Infobip Coordinated Vulnerability Disclosure (CVD) Policy


1. Purpose 

Infobip firmly believes in the benefit of partnerships with the global security researcher community, which helps make the Internet a secure place for business. Security researchers play a vital role in this ever-changing cyber ecosystem by discovering vulnerabilities that may have been missed, despite our strategic determination and commitment to secure development practices, shifting security left, and automation within our SDLC processes.

2. Scope of the Program

Infobip’s CVD program extends to security research covering all publicly accessible Infobip products, domains, APIs, and public-facing services.

The following are excluded from the scope of the CVD program:

  1. Attacks that compromise or affect third-party services or infrastructure
  2. Any testing of Infobip's partners or vendors
  3. Any non-public-facing Infobip systems, internal applications, or services
  4. Phishing, social engineering, physical intrusion, or similar techniques
  5. Distributed Denial of Service (DDoS) or spam attacks
  6. Automated vulnerability scanning without prior written approval
  7. Any services described as out-of-scope on our third-party bug bounty platform
  8. Customer credentials leaked on the dark web that relate to Infobip's cloud services

If you are unsure whether your findings are in scope, we encourage you to contact us for clarification at [email protected].

Even if your finding is not covered under our existing bounty program, we will acknowledge your contributions when we fix the vulnerability. 

3. Reporting and Validation Process

Once a Participant submits a potential vulnerability via our current bug bounty platform (https://tracker.bugcrowd.com/infobip-ngpt), the report is handled as follows:

  • The report is reviewed and verified by the bug bounty platform's security engineers and Infobip's internal security team.
  • If the report is validated as a genuine and previously unknown security vulnerability, Infobip confirms receipt and provides an acknowledgment to the Participant.
  • Infobip begins remediation efforts and provides updates to the Participant throughout the process.
  • Once the vulnerability is resolved, Infobip informs the Participant and, where possible, shares details of the resolution.

Infobip aims to remediate confirmed vulnerabilities within 90 days of validation as per common CVD practice. However, this timeline may vary depending on severity, complexity, and resource availability. All communications and actions will be carried out without undue delay.

If a Participant does not have access to our bug bounty platform, a request to submit a vulnerability through the platform can be sent by email to [email protected].

4. Recognition and Rewards

As a token of appreciation, Infobip may offer monetary rewards or other forms of recognition for valid, in-scope, and previously unknown vulnerabilities reported through the program.

Reward amounts are determined based on:

  • Severity of the vulnerability (according to CVSS or similar standards)
  • Impact and exploitability
  • Quality of the report (clarity, proof of concept, reproducibility)

All reward decisions are at Infobip’s sole discretion and may vary depending on the context.

5. Non-Disclosure Obligation

To be eligible for any reward, the Participant must not publicly disclose the vulnerability, or share any details about it with third parties, until both of the following have occurred:

  • Infobip has given explicit written permission, and
  • A fix or mitigation has been deployed

Responsible disclosure protects users and ensures coordinated remediation efforts.

Uncoordinated disclosure to any third party will result in invalidation of the submission, forfeiture of any monetary reward, and exclusion from our bug bounty program, and may lead to legal action.

6. Responsible Behavior Requirements

Participants are expected to act in good faith and in accordance with the following principles. Prohibited actions include:

a. Accessing, modifying, or destroying data or services not owned by the Participant

b. Intentionally disrupting Infobip services or systems

c. Interacting with other users’ data or accounts

d. Any form of harassment or unlawful behavior in relation to the research

7. Safe Harbor Provision

Infobip pledges NOT to pursue legal action against Participants who:

a. Acted within the scope of this policy and performed activities solely for responsible disclosure

b. Did NOT exploit the vulnerability beyond the extent necessary to confirm its presence

c. Reported the vulnerability to Infobip in good faith and without delay

d. Complied with all other requirements outlined in this policy

This safe harbor applies only to the extent that the Participant’s behavior remains aligned with the goals and boundaries of Infobip’s CVD program.

8. Legal Compliance

Participants are solely responsible for ensuring that their actions comply with all applicable laws, regulations, and ordinances, including those of their country of residence and any jurisdiction from which they access Infobip’s services.

Thank you for helping Infobip keep its services and users secure.

If you have any questions or need clarification, please contact our security team at: [email protected].