n||||\n| **Jitsi as a Service** | World's easiest way to add video meetings to your apps. | ⚠️ Self Sign-up is available: https://jaas.8x8.vc/|\n||| ⚠️ [JaaS developer portal](https://developer.8x8.com/jaas/docs/jaas-onboarding) |\n||||\n|** 8x8 Connect** | A multi-channel communication platform designed for businesses who want to work smart, not hard. | ⚠️ Self Sign-up is available: https://connect.8x8.com/|\n|||⚠️ [8x8 CPaaS developer portal](https://developer.8x8.com/connect) \n||||\n\n⚠️  Additional Testing Information regarding \"Contact Center Agent Workspace\":\n* For the application to work properly behind a Proxy (e.g. BURP), an exception has to be added for `jabbind3.php`\n  * Proxy settings\n  * Search \"streaming\"\n  * Add `https://vcc-na1.8x8.com/agui/jabbind3.php` (e.g.) as \"Streaming responses\"\n  * {F3427433}\n\n\n----\n\u0026nbsp;  \n\n\n## Response Targets\n8x8 will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business days\n* Time to triage (from report submit) - 2 business days\n\n## Disclosure Policy \n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue. \n* Please do not discuss vulnerabilities outside of the program without proper coordination and express consent from 8x8.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder. 
Please notify us immediately if you encounter exposure of information.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n## Scope Exclusions \nWhile researching, we'd like to ask you to refrain from: \n* **Any form of automation**\n* Any activity that could lead to the disruption of our service (DoS)\n* Spamming \n* Social engineering (including phishing) of 8x8 staff or contractors\n* Any physical attempts against 8x8 property or data centers\n* Missing security headers (eg. HSTS, CSP, SPF, DMARC)\n* Missing flags on cookies\n* SSL issues (expired certs/weak ciphers/key-size/BEAST/CRIME)\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no security impact\n* Clickjacking\n* Rate limiting or brute force issues\n* General low severity issues reported by automated scanners\n* Attacks requiring MITM or physical access to a user's device\n* Vulnerable libraries or dependencies absent a working **Proof of Concept**\n* Comma Separated Values (CSV) injection\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Tab-nabbing \n* Credential Stuffing:  It is the responsibility of our users to ensure the uniqueness and security of their credentials. We strongly advise our users not to reuse passwords from other platforms or services and to utilize multi-factor authentication whenever possible. Any submissions related to Credential Stuffing will be deemed out of scope and will not be rewarded.\n\n### Target Specific Scope Exclusion - connect.8x8.com\n1. 
IDORs having unguessable/non-enumerable identifier are out of scope\n    - IDORs in form of an UUID\n    - IDORs based on `AccountId` and `subAccountId`\n2. When testing support functionality please add \"HackerOne\" in your subject line and limit the number of requests to an absolute minimum.\n\n## Testing Identification\n* Please utilize your [username]@wearehackerone.com alias when submitting information within the applications.\n* To help us identify and classify researcher traffic, 8x8 requests you to include your HackerOne username value to each and every HTTP request made by yourself or any tooling you use. Please use the following format appended to `User-Agent`:\n`X-HackerOne: [H1 username]`\n\n\n## Safe Harbor \nThe [Gold Standard Safe Harbor](https://hackerone.com/8x8-bounty/safe_harbor) applies.\n\nThank you for helping keep 8x8 and our users safe!\n","has_open_scope":false,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Credential Stuffing\",\"details\":\"Users must ensure the uniqueness and security of their credentials. We strongly advise our users not to reuse passwords from other platforms or services, and use multi-factor authentication when possible. Submissions related to Credential Stuffing are out of scope and will not be rewarded.\"}","{\"category\":\"IDORs with Unpredictable IDs\",\"details\":\"IDORs having unguessable/non-enumerable identifier are out of scope.\"}"],"timestamp":"2024-09-02T04:05:44.762Z"},{"id":3737575,"new_policy":"At 8x8, we help companies get their employees, customers and applications talking to make people more connected and productive no matter where they are in the world. 
At 8x8 we value security and recognize the importance of ensuring the integrity and confidentiality of global communications.\n\n## \u0026nbsp;  8x8 Product Scope\n\n| 8x8 Product | Product Description | Testing Notes |\n| ------------ | ------------------- | --------------- |\n| **8x8 Work** | All your essential business communications brought together in one simple app. | ⚠️ Testing accounts or credentials are not being provided at this time.\n||||\n| **8x8 Virtual Contact Center** | A complete, secure cloud contact center solution that makes it easy to collaborate with agents and improve customer experiences. | ⚠️ Testing accounts or credentials are not being provided at this time. |\n||| ⚠️ We will accept one unique report for the application across all related domains as assumed single fix unless proven otherwise. |\n||||\n| **Jitsi** | Jitsi is a world class open source video meeting solution. We strive to make a flexible and secure video meetings platform with the option of **end-to-end encryption (beta)**. | ⚠️ Have a feature request or bug not related to security? Let us know or contribute yourself: https://github.com/jitsi/|\n||||\n| **8x8 Video Conferencing** | The best video conferencing solution for businesses of any size. Fully secure, reliable, packed with features and ridiculously simple to use. |⚠️ Testing accounts or credentials are not being provided at this time: https://8x8.vc/|\n||||\n| **Jitsi as a Service** | World's easiest way to add video meetings to your apps. | ⚠️ Self Sign-up is available: https://jaas.8x8.vc/|\n||| ⚠️ [JaaS developer portal](https://developer.8x8.com/jaas/docs/jaas-onboarding) |\n||||\n|** 8x8 Connect** | A multi-channel communication platform designed for businesses who want to work smart, not hard. 
| ⚠️ Self Sign-up is available: https://connect.8x8.com/|\n|||⚠️ [8x8 CPaaS developer portal](https://developer.8x8.com/connect) \n||||\n\n⚠️  Additional Testing Information regarding \"Contact Center Agent Workspace\":\n* For the application to work properly behind a Proxy (e.g. BURP), an exception has to be added for `jabbind3.php`\n  * Proxy settings\n  * Search \"streaming\"\n  * Add `https://vcc-na1.8x8.com/agui/jabbind3.php` (e.g.) as \"Streaming responses\"\n  * {F3427433}\n\n\n----\n\u0026nbsp;  \n\n\n## Response Targets\n8x8 will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business days\n* Time to triage (from report submit) - 2 business days\n\n## Disclosure Policy \n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue. \n* Please do not discuss vulnerabilities outside of the program without proper coordination and express consent from 8x8.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder. Please notify us immediately if you encounter exposure of information.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n## Scope Exclusions \nWhile researching, we'd like to ask you to refrain from: \n* **Any form of automation**\n* Any activity that could lead to the disruption of our service (DoS)\n* Spamming \n* Social engineering (including phishing) of 8x8 staff or contractors\n* Any physical attempts against 8x8 property or data centers\n* Missing security headers (eg. 
HSTS, CSP, SPF, DMARC)\n* Missing flags on cookies\n* SSL issues (expired certs/weak ciphers/key-size/BEAST/CRIME)\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no security impact\n* Clickjacking\n* Rate limiting or brute force issues\n* General low severity issues reported by automated scanners\n* Attacks requiring MITM or physical access to a user's device\n* Vulnerable libraries or dependencies absent a working **Proof of Concept**\n* Comma Separated Values (CSV) injection\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Tab-nabbing \n* Credential Stuffing:  It is the responsibility of our users to ensure the uniqueness and security of their credentials. We strongly advise our users not to reuse passwords from other platforms or services and to utilize multi-factor authentication whenever possible. Any submissions related to Credential Stuffing will be deemed out of scope and will not be rewarded.\n\n### Target Specific Scope Exclusion - connect.8x8.com\n1. IDORs having unguessable/non-enumerable identifier are out of scope\n    - IDORs in form of an UUID\n    - IDORs based on `AccountId` and `subAccountId`\n2. 
When testing support functionality please add \"HackerOne\" in your subject line and limit the number of requests to an absolute minimum.\n\n## Testing Identification\n* Please utilize your [username]@wearehackerone.com alias when submitting information within the applications.\n* To help us identify and classify researcher traffic, 8x8 requests you to include your HackerOne username value to each and every HTTP request made by yourself or any tooling you use. Please use the following format appended to `User-Agent`:\n`X-HackerOne: [H1 username]`\n\n\n## Safe Harbor \nThe [Gold Standard Safe Harbor](https://hackerone.com/8x8-bounty/safe_harbor) applies.\n\nThank you for helping keep 8x8 and our users safe!\n","has_open_scope":false,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"IDORs having unguessable/non-enumerable identifier\",\"details\":\"IDORs having unguessable/non-enumerable identifier are out of scope.\"}","{\"category\":\"Credential Stuffing\",\"details\":\"Users must ensure the uniqueness and security of their credentials. We strongly advise our users not to reuse passwords from other platforms or services, and use multi-factor authentication when possible. Submissions related to Credential Stuffing are out of scope and will not be rewarded.\"}"],"timestamp":"2024-09-02T04:04:34.386Z"},{"id":3737574,"new_policy":"At 8x8, we help companies get their employees, customers and applications talking to make people more connected and productive no matter where they are in the world. 
At 8x8 we value security and recognize the importance of ensuring the integrity and confidentiality of global communications.\n\n## \u0026nbsp;  8x8 Product Scope\n\n| 8x8 Product | Product Description | Testing Notes |\n| ------------ | ------------------- | --------------- |\n| **8x8 Work** | All your essential business communications brought together in one simple app. | ⚠️ Testing accounts or credentials are not being provided at this time.\n||||\n| **8x8 Virtual Contact Center** | A complete, secure cloud contact center solution that makes it easy to collaborate with agents and improve customer experiences. | ⚠️ Testing accounts or credentials are not being provided at this time. |\n||| ⚠️ We will accept one unique report for the application across all related domains as assumed single fix unless proven otherwise. |\n||||\n| **Jitsi** | Jitsi is a world class open source video meeting solution. We strive to make a flexible and secure video meetings platform with the option of **end-to-end encryption (beta)**. | ⚠️ Have a feature request or bug not related to security? Let us know or contribute yourself: https://github.com/jitsi/|\n||||\n| **8x8 Video Conferencing** | The best video conferencing solution for businesses of any size. Fully secure, reliable, packed with features and ridiculously simple to use. |⚠️ Testing accounts or credentials are not being provided at this time: https://8x8.vc/|\n||||\n| **Jitsi as a Service** | World's easiest way to add video meetings to your apps. | ⚠️ Self Sign-up is available: https://jaas.8x8.vc/|\n||| ⚠️ [JaaS developer portal](https://developer.8x8.com/jaas/docs/jaas-onboarding) |\n||||\n|** 8x8 Connect** | A multi-channel communication platform designed for businesses who want to work smart, not hard. 
| ⚠️ Self Sign-up is available: https://connect.8x8.com/|\n|||⚠️ [8x8 CPaaS developer portal](https://developer.8x8.com/connect) \n||||\n\n⚠️  Additional Testing Information regarding \"Contact Center Agent Workspace\":\n* For the application to work properly behind a Proxy (e.g. BURP), an exception has to be added for `jabbind3.php`\n  * Proxy settings\n  * Search \"streaming\"\n  * Add `https://vcc-na1.8x8.com/agui/jabbind3.php` (e.g.) as \"Streaming responses\"\n  * {F3427433}\n\n\n----\n\u0026nbsp;  \n\n\n## Response Targets\n8x8 will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business days\n* Time to triage (from report submit) - 2 business days\n\n## Disclosure Policy \n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue. \n* Please do not discuss vulnerabilities outside of the program without proper coordination and express consent from 8x8.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder. Please notify us immediately if you encounter exposure of information.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n## Scope Exclusions \nWhile researching, we'd like to ask you to refrain from: \n* **Any form of automation**\n* Any activity that could lead to the disruption of our service (DoS)\n* Spamming \n* Social engineering (including phishing) of 8x8 staff or contractors\n* Any physical attempts against 8x8 property or data centers\n* Missing security headers (eg. 
HSTS, CSP, SPF, DMARC)\n* Missing flags on cookies\n* SSL issues (expired certs/weak ciphers/key-size/BEAST/CRIME)\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no security impact\n* Clickjacking\n* Rate limiting or brute force issues\n* General low severity issues reported by automated scanners\n* Attacks requiring MITM or physical access to a user's device\n* Vulnerable libraries or dependencies absent a working **Proof of Concept**\n* Comma Separated Values (CSV) injection\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Tab-nabbing \n* Credential Stuffing:  It is the responsibility of our users to ensure the uniqueness and security of their credentials. We strongly advise our users not to reuse passwords from other platforms or services and to utilize multi-factor authentication whenever possible. Any submissions related to Credential Stuffing will be deemed out of scope and will not be rewarded.\n\n### Target Specific Scope Exclusion - connect.8x8.com\n1. IDORs having unguessable/non-enumerable identifier are out of scope\n    - IDORs in form of an UUID\n    - IDORs based on `AccountId` and `subAccountId`\n2. 
When testing support functionality please add \"HackerOne\" in your subject line and limit the number of requests to an absolute minimum.\n\n## Testing Identification\n* Please utilize your [username]@wearehackerone.com alias when submitting information within the applications.\n* To help us identify and classify researcher traffic, 8x8 requests you to include your HackerOne username value to each and every HTTP request made by yourself or any tooling you use. Please use the following format appended to `User-Agent`:\n`X-HackerOne: [H1 username]`\n\n\n## Safe Harbor \nThe [Gold Standard Safe Harbor](https://hackerone.com/8x8-bounty/safe_harbor) applies.\n\nThank you for helping keep 8x8 and our users safe!\n","has_open_scope":false,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-09-02T03:34:05.922Z"},{"id":3737541,"new_policy":"**Please review the scope carefully. If you believe you've found a security issue in our services not explicitly defined in the scope of this program, please submit via our [Responsible Disclosure Program](https://hackerone.com/8x8).**\n\n----\n\u0026nbsp;  \n\n\nAt 8x8, we help companies get their employees, customers and applications talking to make people more connected and productive no matter where they are in the world. 
At 8x8 we value security and recognize the importance of ensuring the integrity and confidentiality of global communications.\n\n## \u0026nbsp;  8x8 Work\nAll your essential business communications brought together in one simple app.\n\n⚠️ Testing accounts or credentials are not being provided at this time.\n\n## \u0026nbsp; 8x8 Virtual Contact Center\nA complete, secure cloud contact center solution that makes it easy to collaborate with agents and improve customer experiences.\n\n⚠️ Testing accounts or credentials are not being provided at this time.\n⚠️ We will accept one unique report for the application across all related domains as assumed single fix unless proven otherwise. \n\n⚠️  Additional Testing Information regarding \"Contact Center Agent Workspace\":\n* For the application to work properly behind a Proxy (e.g. BURP), an exception has to be added for `jabbind3.php`\n  * Proxy settings\n  * Search \"streaming\"\n  * Add `https://vcc-na1.8x8.com/agui/jabbind3.php` (e.g.) as \"Streaming responses\"\n  * {F3427433}\n\n## Jitsi\nJitsi is a world class open source video meeting solution. We strive to make a flexible and secure video meetings platform with the option of **end-to-end encryption (beta)**.\n\n⚠️ Have a feature request or bug not related to security? Let us know or contribute yourself: https://github.com/jitsi/\n\n## \u0026nbsp; 8x8 Video Conferencing\nThe best video conferencing solution for businesses of any size. 
Fully secure, reliable, packed with features and ridiculously simple to use.\n\n⚠️ Testing accounts or credentials are not being provided at this time: https://8x8.vc/\n\n## Jitsi as a Service\nWorld's easiest way to add video meetings to your apps.\n\n⚠️ Self Sign-up is available: https://jaas.8x8.vc/\n⚠️ [JaaS developer portal](https://developer.8x8.com/jaas/docs/jaas-onboarding)\n\n## \u0026nbsp; 8x8 Connect\nA multi-channel communication platform designed for businesses who want to work smart, not hard.\n\n⚠️ Self Sign-up is available: https://connect.8x8.com/\n⚠️ [8x8 CPaaS developer portal](https://developer.8x8.com/connect)\n\n----\n\u0026nbsp;  \n\n\n## Response Targets\n8x8 will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business days\n* Time to triage (from report submit) - 2 business days\n\n## Disclosure Policy \n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue. \n* Please do not discuss vulnerabilities outside of the program without proper coordination and express consent from 8x8.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder. Please notify us immediately if you encounter exposure of information.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n## Scope Exclusions \nWhile researching, we'd like to ask you to refrain from: \n* **Any form of automation**\n* Any activity that could lead to the disruption of our service (DoS)\n* Spamming \n* Social engineering (including phishing) of 8x8 staff or contractors\n* Any physical attempts against 8x8 property or data centers\n* Missing security headers (eg. 
HSTS, CSP, SPF, DMARC)\n* Missing flags on cookies\n* SSL issues (expired certs/weak ciphers/key-size/BEAST/CRIME)\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no security impact\n* Clickjacking\n* Rate limiting or brute force issues\n* General low severity issues reported by automated scanners\n* Attacks requiring MITM or physical access to a user's device\n* Vulnerable libraries or dependencies absent a working **Proof of Concept**\n* Comma Separated Values (CSV) injection\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Tab-nabbing \n* Credential Stuffing:  It is the responsibility of our users to ensure the uniqueness and security of their credentials. We strongly advise our users not to reuse passwords from other platforms or services and to utilize multi-factor authentication whenever possible. Any submissions related to Credential Stuffing will be deemed out of scope and will not be rewarded.\n\n### Target Specific Scope Exclusion - connect.8x8.com\n1. IDORs having unguessable/non-enumerable identifier are out of scope\n    - IDORs in form of an UUID\n    - IDORs based on `AccountId` and `subAccountId`\n2. 
When testing support functionality please add \"HackerOne\" in your subject line and limit the number of requests to an absolute minimum.\n\n## Testing Identification\n* Please utilize your [username]@wearehackerone.com alias when submitting information within the applications.\n* To help us identify and classify researcher traffic, 8x8 requests you to include your HackerOne username value to each and every HTTP request made by yourself or any tooling you use. Please use the following format appended to `User-Agent`:\n`X-HackerOne: [H1 username]`\n\n\n## Safe Harbor \nThe [Gold Standard Safe Harbor](https://hackerone.com/8x8-bounty/safe_harbor) applies.\n\nThank you for helping keep 8x8 and our users safe!\n","has_open_scope":false,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-09-02T02:16:18.020Z"},{"id":3732456,"new_policy":"**Please review the scope carefully. If you believe you've found a security issue in our services not explicitly defined the scope of this program please submit via our [Responsible Disclosure Program](https://hackerone.com/8x8).**\n\n----\n\u0026nbsp;  \n\n\nAt 8x8, we help companies get their employees, customers and applications talking to make people more connected and productive no matter where they are in the world. 
At 8x8 we value security and recognize the importance of ensuring the integrity and confidentiality of global communications.\n\n## \u0026nbsp;  8x8 Work\nAll your essential business communications brought together in one simple app.\n\n⚠️ Testing accounts or credentials are not being provided at this time.\n\n## \u0026nbsp; 8x8 Virtual Contact Center\nA complete, secure cloud contact center solution that makes it easy to collaborate with agents and improve customer experiences.\n\n⚠️ Testing accounts or credentials are not being provided at this time.\n⚠️ We will accept one unique report for the application across all related domains as assumed single fix unless proven otherwise. \n\n⚠️  Additional Testing Information regarding \"Contact Center Agent Workspace\":\n* For the application to work properly behind a Proxy (e.g. BURP), an exception has to be added for `jabbind3.php`\n  * Proxy settings\n  * Search \"streaming\"\n  * Add `https://vcc-na1.8x8.com/agui/jabbind3.php` (e.g.) as \"Streaming responses\"\n  * {F3427433}\n\n## Jitsi\nJitsi is a world class open source video meeting solution. We strive to make a flexible and secure video meetings platform with the option of **end-to-end encryption (beta)**.\n\n⚠️ Have a feature request or bug not related to security? Let us know or contribute yourself: https://github.com/jitsi/\n\n## \u0026nbsp; 8x8 Video Conferencing\nThe best video conferencing solution for businesses of any size. 
Fully secure, reliable, packed with features and ridiculously simple to use.\n\n⚠️ Testing accounts or credentials are not being provided at this time: https://8x8.vc/\n\n## Jitsi as a Service\nWorld's easiest way to add video meetings to your apps.\n\n⚠️ Self Sign-up is available: https://jaas.8x8.vc/\n⚠️ [JaaS developer portal](https://developer.8x8.com/jaas/docs/jaas-onboarding)\n\n## \u0026nbsp; 8x8 Connect\nA multi-channel communication platform designed for businesses who want to work smart, not hard.\n\n⚠️ Self Sign-up is available: https://connect.8x8.com/\n⚠️ [8x8 CPaaS developer portal](https://developer.8x8.com/connect)\n\n----\n\u0026nbsp;  \n\n\n## Response Targets\n8x8 will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 2 business days\n\n## Disclosure Policy \n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue. \n* Please do not discuss vulnerabilities outside of the program without proper coordination and express consent from 8x8.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder. Please notify us immediately if you encounter exposure of information.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n## Scope Exclusions \nWhile researching, we'd like to ask you to refrain from: \n* **Any form of automation**\n* Any activity that could lead to the disruption of our service (DoS)\n* Spamming \n* Social engineering (including phishing) of 8x8 staff or contractors\n* Any physical attempts against 8x8 property or data centers\n* Missing security headers (e.g. 
HSTS, CSP, SPF, DMARC)\n* Missing flags on cookies\n* SSL issues (expired certs/weak ciphers/key-size/BEAST/CRIME)\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no security impact\n* Clickjacking\n* Rate limiting or brute force issues\n* General low severity issues reported by automated scanners\n* Attacks requiring MITM or physical access to a user's device\n* Vulnerable libraries or dependencies absent a working **Proof of Concept**\n* Comma Separated Values (CSV) injection\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Tab-nabbing \n* Credential Stuffing:  It is the responsibility of our users to ensure the uniqueness and security of their credentials. We strongly advise our users not to reuse passwords from other platforms or services and to utilize multi-factor authentication whenever possible. Any submissions related to Credential Stuffing will be deemed out of scope and will not be rewarded.\n\n### Target Specific Scope Exclusion - connect.8x8.com\n1. IDORs having unguessable/non-enumerable identifier are out of scope\n    - IDORs in form of an UUID\n    - IDORs based on `AccountId` and `subAccountId`\n2. 
When testing support functionality please add \"HackerOne\" in your subject line and limit the number of requests to an absolute minimum.\n\n## Testing Identification\n* Please utilize your [username]@wearehackerone.com alias when submitting information within the applications.\n* To help us identify and classify researcher traffic, 8x8 requests you to include your HackerOne username value to each and every HTTP request made by yourself or any tooling you use. Please use the following format appended to `User-Agent`:\n`X-HackerOne: [H1 username]`\n\n\n## Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\nThank you for helping keep 8x8 and our users safe!\n","has_open_scope":false,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-07-16T09:29:07.758Z"},{"id":3732455,"new_policy":"**Please review the scope carefully. If you believe you've found a security issue in our services not explicitly defined the scope of this program please submit via our [Responsible Disclosure Program](https://hackerone.com/8x8).**\n\n----\n\u0026nbsp;  \n\n\nAt 8x8, we help companies get their employees, customers and applications talking to make people more connected and productive no matter where they are in the world. 
At 8x8 we value security and recognize the importance of ensuring the integrity and confidentiality of global communications.\n\n## \u0026nbsp;  8x8 Work\nAll your essential business communications brought together in one simple app.\n\n⚠️ Testing accounts or credentials are not being provided at this time.\n\n## \u0026nbsp; 8x8 Virtual Contact Center\nA complete, secure cloud contact center solution that makes it easy to collaborate with agents and improve customer experiences.\n\n⚠️ Testing accounts or credentials are not being provided at this time.\n⚠️ We will accept one unique report for the application across all related domains as assumed single fix unless proven otherwise. \n\n⚠️  Additional Testing Information regarding \"Contact Center Agent Workspace\":\n* For the application to work properly behind a Proxy (e.g. BURP), an exception has to be added for `jabbind3.php`\n  * Proxy settings\n  * Search \"streaming\"\n  * Add `https://vcc-na1.8x8.com/agui/jabbind3.php` (e.g.) as \"Streaming responses\"\n  * {F3427433}\n\n## Jitsi\nJitsi is a world class open source video meeting solution. We strive to make a flexible and secure video meetings platform with the option of **end-to-end encryption (beta)**.\n\n⚠️ Have a feature request or bug not related to security? Let us know or contribute yourself: https://github.com/jitsi/\n\n## \u0026nbsp; 8x8 Video Conferencing\nThe best video conferencing solution for businesses of any size. 
Fully secure, reliable, packed with features and ridiculously simple to use.\n\n⚠️ Testing accounts or credentials are not being provided at this time: https://8x8.vc/\n\n## Jitsi as a Service\nWorld's easiest way to add video meetings to your apps.\n\n⚠️ Self Sign-up is available: https://jaas.8x8.vc/\n⚠️ [JaaS developer portal](https://developer.8x8.com/jaas/docs/jaas-onboarding)\n\n## \u0026nbsp; 8x8 Connect\nA multi-channel communication platform designed for businesses who want to work smart, not hard.\n\n⚠️ Self Sign-up is available: https://connect.8x8.com/\n⚠️ [8x8 CPaaS developer portal](https://developer.8x8.com/connect)\n\n----\n\u0026nbsp;  \n\n\n## Response Targets\n8x8 will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 2 business days\n\n## Disclosure Policy \n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue. \n* Please do not discuss vulnerabilities outside of the program without proper coordination and express consent from 8x8.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder. Please notify us immediately if you encounter exposure of information.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n## Scope Exclusions \nWhile researching, we'd like to ask you to refrain from: \n* **Any form of automation**\n* Any activity that could lead to the disruption of our service (DoS)\n* Spamming \n* Social engineering (including phishing) of 8x8 staff or contractors\n* Any physical attempts against 8x8 property or data centers\n* Missing security headers (e.g. 
HSTS, CSP, SPF, DMARC)\n* Missing flags on cookies\n* SSL issues (expired certs/weak ciphers/key-size/BEAST/CRIME)\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no security impact\n* Clickjacking\n* Rate limiting or brute force issues\n* General low severity issues reported by automated scanners\n* Attacks requiring MITM or physical access to a user's device\n* Vulnerable libraries or dependencies absent a working **Proof of Concept**\n* Comma Separated Values (CSV) injection\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Tab-nabbing \n* Credential Stuffing:  It is the responsibility of our users to ensure the uniqueness and security of their credentials. We strongly advise our users not to reuse passwords from other platforms or services and to utilize multi-factor authentication whenever possible. Any submissions related to Credential Stuffing will be deemed out of scope and will not be rewarded.\n\n### Target Specific Scope Exclusion - connect.8x8.com\n1. IDORs having unguessable/non-enumerable identifier are out of scope\n    - IDORs in form of an UUID\n    - IDORs based on `AccountId` and `subAccountId`\n2. 
When testing support functionality please add \"HackerOne\" in your subject line and limit the number of requests to an absolute minimum.\n\n## Testing Identification\n* Please utilize your [username]@wearehackerone.com alias when submitting information within the applications.\n* To help us identify and classify researcher traffic, 8x8 requests you to include your HackerOne username value to each and every HTTP request made by yourself or any tooling you use. Please use the following format appended to `User-Agent`:\n`X-HackerOne: [H1 username]`\n\n\n## Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\nThank you for helping keep 8x8 and our users safe!\n","has_open_scope":false,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":["PAYING_FOR_NEW_ZERO_DAYS"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-07-16T09:28:36.699Z"},{"id":3732000,"new_policy":"**Please review the scope carefully. If you believe you've found a security issue in our services not explicitly defined the scope of this program please submit via our [Responsible Disclosure Program](https://hackerone.com/8x8).**\n\n----\n\u0026nbsp;  \n\n\nAt 8x8, we help companies get their employees, customers and applications talking to make people more connected and productive no matter where they are in the world. 
At 8x8 we value security and recognize the importance of ensuring the integrity and confidentiality of global communications.\n\n## \u0026nbsp;  8x8 Work\nAll your essential business communications brought together in one simple app.\n\n⚠️ Testing accounts or credentials are not being provided at this time.\n\n## \u0026nbsp; 8x8 Virtual Contact Center\nA complete, secure cloud contact center solution that makes it easy to collaborate with agents and improve customer experiences.\n\n⚠️ Testing accounts or credentials are not being provided at this time.\n⚠️ We will accept one unique report for the application across all related domains as assumed single fix unless proven otherwise. \n\n⚠️  Additional Testing Information regarding \"Contact Center Agent Workspace\":\n* For the application to work properly behind a Proxy (e.g. BURP), an exception has to be added for `jabbind3.php`\n  * Proxy settings\n  * Search \"streaming\"\n  * Add `https://vcc-na1.8x8.com/agui/jabbind3.php` (e.g.) as \"Streaming responses\"\n  * {F3427433}\n\n## Jitsi\nJitsi is a world class open source video meeting solution. We strive to make a flexible and secure video meetings platform with the option of **end-to-end encryption (beta)**.\n\n⚠️ Have a feature request or bug not related to security? Let us know or contribute yourself: https://github.com/jitsi/\n\n## \u0026nbsp; 8x8 Video Conferencing\nThe best video conferencing solution for businesses of any size. 
Fully secure, reliable, packed with features and ridiculously simple to use.\n\n⚠️ Testing accounts or credentials are not being provided at this time: https://8x8.vc/\n\n## Jitsi as a Service\nWorld's easiest way to add video meetings to your apps.\n\n⚠️ Self Sign-up is available: https://jaas.8x8.vc/\n⚠️ [JaaS developer portal](https://developer.8x8.com/jaas/docs/jaas-onboarding)\n\n## \u0026nbsp; 8x8 Connect\nA multi-channel communication platform designed for businesses who want to work smart, not hard.\n\n⚠️ Self Sign-up is available: https://connect.8x8.com/\n⚠️ [8x8 CPaaS developer portal](https://developer.8x8.com/connect)\n\n----\n\u0026nbsp;  \n\n\n## Response Targets\n8x8 will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 2 business days\n\n## Disclosure Policy \n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue. \n* Please do not discuss vulnerabilities outside of the program without proper coordination and express consent from 8x8.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder. Please notify us immediately if you encounter exposure of information.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n## Scope Exclusions \nWhile researching, we'd like to ask you to refrain from: \n* **Any form of automation**\n* Any activity that could lead to the disruption of our service (DoS)\n* Spamming \n* Social engineering (including phishing) of 8x8 staff or contractors\n* Any physical attempts against 8x8 property or data centers\n* Missing security headers (e.g. 
HSTS, CSP, SPF, DMARC)\n* Missing flags on cookies\n* SSL issues (expired certs/weak ciphers/key-size/BEAST/CRIME)\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no security impact\n* Clickjacking\n* Rate limiting or brute force issues\n* General low severity issues reported by automated scanners\n* Attacks requiring MITM or physical access to a user's device\n* Vulnerable libraries or dependencies absent a working **Proof of Concept**\n* Comma Separated Values (CSV) injection\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Tab-nabbing \n* Credential Stuffing:  It is the responsibility of our users to ensure the uniqueness and security of their credentials. We strongly advise our users not to reuse passwords from other platforms or services and to utilize multi-factor authentication whenever possible. Any submissions related to Credential Stuffing will be deemed out of scope and will not be rewarded.\n\n### Target Specific Scope Exclusion - connect.8x8.com\n1. IDORs having unguessable/non-enumerable identifier are out of scope\n    - IDORs in form of an UUID\n    - IDORs based on `AccountId` and `subAccountId`\n2. 
When testing support functionality please add \"HackerOne\" in your subject line and limit the number of requests to an absolute minimum.\n\n## Testing Identification\n* Please utilize your [username]@wearehackerone.com alias when submitting information within the applications.\n* To help us identify and classify researcher traffic, 8x8 requests you to include your HackerOne username value to each and every HTTP request made by yourself or any tooling you use. Please use the following format appended to `User-Agent`:\n`X-HackerOne: [H1 username]`\n\n\n## Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\nThank you for helping keep 8x8 and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-07-11T01:44:02.203Z"},{"id":3731412,"new_policy":"**Please review the scope carefully. If you believe you've found a security issue in our services not explicitly defined the scope of this program please submit via our [Responsible Disclosure Program](https://hackerone.com/8x8).**\n\n----\n\u0026nbsp;  \n\n\nAt 8x8, we help companies get their employees, customers and applications talking to make people more connected and productive no matter where they are in the world. 
At 8x8 we value security and recognize the importance of ensuring the integrity and confidentiality of global communications.\n\n### \u0026nbsp;  8x8 Work\nAll your essential business communications brought together in one simple app.\n\n⚠️ Testing accounts or credentials are not being provided at this time.\n\n### \u0026nbsp; 8x8 Virtual Contact Center\nA complete, secure cloud contact center solution that makes it easy to collaborate with agents and improve customer experiences.\n\n⚠️ Testing accounts or credentials are not being provided at this time.\n⚠️ We will accept one unique report for the application across all related domains as assumed single fix unless proven otherwise. \n\n### Jitsi\nJitsi is a world class open source video meeting solution. We strive to make a flexible and secure video meetings platform with the option of **end-to-end encryption (beta)**.\n\n⚠️ Have a feature request or bug not related to security? Let us know or contribute yourself: https://github.com/jitsi/\n\n### \u0026nbsp; 8x8 Video Conferencing\nThe best video conferencing solution for businesses of any size. 
Fully secure, reliable, packed with features and ridiculously simple to use.\n\n⚠️ Testing accounts or credentials are not being provided at this time: https://8x8.vc/\n\n### Jitsi as a Service\nWorld's easiest way to add video meetings to your apps.\n\n⚠️ Self Sign-up is available: https://jaas.8x8.vc/\n⚠️ [JaaS developer portal](https://developer.8x8.com/jaas/docs/jaas-onboarding)\n\n### \u0026nbsp; 8x8 Connect\nA multi-channel communication platform designed for businesses who want to work smart, not hard.\n\n⚠️ Self Sign-up is available: https://connect.8x8.com/\n⚠️ [8x8 CPaaS developer portal](https://developer.8x8.com/connect)\n\n----\n\u0026nbsp;  \n\n\n## Response Targets\n8x8 will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 2 business days\n\n## Disclosure Policy \n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue. \n* Please do not discuss vulnerabilities outside of the program without proper coordination and express consent from 8x8.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder. Please notify us immediately if you encounter exposure of information.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n## Scope Exclusions \nWhile researching, we'd like to ask you to refrain from: \n* **Any form of automation**\n* Any activity that could lead to the disruption of our service (DoS)\n* Spamming \n* Social engineering (including phishing) of 8x8 staff or contractors\n* Any physical attempts against 8x8 property or data centers\n* Missing security headers (e.g. 
HSTS, CSP, SPF, DMARC)\n* Missing flags on cookies\n* SSL issues (expired certs/weak ciphers/key-size/BEAST/CRIME)\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no security impact\n* Clickjacking\n* Rate limiting or brute force issues\n* General low severity issues reported by automated scanners\n* Attacks requiring MITM or physical access to a user's device\n* Vulnerable libraries or dependencies absent a working **Proof of Concept**\n* Comma Separated Values (CSV) injection\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Tab-nabbing \n* Credential Stuffing:  It is the responsibility of our users to ensure the uniqueness and security of their credentials. We strongly advise our users not to reuse passwords from other platforms or services and to utilize multi-factor authentication whenever possible. Any submissions related to Credential Stuffing will be deemed out of scope and will not be rewarded.\n\n### Target Specific Scope Exclusion - connect.8x8.com\n1. IDORs having unguessable/non-enumerable identifier are out of scope\n    - IDORs in form of an UUID\n    - IDORs based on `AccountId` and `subAccountId`\n2. 
When testing support functionality please add \"HackerOne\" in your subject line and limit the number of requests to an absolute minimum.\n\n## Testing Identification\n* Please utilize your [username]@wearehackerone.com alias when submitting information within the applications.\n* To help us identify and classify researcher traffic, 8x8 requests you to include your HackerOne username value to each and every HTTP request made by yourself or any tooling you use. Please use the following format appended to `User-Agent`:\n`X-HackerOne: [H1 username]`\n\n\n## Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\nThank you for helping keep 8x8 and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-07-02T03:17:35.022Z"},{"id":3731411,"new_policy":"**Please review the scope carefully. If you believe you've found a security issue in our services not explicitly defined the scope of this program please submit via our [Responsible Disclosure Program](https://hackerone.com/8x8).**\n\n----\n\u0026nbsp;  \n\n\nAt 8x8, we help companies get their employees, customers and applications talking to make people more connected and productive no matter where they are in the world. 
At 8x8 we value security and recognize the importance of ensuring the integrity and confidentiality of global communications.\n\n### \u0026nbsp;  8x8 Work\nAll your essential business communications brought together in one simple app.\n\n⚠️ We are not currently providing accounts for testing.\n\n### \u0026nbsp; 8x8 Virtual Contact Center\nA complete, secure cloud contact center solution that makes it easy to collaborate with agents and improve customer experiences.\n\n⚠️ Credentials not currently provided.\n⚠️ We will accept one unique report for the application across all related domains as assumed single fix unless proven otherwise. \n\n### Jitsi\nJitsi is a world class open source video meeting solution. We strive to make a flexible and secure video meetings platform with the option of **end-to-end encryption (beta)**.\n\n⚠️ Have a feature request or bug not related to security? Let us know or contribute yourself: https://github.com/jitsi/\n\n### Jitsi as a Service\nWorld's easiest way to add video meetings to your apps.\n\n⚠️ Self Sign-up is available: https://jaas.8x8.vc/\n⚠️ [JaaS developer portal](https://developer.8x8.com/jaas/docs/jaas-onboarding)\n\n### \u0026nbsp; 8x8 Connect\nA multi-channel communication platform designed for businesses who want to work smart, not hard.\n\n⚠️ Self Sign-up is available: https://connect.8x8.com/\n⚠️ [8x8 CPaaS developer portal](https://developer.8x8.com/connect)\n\n----\n\u0026nbsp;  \n\n\n## Response Targets\n8x8 will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business days\n* Time to triage (from report submit) - 2 business days\n\n## Disclosure Policy \n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue. 
\n* Please do not discuss vulnerabilities outside of the program without proper coordination and express consent from 8x8.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder. Please notify us immediately if you encounter exposure of information.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n## Scope Exclusions \nWhile researching, we'd like to ask you to refrain from: \n* **Any form of automation**\n* Any activity that could lead to the disruption of our service (DoS)\n* Spamming \n* Social engineering (including phishing) of 8x8 staff or contractors\n* Any physical attempts against 8x8 property or data centers\n* Missing security headers (eg. HSTS, CSP, SPF, DMARC)\n* Missing flags on cookies\n* SSL issues (expired certs/weak ciphers/key-size/BEAST/CRIME)\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no security impact\n* Clickjacking\n* Rate limiting or brute force issues\n* General low severity issues reported by automated scanners\n* Attacks requiring MITM or physical access to a user's device\n* Vulnerable libraries or dependencies absent a working **Proof of Concept**\n* Comma Separated Values (CSV) injection\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Tab-nabbing \n* Credential Stuffing:  It is the responsibility of our users to ensure the uniqueness and security of their credentials. 
We strongly advise our users not to reuse passwords from other platforms or services and to utilize multi-factor authentication whenever possible. Any submissions related to Credential Stuffing will be deemed out of scope and will not be rewarded.\n\n### Target Specific Scope Exclusion - connect.8x8.com\n1. IDORs having an unguessable/non-enumerable identifier are out of scope\n    - IDORs in the form of a UUID\n    - IDORs based on `AccountId` and `subAccountId`\n2. When testing support functionality please add \"HackerOne\" in your subject line and limit the number of requests to an absolute minimum.\n\n## Testing Identification\n* Please utilize your [username]@wearehackerone.com alias when submitting information within the applications.\n* To help us identify and classify researcher traffic, 8x8 requests you to include your HackerOne username value to each and every HTTP request made by yourself or any tooling you use. Please use the following format appended to `User-Agent`:\n`X-HackerOne: [H1 username]`\n\n\n## Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\nThank you for helping keep 8x8 and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-07-02T03:09:44.659Z"},{"id":3731410,"new_policy":"**Please review the scope carefully. 
If you believe you've found a security issue in our services not explicitly defined in the scope of this program please submit via our [Responsible Disclosure Program](https://hackerone.com/8x8).**\n\n----\n\u0026nbsp;  \n\n\nAt 8x8, we help companies get their employees, customers and applications talking to make people more connected and productive no matter where they are in the world. At 8x8 we value security and recognize the importance of ensuring the integrity and confidentiality of global communications.\n\n### \u0026nbsp;  8x8 Work\nAll your essential business communications brought together in one simple app.\n\n⚠️ We are not currently providing accounts for testing.\n\n### \u0026nbsp; 8x8 Virtual Contact Center\nA complete, secure cloud contact center solution that makes it easy to collaborate with agents and improve customer experiences.\n\n⚠️ Credentials not currently provided.\n⚠️ We will accept one unique report for the application across all related domains as assumed single fix unless proven otherwise. \n\n### Jitsi\nJitsi is a world class open source video meeting solution. We strive to make a flexible and secure video meetings platform with the option of **end-to-end encryption (beta)**.\n\n⚠️ Have a feature request or bug not related to security? 
Let us know or contribute yourself: https://github.com/jitsi/\n\n### Jitsi as a Service\nWorld's easiest way to add video meetings to your apps.\n\n⚠️ Self Sign-up is available: https://jaas.8x8.vc/\n⚠️ [JaaS developer portal](https://developer.8x8.com/jaas/docs/jaas-onboarding)\n\n### \u0026nbsp; 8x8 Connect\nA multi-channel communication platform designed for businesses who want to work smart, not hard.\n\n⚠️ Self Sign-up is available: https://connect.8x8.com/\n⚠️ [8x8 CPaaS developer portal](https://developer.8x8.com/connect)\n\n----\n\u0026nbsp;  \n\n\n## Response Targets\n8x8 will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 2 business days\n\n## Disclosure Policy \n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue. \n* Please do not discuss vulnerabilities outside of the program without proper coordination and express consent from 8x8.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder. Please notify us immediately if you encounter exposure of information.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n## Must Read\n### Scope Exclusions \nWhile researching, we'd like to ask you to refrain from: \n* **Any form of automation**\n* Any activity that could lead to the disruption of our service (DoS)\n* Spamming \n* Social engineering (including phishing) of 8x8 staff or contractors\n* Any physical attempts against 8x8 property or data centers\n* Missing security headers (e.g. 
HSTS, CSP, SPF, DMARC)\n* Missing flags on cookies\n* SSL issues (expired certs/weak ciphers/key-size/BEAST/CRIME)\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no security impact\n* Clickjacking\n* Rate limiting or brute force issues\n* General low severity issues reported by automated scanners\n* Attacks requiring MITM or physical access to a user's device\n* Vulnerable libraries or dependencies absent a working **Proof of Concept**\n* Comma Separated Values (CSV) injection\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Tab-nabbing \n* Credential Stuffing:  It is the responsibility of our users to ensure the uniqueness and security of their credentials. We strongly advise our users not to reuse passwords from other platforms or services and to utilize multi-factor authentication whenever possible. Any submissions related to Credential Stuffing will be deemed out of scope and will not be rewarded.\n\n### Target Specific Scope Exclusion - connect.8x8.com\n1. IDORs having an unguessable/non-enumerable identifier are out of scope\n    - IDORs in the form of a UUID\n    - IDORs based on `AccountId` and `subAccountId`\n2. 
When testing support functionality please add \"HackerOne\" in your subject line and limit the number of requests to an absolute minimum.\n\n### Testing Identification\n* Please utilize your [username]@wearehackerone.com alias when submitting information within the applications.\n* To help us identify and classify researcher traffic, 8x8 requests you to include your HackerOne username value to each and every HTTP request made by yourself or any tooling you use. Please use the following format appended to `User-Agent`:\n`X-HackerOne: [H1 username]`\n\n\n\n\u0026nbsp;  \nSafe Harbor \n=========\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\nThank you for helping keep 8x8 and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-07-02T03:07:18.604Z"},{"id":3731409,"new_policy":"**Please review the scope carefully. If you believe you've found a security issue in our services not explicitly defined in the scope of this program please submit via our [Responsible Disclosure Program](https://hackerone.com/8x8).**\n\n----\n\u0026nbsp;  \n\n\nAt 8x8, we help companies get their employees, customers and applications talking to make people more connected and productive no matter where they are in the world. 
At 8x8 we value security and recognize the importance of ensuring the integrity and confidentiality of global communications.\n\n### \u0026nbsp;  8x8 Work\nAll your essential business communications brought together in one simple app.\n\n⚠️ We are not currently providing accounts for testing.\n\n### \u0026nbsp; 8x8 Virtual Contact Center\nA complete, secure cloud contact center solution that makes it easy to collaborate with agents and improve customer experiences.\n\n⚠️ Credentials not currently provided.\n⚠️ We will accept one unique report for the application across all related domains as assumed single fix unless proven otherwise. \n\n### Jitsi\nJitsi is a world class open source video meeting solution. We strive to make a flexible and secure video meetings platform with the option of **end-to-end encryption (beta)**.\n\n⚠️ Have a feature request or bug not related to security? Let us know or contribute yourself: https://github.com/jitsi/\n\n### Communication APIs\nEngage customers at scale with SMS, voice, chat apps, and video APIs.\n\n#### Jitsi as a Service\nWorld's easiest way to add video meetings to your apps\n\n⚠️ Self Sign-up is available: https://jaas.8x8.vc/\n⚠️ [JaaS developer portal](https://developer.8x8.com/jaas/docs/jaas-onboarding)\n\n#### \u0026nbsp; 8x8 Connect\nA multi-channel communication platform designed for businesses who want to work smart, not hard.\n\n⚠️ Self Sign-up is available: https://connect.8x8.com/\n⚠️ [8x8 CPaaS developer portal](https://developer.8x8.com/connect)\n\n----\n\u0026nbsp;  \n\n\n## Response Targets\n8x8 will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 2 business days\n\n## Disclosure Policy \n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue. 
\n* Please do not discuss vulnerabilities outside of the program without proper coordination and express consent from 8x8.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder. Please notify us immediately if you encounter exposure of information.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n## Must Read\n### Scope Exclusions \nWhile researching, we'd like to ask you to refrain from: \n* **Any form of automation**\n* Any activity that could lead to the disruption of our service (DoS)\n* Spamming \n* Social engineering (including phishing) of 8x8 staff or contractors\n* Any physical attempts against 8x8 property or data centers\n* Missing security headers (e.g. HSTS, CSP, SPF, DMARC)\n* Missing flags on cookies\n* SSL issues (expired certs/weak ciphers/key-size/BEAST/CRIME)\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no security impact\n* Clickjacking\n* Rate limiting or brute force issues\n* General low severity issues reported by automated scanners\n* Attacks requiring MITM or physical access to a user's device\n* Vulnerable libraries or dependencies absent a working **Proof of Concept**\n* Comma Separated Values (CSV) injection\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Tab-nabbing \n* Credential Stuffing:  It is the responsibility of our users to ensure the uniqueness and security of their credentials. 
We strongly advise our users not to reuse passwords from other platforms or services and to utilize multi-factor authentication whenever possible. Any submissions related to Credential Stuffing will be deemed out of scope and will not be rewarded.\n\n### Target Specific Scope Exclusion - connect.8x8.com\n1. IDORs having an unguessable/non-enumerable identifier are out of scope\n    - IDORs in the form of a UUID\n    - IDORs based on `AccountId` and `subAccountId`\n2. When testing support functionality please add \"HackerOne\" in your subject line and limit the number of requests to an absolute minimum.\n\n### Testing Identification\n* Please utilize your [username]@wearehackerone.com alias when submitting information within the applications.\n* To help us identify and classify researcher traffic, 8x8 requests you to include your HackerOne username value to each and every HTTP request made by yourself or any tooling you use. Please use the following format appended to `User-Agent`:\n`X-HackerOne: [H1 username]`\n\n\n\n\u0026nbsp;  \nSafe Harbor \n=========\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\nThank you for helping keep 8x8 and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-07-02T03:05:02.943Z"},{"id":3731408,"new_policy":"**Please review the scope carefully. 
If you believe you've found a security issue in our services not explicitly defined in the scope of this program please submit via our [Responsible Disclosure Program](https://hackerone.com/8x8).**\n\n----\n\u0026nbsp;  \n\n\nAt 8x8, we help companies get their employees, customers and applications talking to make people more connected and productive no matter where they are in the world. At 8x8 we value security and recognize the importance of ensuring the integrity and confidentiality of global communications.\n\n### \u0026nbsp;  8x8 Work\nAll your essential business communications brought together in one simple app.\n⚠️ We are not currently providing accounts for testing.\n\n### \u0026nbsp; 8x8 Virtual Contact Center\nA complete, secure cloud contact center solution that makes it easy to collaborate with agents and improve customer experiences.\n⚠️ Credentials not currently provided.\n⚠️ We will accept one unique report for the application across all related domains as assumed single fix unless proven otherwise. \n\n### Jitsi\nJitsi is a world class open source video meeting solution. We strive to make a flexible and secure video meetings platform with the option of **end-to-end encryption (beta)**.\n⚠️ Have a feature request or bug not related to security? 
Let us know or contribute yourself: https://github.com/jitsi/\n\n### Communication APIs\nEngage customers at scale with SMS, voice, chat apps, and video APIs.\n\n#### Jitsi as a Service\nWorld's easiest way to add video meetings to your apps\n⚠️ Self Sign-up is available: https://jaas.8x8.vc/\n⚠️ [JaaS developer portal](https://developer.8x8.com/jaas/docs/jaas-onboarding)\n\n#### \u0026nbsp; 8x8 Connect\nA multi-channel communication platform designed for businesses who want to work smart, not hard.\n⚠️ Self Sign-up is available: https://connect.8x8.com/\n⚠️ [8x8 CPaaS developer portal](https://developer.8x8.com/connect)\n\n----\n\u0026nbsp;  \n\n\n## Response Targets\n8x8 will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 2 business days\n\n## Disclosure Policy \n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue. \n* Please do not discuss vulnerabilities outside of the program without proper coordination and express consent from 8x8.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder. Please notify us immediately if you encounter exposure of information.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n## Must Read\n### Scope Exclusions \nWhile researching, we'd like to ask you to refrain from: \n* **Any form of automation**\n* Any activity that could lead to the disruption of our service (DoS)\n* Spamming \n* Social engineering (including phishing) of 8x8 staff or contractors\n* Any physical attempts against 8x8 property or data centers\n* Missing security headers (e.g. 
HSTS, CSP, SPF, DMARC)\n* Missing flags on cookies\n* SSL issues (expired certs/weak ciphers/key-size/BEAST/CRIME)\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no security impact\n* Clickjacking\n* Rate limiting or brute force issues\n* General low severity issues reported by automated scanners\n* Attacks requiring MITM or physical access to a user's device\n* Vulnerable libraries or dependencies absent a working **Proof of Concept**\n* Comma Separated Values (CSV) injection\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Tab-nabbing \n* Credential Stuffing:  It is the responsibility of our users to ensure the uniqueness and security of their credentials. We strongly advise our users not to reuse passwords from other platforms or services and to utilize multi-factor authentication whenever possible. Any submissions related to Credential Stuffing will be deemed out of scope and will not be rewarded.\n\n### Target Specific Scope Exclusion - connect.8x8.com\n1. IDORs having an unguessable/non-enumerable identifier are out of scope\n    - IDORs in the form of a UUID\n    - IDORs based on `AccountId` and `subAccountId`\n2. 
When testing support functionality please add \"HackerOne\" in your subject line and limit the number of requests to an absolute minimum.\n\n### Testing Identification\n* Please utilize your [username]@wearehackerone.com alias when submitting information within the applications.\n* To help us identify and classify researcher traffic, 8x8 requests you to include your HackerOne username value to each and every HTTP request made by yourself or any tooling you use. Please use the following format appended to `User-Agent`:\n`X-HackerOne: [H1 username]`\n\n\n\n\u0026nbsp;  \nSafe Harbor \n=========\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\nThank you for helping keep 8x8 and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-07-02T03:03:10.423Z"},{"id":3731407,"new_policy":"**Please review the scope carefully. If you believe you've found a security issue in our services not explicitly defined in the scope of this program please submit via our [Responsible Disclosure Program](https://hackerone.com/8x8).**\n\n----\n\u0026nbsp;  \n\n\nAt 8x8, we help companies get their employees, customers and applications talking to make people more connected and productive no matter where they are in the world. 
At 8x8 we value security and recognize the importance of ensuring the integrity and confidentiality of global communications.\n\n### \u0026nbsp;  8x8 Work\nAll your essential business communications brought together in one simple app.\n⚠️ We are not currently providing accounts for testing.\n\n### 8x8 Virtual Contact Center\nA complete, secure cloud contact center solution that makes it easy to collaborate with agents and improve customer experiences.\n⚠️ Credentials not currently provided.\n⚠️ We will accept one unique report for the application across all related domains as assumed single fix unless proven otherwise. \n\n### Jitsi\nJitsi is a world class open source video meeting solution. We strive to make a flexible and secure video meetings platform with the option of **end-to-end encryption (beta)**.\n⚠️ Have a feature request or bug not related to security? Let us know or contribute yourself: https://github.com/jitsi/\n\n### Communication APIs\nEngage customers at scale with SMS, voice, chat apps, and video APIs.\n\n#### Jitsi as a Service\nWorld's easiest way to add video meetings to your apps\n⚠️ Self Sign-up is available: https://jaas.8x8.vc/\n⚠️ [JaaS developer portal](https://developer.8x8.com/jaas/docs/jaas-onboarding)\n\n#### 8x8 Connect\nA multi-channel communication platform designed for businesses who want to work smart, not hard.\n⚠️ Self Sign-up is available: https://connect.8x8.com/\n⚠️ [8x8 CPaaS developer portal](https://developer.8x8.com/connect)\n\n----\n\u0026nbsp;  \n\n\n## Response Targets\n8x8 will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 2 business days\n\n## Disclosure Policy \n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue. 
\n* Please do not discuss vulnerabilities outside of the program without proper coordination and express consent from 8x8.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder. Please notify us immediately if you encounter exposure of information.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n## Must Read\n### Scope Exclusions \nWhile researching, we'd like to ask you to refrain from: \n* **Any form of automation**\n* Any activity that could lead to the disruption of our service (DoS)\n* Spamming \n* Social engineering (including phishing) of 8x8 staff or contractors\n* Any physical attempts against 8x8 property or data centers\n* Missing security headers (e.g. HSTS, CSP, SPF, DMARC)\n* Missing flags on cookies\n* SSL issues (expired certs/weak ciphers/key-size/BEAST/CRIME)\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no security impact\n* Clickjacking\n* Rate limiting or brute force issues\n* General low severity issues reported by automated scanners\n* Attacks requiring MITM or physical access to a user's device\n* Vulnerable libraries or dependencies absent a working **Proof of Concept**\n* Comma Separated Values (CSV) injection\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Tab-nabbing \n* Credential Stuffing:  It is the responsibility of our users to ensure the uniqueness and security of their credentials. 
We strongly advise our users not to reuse passwords from other platforms or services and to utilize multi-factor authentication whenever possible. Any submissions related to Credential Stuffing will be deemed out of scope and will not be rewarded.\n\n### Target Specific Scope Exclusion - connect.8x8.com\n1. IDORs having an unguessable/non-enumerable identifier are out of scope\n    - IDORs in the form of a UUID\n    - IDORs based on `AccountId` and `subAccountId`\n2. When testing support functionality please add \"HackerOne\" in your subject line and limit the number of requests to an absolute minimum.\n\n### Testing Identification\n* Please utilize your [username]@wearehackerone.com alias when submitting information within the applications.\n* To help us identify and classify researcher traffic, 8x8 requests you to include your HackerOne username value to each and every HTTP request made by yourself or any tooling you use. Please use the following format appended to `User-Agent`:\n`X-HackerOne: [H1 username]`\n\n\n\n\u0026nbsp;  \nSafe Harbor \n=========\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\nThank you for helping keep 8x8 and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-07-02T03:02:14.538Z"},{"id":3731406,"new_policy":"**Please review the scope carefully. 
If you believe you've found a security issue in our services not explicitly defined in the scope of this program please submit via our [Responsible Disclosure Program](https://hackerone.com/8x8).**\n\n----\n\u0026nbsp;  \n\n\nAt 8x8, we help companies get their employees, customers and applications talking to make people more connected and productive no matter where they are in the world. At 8x8 we value security and recognize the importance of ensuring the integrity and confidentiality of global communications.\n\n### 8x8 Work\nAll your essential business communications brought together in one simple app.\n⚠️ We are not currently providing accounts for testing.\n\n### 8x8 Virtual Contact Center\nA complete, secure cloud contact center solution that makes it easy to collaborate with agents and improve customer experiences.\n⚠️ Credentials not currently provided.\n⚠️ We will accept one unique report for the application across all related domains as assumed single fix unless proven otherwise. \n\n### Jitsi\nJitsi is a world class open source video meeting solution. We strive to make a flexible and secure video meetings platform with the option of **end-to-end encryption (beta)**.\n⚠️ Have a feature request or bug not related to security? 
Let us know or contribute yourself: https://github.com/jitsi/\n\n### Communication APIs\nEngage customers at scale with SMS, voice, chat apps, and video APIs.\n#### Jitsi as a Service\nWorld's easiest way to add video meetings to your apps\n⚠️ Self Sign-up is available: https://jaas.8x8.vc/\n⚠️ [JaaS developer portal](https://developer.8x8.com/jaas/docs/jaas-onboarding)\n#### 8x8 Connect\nA multi-channel communication platform designed for businesses who want to work smart, not hard.\n⚠️ Self Sign-up is available: https://connect.8x8.com/\n⚠️ [8x8 CPaaS developer portal](https://developer.8x8.com/connect)\n\n----\n\u0026nbsp;  \n\n\n## Response Targets\n8x8 will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 2 business days\n\n## Disclosure Policy \n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue. \n* Please do not discuss vulnerabilities outside of the program without proper coordination and express consent from 8x8.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder. Please notify us immediately if you encounter exposure of information.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n## Must Read\n### Scope Exclusions \nWhile researching, we'd like to ask you to refrain from: \n* **Any form of automation**\n* Any activity that could lead to the disruption of our service (DoS)\n* Spamming \n* Social engineering (including phishing) of 8x8 staff or contractors\n* Any physical attempts against 8x8 property or data centers\n* Missing security headers (e.g. 
HSTS, CSP, SPF, DMARC)\n* Missing flags on cookies\n* SSL issues (expired certs/weak ciphers/key-size/BEAST/CRIME)\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no security impact\n* Clickjacking\n* Rate limiting or brute force issues\n* General low severity issues reported by automated scanners\n* Attacks requiring MITM or physical access to a user's device\n* Vulnerable libraries or dependencies absent a working **Proof of Concept**\n* Comma Separated Values (CSV) injection\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Tab-nabbing \n* Credential Stuffing:  It is the responsibility of our users to ensure the uniqueness and security of their credentials. We strongly advise our users not to reuse passwords from other platforms or services and to utilize multi-factor authentication whenever possible. Any submissions related to Credential Stuffing will be deemed out of scope and will not be rewarded.\n\n### Target Specific Scope Exclusion - connect.8x8.com\n1. IDORs having an unguessable/non-enumerable identifier are out of scope\n    - IDORs in the form of a UUID\n    - IDORs based on `AccountId` and `subAccountId`\n2. 
When testing support functionality please add \"HackerOne\" in your subject line and limit the number of requests to an absolute minimum.\n\n### Testing Identification\n* Please utilize your [username]@wearehackerone.com alias when submitting information within the applications.\n* To help us identify and classify researcher traffic, 8x8 requests you to include your HackerOne username value to each and every HTTP request made by yourself or any tooling you use. Please use the following format appended to `User-Agent`:\n`X-HackerOne: [H1 username]`\n\n\n\n\u0026nbsp;  \nSafe Harbor \n=========\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\nThank you for helping keep 8x8 and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-07-02T03:00:58.810Z"},{"id":3731405,"new_policy":"**Please review the scope carefully. If you believe you've found a security issue in our services not explicitly defined in the scope of this program please submit via our [Responsible Disclosure Program](https://hackerone.com/8x8).**\n\n----\n\u0026nbsp;  \n\n\nAt 8x8, we help companies get their employees, customers and applications talking to make people more connected and productive no matter where they are in the world. 
At 8x8 we value security and recognize the importance of ensuring the integrity and confidentiality of global communications.\n\n**8x8 Work** - We are not currently providing accounts for testing.\n\n**8x8 Virtual Contact Center** - Credentials not currently provided. We will accept one unique report for the application across all related domains as assumed single fix unless proven otherwise. \n\n**Jitsi** is a world class open source video meeting solution. We strive to make a flexible and secure video meetings platform with the option of **end-to-end encryption (beta)**. Have a feature request or bug not related to security? Let us know or contribute yourself: https://github.com/jitsi/\n\n----\n\u0026nbsp;  \n\n\n## Response Targets\n8x8 will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business days\n* Time to triage (from report submit) - 2 business days\n\n## Disclosure Policy \n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue. \n* Please do not discuss vulnerabilities outside of the program without proper coordination and express consent from 8x8.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder. 
Please notify us immediately if you encounter exposure of information.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n## Must Read\n### Scope Exclusions \nWhile researching, we'd like to ask you to refrain from: \n* **Any form of automation**\n* Any activity that could lead to the disruption of our service (DoS)\n* Spamming \n* Social engineering (including phishing) of 8x8 staff or contractors\n* Any physical attempts against 8x8 property or data centers\n* Missing security headers (eg. HSTS, CSP, SPF, DMARC)\n* Missing flags on cookies\n* SSL issues (expired certs/weak ciphers/key-size/BEAST/CRIME)\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no security impact\n* Clickjacking\n* Rate limiting or brute force issues\n* General low severity issues reported by automated scanners\n* Attacks requiring MITM or physical access to a user's device\n* Vulnerable libraries or dependencies absent a working **Proof of Concept**\n* Comma Separated Values (CSV) injection\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Tab-nabbing \n* Credential Stuffing:  It is the responsibility of our users to ensure the uniqueness and security of their credentials. We strongly advise our users not to reuse passwords from other platforms or services and to utilize multi-factor authentication whenever possible. Any submissions related to Credential Stuffing will be deemed out of scope and will not be rewarded.\n\n### Target Specific Scope Exclusion - connect.8x8.com\n1. 
IDORs having unguessable/non-enumerable identifier are out of scope\n    - IDORs in form of an UUID\n    - IDORs based on `AccountId` and `subAccountId`\n2. When testing support functionality please add \"HackerOne\" in your subject line and limit the number of requests to an absolute minimum.\n\n### Testing Identification\n* Please utilize your [username]@wearehackerone.com alias when submitting information within the applications.\n* To help us identify and classify researcher traffic, 8x8 requests you to include your HackerOne username value to each and every HTTP request made by yourself or any tooling you use. Please use the following format appended to `User-Agent`:\n`X-HackerOne: [H1 username]`\n\n\n\n\u0026nbsp;  \nSafe Harbor \n=========\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\nThank you for helping keep 8x8 and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-07-02T02:42:24.178Z"},{"id":3731404,"new_policy":"**Please review the scope carefully. If you believe you've found a security issue in our services not explicitly defined the scope of this program please submit via our [Responsible Disclosure Program](https://hackerone.com/8x8).**\n\n----\n\u0026nbsp;  \n\n\nAt 8x8, we help companies get their employees, customers and applications talking to make people more connected and productive no matter where they are in the world. 
At 8x8 we value security and recognize the importance of ensuring the integrity and confidentiality of global communications.\n\n**8x8 Work** - We are not currently providing accounts for testing.\n\n**8x8 Virtual Contact Center** - Credentials not currently provided. We will accept one unique report for the application across all related domains as assumed single fix unless proven otherwise. \n\n**Jitsi** is a world class open source video meeting solution. We strive to make a flexible and secure video meetings platform with the option of **end-to-end encryption (beta)**. Have a feature request or bug not related to security? Let us know or contribute yourself: https://github.com/jitsi/\n\n\n## Response Targets\n8x8 will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business days\n* Time to triage (from report submit) - 2 business days\n\n## Disclosure Policy \n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue. \n* Please do not discuss vulnerabilities outside of the program without proper coordination and express consent from 8x8.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder. 
Please notify us immediately if you encounter exposure of information.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n## Must Read\n### Scope Exclusions \nWhile researching, we'd like to ask you to refrain from: \n* **Any form of automation**\n* Any activity that could lead to the disruption of our service (DoS)\n* Spamming \n* Social engineering (including phishing) of 8x8 staff or contractors\n* Any physical attempts against 8x8 property or data centers\n* Missing security headers (eg. HSTS, CSP, SPF, DMARC)\n* Missing flags on cookies\n* SSL issues (expired certs/weak ciphers/key-size/BEAST/CRIME)\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no security impact\n* Clickjacking\n* Rate limiting or brute force issues\n* General low severity issues reported by automated scanners\n* Attacks requiring MITM or physical access to a user's device\n* Vulnerable libraries or dependencies absent a working **Proof of Concept**\n* Comma Separated Values (CSV) injection\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Tab-nabbing \n* Credential Stuffing:  It is the responsibility of our users to ensure the uniqueness and security of their credentials. We strongly advise our users not to reuse passwords from other platforms or services and to utilize multi-factor authentication whenever possible. Any submissions related to Credential Stuffing will be deemed out of scope and will not be rewarded.\n\n### Target Specific Scope Exclusion - connect.8x8.com\n1. 
IDORs having unguessable/non-enumerable identifier are out of scope\n    - IDORs in form of an UUID\n    - IDORs based on `AccountId` and `subAccountId`\n2. When testing support functionality please add \"HackerOne\" in your subject line and limit the number of requests to an absolute minimum.\n\n### Testing Identification\n* Please utilize your [username]@wearehackerone.com alias when submitting information within the applications.\n* To help us identify and classify researcher traffic, 8x8 requests you to include your HackerOne username value to each and every HTTP request made by yourself or any tooling you use. Please use the following format appended to `User-Agent`:\n`X-HackerOne: [H1 username]`\n\n\n\n\u0026nbsp;  \nSafe Harbor \n=========\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\nThank you for helping keep 8x8 and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-07-02T02:41:57.731Z"},{"id":3731403,"new_policy":"**Please review the scope carefully. If you believe you've found a security issue in our services not explicitly defined the scope of this program please submit via our [Responsible Disclosure Program](https://hackerone.com/8x8).**\n\n----\n\u0026nbsp;  \n\n\nAt 8x8, we help companies get their employees, customers and applications talking to make people more connected and productive no matter where they are in the world. 
At 8x8 we value security and recognize the importance of ensuring the integrity and confidentiality of global communications.\n\n**8x8 Work** - We are not currently providing accounts for testing.\n\n**8x8 Virtual Contact Center** - Credentials not currently provided. We will accept one unique report for the application across all related domains as assumed single fix unless proven otherwise. \n\n**Jitsi** is a world class open source video meeting solution. We strive to make a flexible and secure video meetings platform with the option of **end-to-end encryption (beta)**. Have a feature request or bug not related to security? Let us know or contribute yourself: https://github.com/jitsi/\n\n\n\n\u0026nbsp;  \n## Response Targets\n8x8 will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business days\n* Time to triage (from report submit) - 2 business days\n\n## Disclosure Policy \n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue. \n* Please do not discuss vulnerabilities outside of the program without proper coordination and express consent from 8x8.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder. 
Please notify us immediately if you encounter exposure of information.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n## Must Read\n### Scope Exclusions \nWhile researching, we'd like to ask you to refrain from: \n* **Any form of automation**\n* Any activity that could lead to the disruption of our service (DoS)\n* Spamming \n* Social engineering (including phishing) of 8x8 staff or contractors\n* Any physical attempts against 8x8 property or data centers\n* Missing security headers (eg. HSTS, CSP, SPF, DMARC)\n* Missing flags on cookies\n* SSL issues (expired certs/weak ciphers/key-size/BEAST/CRIME)\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no security impact\n* Clickjacking\n* Rate limiting or brute force issues\n* General low severity issues reported by automated scanners\n* Attacks requiring MITM or physical access to a user's device\n* Vulnerable libraries or dependencies absent a working **Proof of Concept**\n* Comma Separated Values (CSV) injection\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Tab-nabbing \n* Credential Stuffing:  It is the responsibility of our users to ensure the uniqueness and security of their credentials. We strongly advise our users not to reuse passwords from other platforms or services and to utilize multi-factor authentication whenever possible. Any submissions related to Credential Stuffing will be deemed out of scope and will not be rewarded.\n\n### Target Specific Scope Exclusion - connect.8x8.com\n1. 
IDORs having unguessable/non-enumerable identifier are out of scope\n    - IDORs in form of an UUID\n    - IDORs based on `AccountId` and `subAccountId`\n2. When testing support functionality please add \"HackerOne\" in your subject line and limit the number of requests to an absolute minimum.\n\n### Testing Identification\n* Please utilize your [username]@wearehackerone.com alias when submitting information within the applications.\n* To help us identify and classify researcher traffic, 8x8 requests you to include your HackerOne username value to each and every HTTP request made by yourself or any tooling you use. Please use the following format appended to `User-Agent`:\n`X-HackerOne: [H1 username]`\n\n\n\n\u0026nbsp;  \nSafe Harbor \n=========\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\nThank you for helping keep 8x8 and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-07-02T02:41:33.323Z"},{"id":3731402,"new_policy":"**Please review the scope carefully. If you believe you've found a security issue in our services not explicitly defined the scope of this program please submit via our [Responsible Disclosure Program](https://hackerone.com/8x8).**\n\n----\n\u0026nbsp;  \n\n\nAt 8x8, we help companies get their employees, customers and applications talking to make people more connected and productive no matter where they are in the world. 
At 8x8 we value security and recognize the importance of ensuring the integrity and confidentiality of global communications.\n\n**8x8 Work** - We are not currently providing accounts for testing.\n\n**8x8 Virtual Contact Center** - Credentials not currently provided. We will accept one unique report for the application across all related domains as assumed single fix unless proven otherwise. \n\n**Jitsi** is a world class open source video meeting solution. We strive to make a flexible and secure video meetings platform with the option of **end-to-end encryption (beta)**. Have a feature request or bug not related to security? Let us know or contribute yourself: https://github.com/jitsi/\n\n\n\n\u0026nbsp;  \nResponse Targets\n==============\n8x8 will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business days\n* Time to triage (from report submit) - 2 business days\n\n\u0026nbsp;  \nDisclosure Policy \n=============\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue. \n* Please do not discuss vulnerabilities outside of the program without proper coordination and express consent from 8x8.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder. 
Please notify us immediately if you encounter exposure of information.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n## Must Read\n### Scope Exclusions \nWhile researching, we'd like to ask you to refrain from: \n* **Any form of automation**\n* Any activity that could lead to the disruption of our service (DoS)\n* Spamming \n* Social engineering (including phishing) of 8x8 staff or contractors\n* Any physical attempts against 8x8 property or data centers\n* Missing security headers (eg. HSTS, CSP, SPF, DMARC)\n* Missing flags on cookies\n* SSL issues (expired certs/weak ciphers/key-size/BEAST/CRIME)\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no security impact\n* Clickjacking\n* Rate limiting or brute force issues\n* General low severity issues reported by automated scanners\n* Attacks requiring MITM or physical access to a user's device\n* Vulnerable libraries or dependencies absent a working **Proof of Concept**\n* Comma Separated Values (CSV) injection\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Tab-nabbing \n* Credential Stuffing:  It is the responsibility of our users to ensure the uniqueness and security of their credentials. We strongly advise our users not to reuse passwords from other platforms or services and to utilize multi-factor authentication whenever possible. Any submissions related to Credential Stuffing will be deemed out of scope and will not be rewarded.\n\n### Target Specific Scope Exclusion - connect.8x8.com\n1. 
IDORs having unguessable/non-enumerable identifier are out of scope\n    - IDORs in form of an UUID\n    - IDORs based on `AccountId` and `subAccountId`\n2. When testing support functionality please add \"HackerOne\" in your subject line and limit the number of requests to an absolute minimum.\n\n### Testing Identification\n* Please utilize your [username]@wearehackerone.com alias when submitting information within the applications.\n* To help us identify and classify researcher traffic, 8x8 requests you to include your HackerOne username value to each and every HTTP request made by yourself or any tooling you use. Please use the following format appended to `User-Agent`:\n`X-HackerOne: [H1 username]`\n\n\n\n\u0026nbsp;  \nSafe Harbor \n=========\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\nThank you for helping keep 8x8 and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-07-02T02:39:34.916Z"},{"id":3699930,"new_policy":"**Please review the scope carefully. If you believe you've found a security issue in our services not explicitly defined the scope of this program please submit via our [Responsible Disclosure Program](https://hackerone.com/8x8).**\n\n## Testing Identification\nPlease utilize your [username]@wearehackerone.com alias when submitting information within the applications. 
To help us identify and classify researcher traffic, 8x8 requests you to include your HackerOne username value to each and every HTTP request made by yourself or any tooling you use. Please use the format below appended to User-Agent:\n`X-HackerOne: [H1 username]`\n\n\n----\n\u0026nbsp;  \n\n\nAt 8x8, we help companies get their employees, customers and applications talking to make people more connected and productive no matter where they are in the world. At 8x8 we value security and recognize the importance of ensuring the integrity and confidentiality of global communications.\n\n**8x8 Work** - We are not currently providing accounts for testing.\n\n**8x8 Virtual Contact Center** - Credentials not currently provided. We will accept one unique report for the application across all related domains as assumed single fix unless proven otherwise. \n\n**Jitsi** is a world class open source video meeting solution. We strive to make a flexible and secure video meetings platform with the option of **end-to-end encryption (beta)**. Have a feature request or bug not related to security? Let us know or contribute yourself: https://github.com/jitsi/\n\n\n\n\u0026nbsp;  \nResponse Targets\n==============\n8x8 will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business days\n* Time to triage (from report submit) - 2 business days\n\n\u0026nbsp;  \nDisclosure Policy \n=============\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue. \n* Please do not discuss vulnerabilities outside of the program without proper coordination and express consent from 8x8.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder. 
Please notify us immediately if you encounter exposure of information.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n\u0026nbsp;\nExclusions \n========\nWhile researching, we'd like to ask you to refrain from: \n* **Any form of automation**\n* Any activity that could lead to the disruption of our service (DoS)\n* Spamming \n* Social engineering (including phishing) of 8x8 staff or contractors\n* Any physical attempts against 8x8 property or data centers\n* Missing security headers (eg. HSTS, CSP, SPF, DMARC)\n* Missing flags on cookies\n* SSL issues (expired certs/weak ciphers/key-size/BEAST/CRIME)\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no security impact\n* Clickjacking\n* Rate limiting or brute force issues\n* General low severity issues reported by automated scanners\n* Attacks requiring MITM or physical access to a user's device\n* Vulnerable libraries or dependencies absent a working **Proof of Concept**\n* Comma Separated Values (CSV) injection\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Tab-nabbing \n* Credential Stuffing:  It is the responsibility of our users to ensure the uniqueness and security of their credentials. We strongly advise our users not to reuse passwords from other platforms or services and to utilize multi-factor authentication whenever possible. Any submissions related to Credential Stuffing will be deemed out of scope and will not be rewarded.\n\n\u0026nbsp;\nTarget Specific Exclusion - connect.8x8.com\n-----------\n1. 
IDORs having unguessable/non-enumerable identifier are out of scope\n    - IDORs in form of an UUID\n    - IDORs based on `AccountId` and `subAccountId`\n2. When testing support functionality please add \"HackerOne\" in your subject line and limit the number of requests to an absolute minimum.\n\n\u0026nbsp;  \nSafe Harbor \n=========\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\nThank you for helping keep 8x8 and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-08-15T16:21:06.366Z"},{"id":3686519,"new_policy":"**Please review the scope carefully. If you believe you've found a security issue in our services not explicitly defined the scope of this program please submit via our [Responsible Disclosure Program](https://hackerone.com/8x8).**\n\n## Testing Identification\nPlease utilize your [username]@wearehackerone.com alias when submitting information within the applications. To help us identify and classify researcher traffic, 8x8 requests you to include your HackerOne username value to each and every HTTP request made by yourself or any tooling you use. Please use the format below appended to User-Agent:\n`X-HackerOne: [H1 username]`\n\n\n----\n\u0026nbsp;  \n\n\nAt 8x8, we help companies get their employees, customers and applications talking to make people more connected and productive no matter where they are in the world. 
At 8x8 we value security and recognize the importance of ensuring the integrity and confidentiality of global communications.\n\n**8x8 Work** - We are not currently providing accounts for testing.\n\n**8x8 Virtual Contact Center** - Credentials not currently provided. We will accept one unique report for the application across all related domains as assumed single fix unless proven otherwise. \n\n**Jitsi** is a world class open source video meeting solution. We strive to make a flexible and secure video meetings platform with the option of **end-to-end encryption (beta)**. Have a feature request or bug not related to security? Let us know or contribute yourself: https://github.com/jitsi/\n\n\n\n\u0026nbsp;  \nResponse Targets\n==============\n8x8 will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business days\n* Time to triage (from report submit) - 2 business days\n\n\u0026nbsp;  \nDisclosure Policy \n=============\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue. \n* Please do not discuss vulnerabilities outside of the program without proper coordination and express consent from 8x8.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder. 
Please notify us immediately if you encounter exposure of information.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n\u0026nbsp;\nExclusions \n========\nWhile researching, we'd like to ask you to refrain from: \n* **Any form of automation**\n* Any activity that could lead to the disruption of our service (DoS)\n* Spamming \n* Social engineering (including phishing) of 8x8 staff or contractors\n* Any physical attempts against 8x8 property or data centers\n* Missing security headers (eg. HSTS, CSP, SPF, DMARC)\n* Missing flags on cookies\n* SSL issues (expired certs/weak ciphers/key-size/BEAST/CRIME)\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no security impact\n* Clickjacking\n* Rate limiting or brute force issues\n* General low severity issues reported by automated scanners\n* Attacks requiring MITM or physical access to a user's device\n* Vulnerable libraries or dependencies absent a working **Proof of Concept**\n* Comma Separated Values (CSV) injection\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Tab-nabbing \n\n\u0026nbsp;\nTarget Specific Exclusion - connect.8x8.com\n-----------\n1. IDORs having unguessable/non-enumerable identifier are out of scope\n    - IDORs in form of an UUID\n    - IDORs based on `AccountId` and `subAccountId`\n2. 
When testing support functionality please add \"HackerOne\" in your subject line and limit the number of requests to an absolute minimum.\n\n\u0026nbsp;  \nSafe Harbor \n=========\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\nThank you for helping keep 8x8 and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-04-24T18:09:11.909Z"},{"id":3685263,"new_policy":"********\n\u0026nbsp;\nCALLING ALL PHREAKS!\nAnnouncing *2X* bounty payout for all reports related to **SIP** or **Jabber** protocols.\n\n********\n\u0026nbsp;\n\n**Please review the scope carefully. If you believe you've found a security issue in our services not explicitly defined the scope of this program please submit via our [Responsible Disclosure Program](https://hackerone.com/8x8).**\n\n## Testing Identification\nPlease utilize your [username]@wearehackerone.com alias when submitting information within the applications. To help us identify and classify researcher traffic, 8x8 requests you to include your HackerOne username value to each and every HTTP request made by yourself or any tooling you use. Please use the format below appended to User-Agent:\n`X-HackerOne: [H1 username]`\n\n\n----\n\u0026nbsp;  \n\n\nAt 8x8, we help companies get their employees, customers and applications talking to make people more connected and productive no matter where they are in the world. 
At 8x8 we value security and recognize the importance of ensuring the integrity and confidentiality of global communications.\n\n**8x8 Work** - We are not currently providing accounts for testing.\n\n**8x8 Virtual Contact Center** - Credentials not currently provided. We will accept one unique report for the application across all related domains as assumed single fix unless proven otherwise. \n\n**Jitsi** is a world class open source video meeting solution. We strive to make a flexible and secure video meetings platform with the option of **end-to-end encryption (beta)**. Have a feature request or bug not related to security? Let us know or contribute yourself: https://github.com/jitsi/\n\n\n\n\u0026nbsp;  \nResponse Targets\n==============\n8x8 will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 2 business days\n\n\u0026nbsp;  \nDisclosure Policy \n=============\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue. \n* Please do not discuss vulnerabilities outside of the program without proper coordination and express consent from 8x8.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder. 
Please notify us immediately if you encounter exposure of information.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n\u0026nbsp;\nExclusions \n========\nWhile researching, we'd like to ask you to refrain from: \n* **Any form of automation**\n* Any activity that could lead to the disruption of our service (DoS)\n* Spamming \n* Social engineering (including phishing) of 8x8 staff or contractors\n* Any physical attempts against 8x8 property or data centers\n* Missing security headers (e.g. HSTS, CSP, SPF, DMARC)\n* Missing flags on cookies\n* SSL issues (expired certs/weak ciphers/key-size/BEAST/CRIME)\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no security impact\n* Clickjacking\n* Rate limiting or brute force issues\n* General low severity issues reported by automated scanners\n* Attacks requiring MITM or physical access to a user's device\n* Vulnerable libraries or dependencies absent a working **Proof of Concept**\n* Comma Separated Values (CSV) injection\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Tab-nabbing \n\n\u0026nbsp;\nTarget Specific Exclusion - connect.8x8.com\n-----------\n1. IDORs with an unguessable/non-enumerable identifier are out of scope\n    - IDORs in the form of a UUID\n    - IDORs based on `AccountId` and `subAccountId`\n2. 
When testing support functionality please add \"HackerOne\" in your subject line and limit the number of requests to an absolute minimum.\n\n\u0026nbsp;  \nSafe Harbor \n=========\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\nThank you for helping keep 8x8 and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-03-23T01:02:51.416Z"},{"id":3684259,"new_policy":"**Please review the scope carefully. If you believe you've found a security issue in our services not explicitly defined in the scope of this program please submit via our [Responsible Disclosure Program](https://hackerone.com/8x8).**\n\n## Testing Identification\nPlease utilize your [username]@wearehackerone.com alias when submitting information within the applications. To help us identify and classify researcher traffic, 8x8 requests that you include your HackerOne username value in each and every HTTP request made by yourself or any tooling you use. Please use the format below appended to User-Agent:\n`X-HackerOne: [H1 username]`\n\n\n----\n\u0026nbsp;  \n\n\nAt 8x8, we help companies get their employees, customers and applications talking to make people more connected and productive no matter where they are in the world. 
At 8x8 we value security and recognize the importance of ensuring the integrity and confidentiality of global communications.\n\n**8x8 Work** - We are not currently providing accounts for testing.\n\n**8x8 Virtual Contact Center** - Credentials not currently provided. We will accept one unique report for the application across all related domains as assumed single fix unless proven otherwise. \n\n**Jitsi** is a world class open source video meeting solution. We strive to make a flexible and secure video meetings platform with the option of **end-to-end encryption (beta)**. Have a feature request or bug not related to security? Let us know or contribute yourself: https://github.com/jitsi/\n\n\n\n\u0026nbsp;  \nResponse Targets\n==============\n8x8 will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 2 business days\n\n\u0026nbsp;  \nDisclosure Policy \n=============\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue. \n* Please do not discuss vulnerabilities outside of the program without proper coordination and express consent from 8x8.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder. 
Please notify us immediately if you encounter exposure of information.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n\u0026nbsp;\nExclusions \n========\nWhile researching, we'd like to ask you to refrain from: \n* **Any form of automation**\n* Any activity that could lead to the disruption of our service (DoS)\n* Spamming \n* Social engineering (including phishing) of 8x8 staff or contractors\n* Any physical attempts against 8x8 property or data centers\n* Missing security headers (e.g. HSTS, CSP, SPF, DMARC)\n* Missing flags on cookies\n* SSL issues (expired certs/weak ciphers/key-size/BEAST/CRIME)\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no security impact\n* Clickjacking\n* Rate limiting or brute force issues\n* General low severity issues reported by automated scanners\n* Attacks requiring MITM or physical access to a user's device\n* Vulnerable libraries or dependencies absent a working **Proof of Concept**\n* Comma Separated Values (CSV) injection\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Tab-nabbing \n\n\u0026nbsp;\nTarget Specific Exclusion - connect.8x8.com\n-----------\n1. IDORs with an unguessable/non-enumerable identifier are out of scope\n    - IDORs in the form of a UUID\n    - IDORs based on `AccountId` and `subAccountId`\n2. 
When testing support functionality please add \"HackerOne\" in your subject line and limit the number of requests to an absolute minimum.\n\n\u0026nbsp;  \nSafe Harbor \n=========\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\nThank you for helping keep 8x8 and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-03-04T00:01:36.653Z"},{"id":3684257,"new_policy":"**Please review the scope carefully. If you believe you've found a security issue in our services not explicitly defined in the scope of this program please submit via our [Responsible Disclosure Program](https://hackerone.com/8x8).**\n\n## Testing Identification\nPlease utilize your *@wearehackerone.com alias when submitting information within the applications. To help us identify and classify researcher traffic, 8x8 requests that you include your HackerOne username value in each and every HTTP request made by yourself or any tooling you use. Please use the format below appended to User-Agent:\n`X-HackerOne: [H1 username]`\n\n\n----\n\u0026nbsp;  \n\n\nAt 8x8, we help companies get their employees, customers and applications talking to make people more connected and productive no matter where they are in the world. 
At 8x8 we value security and recognize the importance of ensuring the integrity and confidentiality of global communications.\n\n**8x8 Work** - We are not currently providing accounts for testing.\n\n**8x8 Virtual Contact Center** - Credentials not currently provided. We will accept one unique report for the application across all related domains as assumed single fix unless proven otherwise. \n\n**Jitsi** is a world class open source video meeting solution. We strive to make a flexible and secure video meetings platform with the option of **end-to-end encryption (beta)**. Have a feature request or bug not related to security? Let us know or contribute yourself: https://github.com/jitsi/\n\n\n\n\u0026nbsp;  \nResponse Targets\n==============\n8x8 will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 2 business days\n\n\u0026nbsp;  \nDisclosure Policy \n=============\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue. \n* Please do not discuss vulnerabilities outside of the program without proper coordination and express consent from 8x8.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder. 
Please notify us immediately if you encounter exposure of information.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n\u0026nbsp;\nExclusions \n========\nWhile researching, we'd like to ask you to refrain from: \n* **Any form of automation**\n* Any activity that could lead to the disruption of our service (DoS)\n* Spamming \n* Social engineering (including phishing) of 8x8 staff or contractors\n* Any physical attempts against 8x8 property or data centers\n* Missing security headers (e.g. HSTS, CSP, SPF, DMARC)\n* Missing flags on cookies\n* SSL issues (expired certs/weak ciphers/key-size/BEAST/CRIME)\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no security impact\n* Clickjacking\n* Rate limiting or brute force issues\n* General low severity issues reported by automated scanners\n* Attacks requiring MITM or physical access to a user's device\n* Vulnerable libraries or dependencies absent a working **Proof of Concept**\n* Comma Separated Values (CSV) injection\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Tab-nabbing \n\n\u0026nbsp;\nTarget Specific Exclusion - connect.8x8.com\n-----------\n1. IDORs with an unguessable/non-enumerable identifier are out of scope\n    - IDORs in the form of a UUID\n    - IDORs based on `AccountId` and `subAccountId`\n2. 
When testing support functionality please add \"HackerOne\" in your subject line and limit the number of requests to an absolute minimum.\n\n\u0026nbsp;  \nSafe Harbor \n=========\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\nThank you for helping keep 8x8 and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-03-03T23:56:31.428Z"},{"id":3683074,"new_policy":"**Please review the scope carefully. If you believe you've found a security issue in our services not explicitly defined in the scope of this program please submit via our [Responsible Disclosure Program](https://hackerone.com/8x8).**\n\nAt 8x8, we help companies get their employees, customers and applications talking to make people more connected and productive no matter where they are in the world. At 8x8 we value security and recognize the importance of ensuring the integrity and confidentiality of global communications.\n \n**8x8 Work** - We are not currently providing accounts for testing; however, you can sign up for our Express product with the first month free. Please utilize your [username]@wearehackerone.com address when creating an account. *After account creation you must go to the admin section and provision a phone number before it will be active for use within the 8x8 Work application.*\nhttps://www.8x8.com/products/express?signup=express\n\n**8x8 Virtual Contact Center** - Credentials not currently provided. 
We will accept one unique report for the application across all related domains as assumed single fix unless proven otherwise. \n\n**Jitsi** is a world class open source video meeting solution. We strive to make a flexible and secure video meetings platform with the option of **end-to-end encryption (beta)**. Have a feature request or bug not related to security? Let us know or contribute yourself: https://github.com/jitsi/\n\n\n\n\u0026nbsp;  \nResponse Targets\n==============\n8x8 will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 2 business days\n\n\u0026nbsp;  \nDisclosure Policy \n=============\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue. \n* Please do not discuss vulnerabilities outside of the program without proper coordination and express consent from 8x8.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder. Please notify us immediately if you encounter exposure of information.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n\u0026nbsp;\nExclusions \n========\nWhile researching, we'd like to ask you to refrain from: \n* **Any form of automation**\n* Any activity that could lead to the disruption of our service (DoS)\n* Spamming \n* Social engineering (including phishing) of 8x8 staff or contractors\n* Any physical attempts against 8x8 property or data centers\n* Missing security headers (e.g. 
HSTS, CSP, SPF, DMARC)\n* Missing flags on cookies\n* SSL issues (expired certs/weak ciphers/key-size/BEAST/CRIME)\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no security impact\n* Clickjacking\n* Rate limiting or brute force issues\n* General low severity issues reported by automated scanners\n* Attacks requiring MITM or physical access to a user's device\n* Vulnerable libraries or dependencies absent a working **Proof of Concept**\n* Comma Separated Values (CSV) injection\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Tab-nabbing \n\n\u0026nbsp;\nTarget Specific Exclusion - connect.8x8.com\n-----------\n1. IDORs with an unguessable/non-enumerable identifier are out of scope\n    - IDORs in the form of a UUID\n    - IDORs based on `AccountId` and `subAccountId`\n2. When testing support functionality please add \"HackerOne\" in your subject line and limit the number of requests to an absolute minimum.\n\n\u0026nbsp;  \nSafe Harbor \n=========\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. 
\n\nThank you for helping keep 8x8 and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-02-06T22:33:49.913Z"},{"id":3683058,"new_policy":"**Please review the scope carefully. If you believe you've found a security issue in our services not explicitly defined in the scope of this program please submit via our [Responsible Disclosure Program](https://hackerone.com/8x8).**\n\nAt 8x8, we help companies get their employees, customers and applications talking to make people more connected and productive no matter where they are in the world. At 8x8 we value security and recognize the importance of ensuring the integrity and confidentiality of global communications.\n \n**8x8 Work** - We are not currently providing accounts for testing; however, you can sign up for our Express product with the first month free. Please utilize your [username]@wearehackerone.com address when creating an account. *After account creation you must go to the admin section and provision a phone number before it will be active for use within the 8x8 Work application.*\nhttps://www.8x8.com/products/express?signup=express\n\n**8x8 Virtual Contact Center** - Credentials not currently provided. \n\n**Jitsi** is a world class open source video meeting solution. We strive to make a flexible and secure video meetings platform with the option of **end-to-end encryption (beta)**. Have a feature request or bug not related to security? 
Let us know or contribute yourself: https://github.com/jitsi/\n\n\n\n\u0026nbsp;  \nResponse Targets\n==============\n8x8 will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 2 business days\n\n\u0026nbsp;  \nDisclosure Policy \n=============\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue. \n* Please do not discuss vulnerabilities outside of the program without proper coordination and express consent from 8x8.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder. Please notify us immediately if you encounter exposure of information.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n\u0026nbsp;\nExclusions \n========\nWhile researching, we'd like to ask you to refrain from: \n* **Any form of automation**\n* Any activity that could lead to the disruption of our service (DoS)\n* Spamming \n* Social engineering (including phishing) of 8x8 staff or contractors\n* Any physical attempts against 8x8 property or data centers\n* Missing security headers (e.g. 
HSTS, CSP, SPF, DMARC)\n* Missing flags on cookies\n* SSL issues (expired certs/weak ciphers/key-size/BEAST/CRIME)\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no security impact\n* Clickjacking\n* Rate limiting or brute force issues\n* General low severity issues reported by automated scanners\n* Attacks requiring MITM or physical access to a user's device\n* Vulnerable libraries or dependencies absent a working **Proof of Concept**\n* Comma Separated Values (CSV) injection\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Tab-nabbing \n\n\u0026nbsp;\nTarget Specific Exclusion - connect.8x8.com\n-----------\n1. IDORs with an unguessable/non-enumerable identifier are out of scope\n    - IDORs in the form of a UUID\n    - IDORs based on `AccountId` and `subAccountId`\n2. When testing support functionality please add \"HackerOne\" in your subject line and limit the number of requests to an absolute minimum.\n\n\u0026nbsp;  \nSafe Harbor \n=========\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. 
\n\nThank you for helping keep 8x8 and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-02-06T20:11:17.212Z"},{"id":3681735,"new_policy":"**Please review the scope carefully. If you believe you've found a security issue in our services not explicitly defined in the scope of this program please submit via our [Responsible Disclosure Program](https://hackerone.com/8x8).**\n\nAt 8x8, we help companies get their employees, customers and applications talking to make people more connected and productive no matter where they are in the world. At 8x8 we value security and recognize the importance of ensuring the integrity and confidentiality of global communications.\n\n**8x8 Work** - We are not currently providing accounts for testing; however, you can sign up for our Express product with the first month free. Please utilize your [username]@wearehackerone.com address when creating an account. *After account creation you must go to the admin section and provision a phone number before it will be active for use within the 8x8 Work application.*\nhttps://www.8x8.com/products/express?signup=express\n\n**Jitsi** is a world class open source video meeting solution. We strive to make a flexible and secure video meetings platform with the option of **end-to-end encryption (beta)**. Have a feature request or bug not related to security? 
Let us know or contribute yourself: https://github.com/jitsi/\n\n\n\n\u0026nbsp;  \nResponse Targets\n==============\n8x8 will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 2 business days\n\n\u0026nbsp;  \nDisclosure Policy \n=============\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue. \n* Please do not discuss vulnerabilities outside of the program without proper coordination and express consent from 8x8.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder. Please notify us immediately if you encounter exposure of information.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n\u0026nbsp;\nExclusions \n========\nWhile researching, we'd like to ask you to refrain from: \n* **Any form of automation**\n* Any activity that could lead to the disruption of our service (DoS)\n* Spamming \n* Social engineering (including phishing) of 8x8 staff or contractors\n* Any physical attempts against 8x8 property or data centers\n* Missing security headers (e.g. 
HSTS, CSP, SPF, DMARC)\n* Missing flags on cookies\n* SSL issues (expired certs/weak ciphers/key-size/BEAST/CRIME)\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no security impact\n* Clickjacking\n* Rate limiting or brute force issues\n* General low severity issues reported by automated scanners\n* Attacks requiring MITM or physical access to a user's device\n* Vulnerable libraries or dependencies absent a working **Proof of Concept**\n* Comma Separated Values (CSV) injection\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Tab-nabbing \n\n\u0026nbsp;\nTarget Specific Exclusion - connect.8x8.com\n-----------\n1. IDORs with an unguessable/non-enumerable identifier are out of scope\n    - IDORs in the form of a UUID\n    - IDORs based on `AccountId` and `subAccountId`\n2. When testing support functionality please add \"HackerOne\" in your subject line and limit the number of requests to an absolute minimum.\n\n\u0026nbsp;  \nSafe Harbor \n=========\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. 
\n\nThank you for helping keep 8x8 and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-01-09T04:23:04.630Z"}]