Confirmit Vulnerability Reporting Policy

This document gives general guidelines on finding and disclosing vulnerabilities regarding Confirmit's applications and services.

Services in scope

  • Main website:
  • SaaS sites: *, *, *, *, *
  • Applications distributed by Confirmit from our company webpages, Google Play and Apple AppStore

Services not in scope

  • Installations of Confirmit software on servers not operated by Confirmit.
  • Other sites which are not operated by Confirmit such as: and
  • Third party services used on,,,

Rules of engagement

Due to legal agreements with our clients, performing security scans on our SaaS environments is not permitted. We still welcome observations made through normal usage of our applications, as well as reports on unexpected behavior. If you obtain data or personally identifiable information without authorization, you are required to delete all instances of the data, logically and in some cases physically, and you are kindly requested to inform us that you have done so. We request the following from you:

  • You give us, and where relevant our clients, reasonable time to investigate and mitigate findings before sharing any information with others.
  • You do not exploit a security vulnerability for any reason. We will assess the full possible impact of the finding ourselves.
  • Confidentiality of any details of the vulnerability must be strictly maintained. Publicly disclosing the particulars of the vulnerability, such as how and where it was found or how it can be exploited, is forbidden.
  • You do not target other users, respondents or companies without authorization.
  • Stress testing/denial of service (DoS or DDoS) is not allowed.
  • Automated scanning for software vulnerabilities is not allowed.
  • You may only access the minimum number of pages/records needed to verify the finding. Accessing further records, scripted or not, is not allowed.
  • Once you have sufficient proof of a vulnerability do not proceed to exploit further but send us proof of what you have found/achieved.
  • Critical vulnerabilities such as data loss/leakage/destruction, RCE and SQL Injection should be reported immediately. Other findings can be reported collectively in a single report.

Qualifying vulnerabilities

Examples include SQL injection, RCE, XSS, CSRF, authentication flaws, missing authorization and server-side code execution.

Non-qualifying vulnerabilities

Confirmit’s flexible platform enables our clients to generate their own content within surveys and reports. As this content is not maintained or owned by Confirmit, we can only share findings on such content with our clients; we cannot guarantee remediation, timelines or communication on behalf of our clients.

Other non-qualifying vulnerabilities include, but are not limited to:

  • Lack of user self-management in password protected surveys.
  • Lack of observable rate limiting/throttling mechanism.
  • Bugs requiring the use of browsers that are not on our supported browser list for that application.
  • Bugs requiring user to disable security features or perform unlikely actions.
  • Clickjacking/UI redressing with no practical security impact.
  • Findings on vulnerabilities that pose no effective risk that can be proven. For example, lacking the Secure flag on a cookie scoped to an HSTS domain, or missing flags on non-sensitive cookies.
  • SPF, DMARC, DKIM and DNS settings.
  • Missing or suboptimal configuration of response headers such as X-Frame-Options, Content-Security-Policy, Strict-Transport-Security, Feature-Policy, Permissions-Policy, X-XSS-Protection, X-Content-Type-Options and Referrer-Policy. Missing Subresource Integrity attributes.
  • Missing noreferrer, noopener or nofollow attributes on links.
Send your reports to Please use to encrypt your report.

For vulnerabilities on SaaS systems, your report should include surveyid/projectid, reportid or similar if applicable.

Vulnerabilities with a common root cause or duplicated across multiple servers/domains count as a single finding. If there are multiple instances of what appears to be the same vulnerability, please list them all in one report.