No technology is perfect, and Hotjar believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you have discovered a vulnerability within Hotjar or any other serious security and privacy issues, send your detailed report to security@hotjar.com where we will validate the issue.
If the report is valid, you will need to create a YesWeHack profile, and we'll invite you to our bug bounty program. Currently, our bug bounty program is limited to certain vulnerability types and assets. However, we are happy to thank everyone who submits out-of-scope vulnerabilities, and we reserve the right to reward an out-of-scope vulnerability if it presents an important security risk.
Hotjar will determine at its discretion whether a reward should be granted and the amount of the reward, but will aim to be fair.
Reporting Security Issues to Hotjar
Before sending your report by email, we kindly ask you to consult our list of out-of-scope vulnerabilities. This will ensure that you only submit reports concerning in-scope vulnerabilities. Our team will review it and get back to you as soon as possible. We are committed to working with the security research community to ensure the security of our systems.
Vulnerability Disclosure Policy
Maintaining the security, privacy, and integrity of our products is a priority at Hotjar. We appreciate the work of researchers who help improve our security and privacy posture, and we are committed to creating a safe and transparent environment for reporting vulnerabilities.
If you believe you've found a security bug in our service, we would be happy to work with you to resolve the issue promptly and ensure you are fairly rewarded for your discovery.
Please adhere to the following steps:
- Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue (please reach us at security@hotjar.com).
- Provide us with a reasonable amount of time to understand, analyze, and resolve the issue.
- No disclosure of a vulnerability to any third party, even a partial one, is allowed without formal acknowledgement from Hotjar staff.
- You must be the first reporter of a vulnerability and the vulnerability must be a qualifying vulnerability.
- You must not be a former or current employee of Hotjar or of one of its contractors.
- You must send a clear textual description of the report along with steps to reproduce the issue (include attachments such as screenshots or proof of concept code as necessary).
- If you find the same vulnerability several times, please create only one report and add the further instances as comments if needed. You will be rewarded according to your findings and the criticality of the asset found vulnerable.
Scope
The scope of Hotjar:
- insights.hotjar.com
- ws.hotjar.com
- script.hotjar.com
- www.hotjar.com
Out of scope
- All domains and sub-domains not listed in the scope section.
- adm.hotjar.com
- user-stories-live.live.eks.hotjar.com
- help.hotjar.com
- status.hotjar.com
- design.hotjar.com
- podcast.hotjar.com
- hotsauce.hotjar.com
- storybook.hotjar.com
- brand.hotjar.com
- careers.hotjar.com
- translations.hotjar.com
- Any integration mentioned in https://help.hotjar.com/hc/en-us/articles/115012499067
- The demo website: https://insights.hotjar.com/sites/2327305/overview
Qualifying vulnerabilities
- Remote Code Execution (RCE)
- SQL Injection (SQLi)
- Local file access and manipulation (LFI, RFI, XXE, SSRF, XSPA)
- Cross-Site Scripting (XSS)
- Cross-site Request Forgery (CSRF) with real security impact
- Cross-Origin Resource Sharing (CORS) with real security impact
- Insecure Direct Object Reference (IDOR)
- Horizontal and vertical privilege escalation
- Broken authentication & session management
- Business logic vulnerabilities with real security impact
- Exposure of sensitive secrets
- SSRF with real security impact
- Open redirect with real security impact
- Exposed secrets, credentials or sensitive information on an asset under our control and affecting at least one of our scopes
- Subdomain-takeover (findings will be considered for bounty rewards based on a case-by-case evaluation, taking into account various factors)
Rewards
Currently, our bug bounty program is limited to certain vulnerability types and assets. However, we are happy to thank everyone who submits out-of-scope vulnerabilities, and we reserve the right to reward an out-of-scope vulnerability if it presents an important security risk.
Please note that Hotjar will determine at its discretion whether a reward should be granted and the amount of the reward, but will aim to be fair.