GlobalMeet Vulnerability Disclosure & Bug Bounty Program
In Scope
Any vulnerability that could impact the confidentiality, integrity, or availability of our systems or customer data. Testing is authorized only on the in-scope assets listed below and only when conducted in good faith and in accordance with this policy.
- Public-facing applications and services under the *.globalmeet.com and *.webcasts.com domains
- Public APIs operated under the above domains
Out of Scope
The following are considered out of scope for this program, unless you can demonstrate a security impact that changes their nature:
- Social engineering (e.g., phishing, vishing, physical access)
- Infrastructure issues without an exploit chain (e.g., open ports, TLS version, DNS records)
- Denial of Service (DoS) or resource exhaustion
- Missing security headers without an exploitable proof-of-concept
- Self-XSS (user-defined payload affecting only their own session)
- Login/logout CSRF
- Content spoofing without HTML/script injection
- Vulnerabilities requiring jailbroken or rooted devices
- Clickjacking or iframe-based attacks without demonstrated impact
- Issues limited to sandbox, QA, or staging environments (unless they can also be shown to exist in production)
- Automated scanner output or automated findings without a working proof-of-concept or clear security impact
How to Report a Vulnerability
Send your report to: [email protected]
Include:
- Description of the vulnerability and its potential impact
- Step-by-step reproduction from a fresh session
- Affected URL(s), app(s), or API endpoints
- Proof-of-concept (PoC): screenshots, video, or minimal exploit code
- Test account details (if used)
- Any payloads or harmless test files uploaded during testing
- Environment details: browser version, OS, IP(s) used for testing
- Relevant logs or console output
We will acknowledge receipt within 10 business days and provide status updates based on severity. After acknowledgement, we’ll notify you whether the finding is valid, invalid, or out-of-scope; for valid issues we’ll provide periodic updates and a final confirmation when remediation is complete (and offer retesting when applicable). We may close reports as duplicate, out-of-scope, or informational (e.g., low risk with no meaningful exploit), and such reports may not be eligible for reward.
Safe Harbor
If you make a good-faith effort to comply with this policy during your security research:
- We will not initiate legal action against you for reporting vulnerabilities within scope
- Do not access, modify, or delete data that is not your own. If you inadvertently access personal or confidential data, stop immediately and report it
- We request that you avoid privacy violations, service disruption, or destruction of data
By submitting a report, you represent that you have the right to share the information you provide. You grant GlobalMeet a non-exclusive, worldwide, royalty-free license to use your submission solely for the purpose of validating, remediating, and improving the security of our products and services.
At our discretion, we may offer monetary rewards, swag, or public recognition in our Hall of Fame based on severity and report quality. Rewards are not guaranteed, are issued solely at GlobalMeet’s discretion, and may be limited by applicable laws and trade restrictions.
Please allow a reasonable period for remediation before publicly disclosing the vulnerability (typically 90 days). We are happy to coordinate timelines with you.
Our Commitment
- Review and acknowledge all submissions promptly
- Prioritize and remediate confirmed vulnerabilities
- Keep you informed of progress and resolution