Please disclose responsibly.

At Issuu, the security of our users and our platform comes first. If you believe that you have discovered a potential vulnerability on our platform or in any APIs, apps or Issuu service, we would appreciate your help in fixing it fast by revealing your findings in accordance with this policy.

Going public with security vulnerabilities can elevate the level of risk, so we urge you to keep such matters private until they can be addressed.

Reporting to Issuu

If you believe that you have found a security vulnerability on Issuu, please contact us at security@issuu.com.

It’s most helpful to provide as much information as possible, especially a way for us to reproduce the issue. DO NOT provide any personally identifiable information and/or credit-card data.

We will do our best to confirm receipt of valid reports by the next business day; an Issuu team member will investigate within a week and correspond with you if necessary.

Please consider the potential damage to others and don’t disclose or share your matter publicly until we have been able to investigate and respond.

What’s research and what crosses the line?

We welcome information from white-hat researchers. Responsible actions and revelations regarding Issuu are not of legal concern. Nevertheless, the following actions are not acceptable and will be reported to the proper authorities:

  • Seeking to modify or destroy data
  • Seeking to interrupt or degrade the services we offer to users
  • Seeking to execute a Denial of Service attack
  • Seeking access to user accounts or data (instead, create test users and publications as needed)
  • Research that violates any applicable laws

Please test only for vulnerabilities on Issuu systems. Areas hosted by third parties (e.g., blog.issuu.com) are outside the scope of this policy.

Reward offered

Responsible research that reveals qualifying issues in accordance with this policy could be eligible for inclusion in our Hall of Fame. UPDATE: We are currently unable to provide any kind of swag to the researcher.

Qualifying issues include web vulnerabilities exposed during a valid attack scenario that has significant impact on our users or our platform. Examples of such vulnerabilities could be:

  • Authentication flaws
  • Circumvention of platform and/or privacy permissions
  • Privilege escalations
  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)
  • SQL injection
  • Arbitrary redirects
  • Server-side code execution (RCE)

Issues that do not qualify include the following:

  • User enumeration
  • Denial of Service (DoS)
  • Minor information disclosures (e.g., server software/version)
  • Issues with outdated or unpatched browsers
  • Lack of the Secure flag on nonsensitive cookies
  • Lack of the HttpOnly flag on nonsensitive cookies
  • Security vulnerabilities in third-party websites and applications that integrate with Issuu
  • Vulnerabilities requiring a potential victim to install nonstandard software or otherwise take steps to become susceptible to attack
  • Social engineering of vulnerabilities requiring very unlikely user interactions
  • Findings primarily from social engineering (e.g., phishing, vishing)
  • Findings from physical testing such as office access (e.g., open doors, tailgating)
  • UI/UX bugs and spelling mistakes
  • Spamming

Whether an issue qualifies, and whether a reward or inclusion in our Hall of Fame is merited, are decisions made at Issuu’s discretion. Only the first researcher to report a specific qualifying issue may be eligible for inclusion in our Hall of Fame, and we reserve the right to cancel this program at any time.

Hall of Fame

Here’s where we recognize the researchers who have responsibly reported a security vulnerability. Your efforts help us keep Issuu safe for millions of users, and for that we are grateful. Thank you!

🏆
Awais Zafar
🏆
Kenan GÜMÜŞ
🏆
Ravi Prakash Giri
🏆
Juan Broullon Sampedro
🏆
HusseiN98D
🏆
Ashutosh Kumar
🏆
Mahadev Subedi
🏆
கோபிநாத்(Gopinath) மதுரை(Madurai)
🏆
Shawar Khan
🏆
Asim zafar (Mr-soft)
🏆
Manish Agrawal
🏆
Zee Shan
🏆
Muhammad Zeeshan
🏆
Shivam Kumar Agarwal
🏆
sandeepsudhagani
🏆
Muhammad Osama
🏆
Muhammad Hammad
🏆
Sumit Sahoo
🏆
C.Vishnu vardhan Reddy
🏆
Sane Sindhuja
🏆
Koutrouss Naddara
🏆
Tayyab Qadir
🏆
Vijith Pv
🏆
Jay Jani
🏆
Jayaram Yalla
🏆
Ramana Yalla
🏆
Nithish M. Varghese
🏆
Pratap Chandra
🏆
Daniyal Nasir
🏆
Mohd Arbaz Hussain
🏆
Pratyush Anjan Sarangi
🏆
Osama Ansari
🏆
Siddhartha Tripathy
🏆
Arun Kumar Agrawalla
🏆
Mansoor Gilal
🏆
Sree Visakh Jain
🏆
Waqar Vicky
🏆
Hamid Ashraf
🏆
Ali Tabish
🏆
SaifAllah benMassaoud
🏆
Mandeep Singh Jadon
🏆
Yadnyawalkya Tale
🏆
Kaushik Roy
🏆
Blindu Eusebiu
🏆
Oladigbolu, Shuaib Abidemi
🏆
Smit Gajra
🏆
Arbaz Hussain
🏆
Eusebiu Blindu
🏆
Sahil Tembhare
🏆
Leandro Chaves
🏆
Rajat Sharma
🏆
Shailesh Suthar
🏆
Taimoor Abid
🏆
Lokesh Sharma (Torrid Networks)
🏆
Mohamed Faraj
🏆
Yasser Gersy
🏆
Wai Yan Aung
🏆
Sagar Sachdeva
🏆
Krishna Manoj
🏆
Hassan Khan
🏆
Arbin Godar
🏆
Ankit Singh
🏆
Kaushal Parikh
🏆
Sreedeep.Ck Alavil
🏆
Olivier Van de Velde
🏆
Joseph Jose
🏆
ak1t4
🏆
Ahmad Shuja
🏆
Muztahidul Islam Tanim
🏆
Yeasir Arafat
🏆
Prabharoop C C
🏆
Shivam Kamboj
🏆
Graham Stevens
🏆
Piyush kumar
🏆
Umesh Prakash Jore
🏆
Abhishek Sidharth
🏆
Pal Patel
🏆
Pradipta Das
🏆
Ashish Kunwar
🏆
Jogendra Singh
🏆
Sreeram KL
🏆
Devansh Batham
🏆
Rahul ps
🏆
Shwetabh Suman
🏆
F007573P
🏆
Akalanka Ekanayake
🏆
Pranjal Singhal
🏆
Chirag Gupta (Zerocoolz1)
🏆
Guhan Raja.L (Havoc)
🏆
Shantanu Shastri
🏆
Sajibe Kanti
🏆
Sameer Bhatt
🏆
Remesh Ramachandran
🏆
Vijay Kannan
🏆
Muhammad Qasim Munir
🏆
Vibhurushi Chotaliya
🏆
Aashu Sharma
🏆
Tushar Rawool
🏆
Ketan Madhukar Mukane
🏆
Muhammad Uwais
🏆
Ayon Chakraborty
🏆
Muhammad Amr Fathy Muhammad Nasef (4nub15)
🏆
Vyshnav Nk
🏆
Sudhanshu Rajbhar
🏆
Raghavendra Singh
🏆
Vishal Abasaheb Dhapte
🏆
S. Naveen Kumar
🏆
Militiaman
🏆
Ratnadip Gajbhiye
🏆
Geethu Sivakumar, CEO, Pace Hitech
🏆
B.Dhiyaneshwaran
🏆
Bhavika Rathore (H3xc@t)
🏆
Bharat
🏆
Muhammad Awais Noshahi
🏆
Kaushik Sardar
🏆
Prial Islam
🏆
Abdul Mateen
🏆
Swapnil Jain
🏆
Mahad Ahmed
🏆
Rishabh (cyb3rlant3rn)
🏆
Raviraj A. Powar
🏆
Linus Särud (zulln)
🏆
Vasantha Kumar.S.P. (Infoziant)
🏆
Aditya Kabra
🏆
Abhishek Bharat Yadav
🏆
Yassine Nafiai
🏆
Sameer Phad
🏆
Shrey Shah
🏆
Aman Mahendra
🏆
Havoc Guhan
🏆
Muhammad Ali Samani
🏆
Mirazul Islam Rifat
🏆
Chirag Gupta
🏆
Orkhan Yolchuyev
🏆
Chawda Mrunal
🏆
Lacerenza Francesco
🏆
Luthfi Bia Susilo Putra (TRIMATRA-SEC)
🏆
Ketan Madhukar Mukane
🏆
Ramneek, BreachLock Inc.
🏆
Prabhjot Dunglay
🏆
Muhammad Asif
🏆
Tinu Tomy
🏆
Sunil Kumar S
🏆
Sohail Shaikh (ROOTxDEAD)
🏆
Sourajeet Majumder
🏆
Atharv Shejwal
🏆
Shubham Dubey
🏆
Anon Tuttu Venus
🏆
Vanshit Malhotra
🏆
Ankur Vaidya
🏆
Aditya Shende
🏆
Pascal Zenker
🏆
Govind p
🏆
Leo Starcevic
🏆
Prathamesh Surekha Prakash Pawar
🏆
Abhishek Kanaujia
🏆
Fudgedotdotdot
🏆
Suvarnesh K M
🏆
Akshay Pande
🏆
Jai kumar B
🏆
ManhNho
🏆
Vasu Yadav
🏆
Elumalai vasan
🏆
Navin Shetty
🏆
Vijay Balaji. M
🏆
Harsh D Ranjan
🏆
Foysal Ahmed Fahim
🏆
Vikas Srivastava
🏆
Vinay Unnikrishnan Nair
🏆
Ritesh Singhal
🏆
Shubham Panchal
🏆
Kinshuk Kumar
🏆
Ynoof Alassiri
🏆
Pratik Patil
🏆
Rushi Mamtora
🏆
Mohamed Elbadry
🏆
Amit Kumar
🏆
Artem Belchenko
🏆
Alan Jose
🏆
Samrat Gupta
🏆
Shoaib Alam
🏆
Shrishty Dayal
🏆
Pranob Kanti Nath
🏆
Veshraj Ghimire (V35HR4J)
🏆
Aditya Thebe
🏆
Avinash Hanwate
🏆
Kiran Kumar MS
🏆
Sachin Sutariya
🏆
Deepak Singh Pawar
🏆
Fika Februarinto
🏆
Nhiephon
🏆
Swapnil Kothawade
🏆
K Yeswanth Reddy
🏆
Nirmal Unagar
🏆
Tarun Pardeshi
🏆
Deepak Dalvi
🏆
Sushanth S Ranawat
🏆
Ritik Jangra
🏆
Dr. Jens Mueller

Should your name be in the Hall of Fame?

If you have disclosed a security matter in accordance with Issuu’s policy and believe that your name is missing from our roster, please let us know at security@issuu.com.