Please disclose responsibly.

At issuu, the security of our users and our platform comes first. If you believe that you have discovered a potential vulnerability on our platform or in any APIs, apps or issuu service, we would appreciate your help in fixing it fast by revealing your findings in accordance with this policy.

Going public with security vulnerabilities can elevate the level of risk, so we urge you to keep such matters private until they can be addressed.

Reporting to issuu

If you believe that you have found a security vulnerability on issuu, please let us know right away via our Responsible Disclosure form.

It’s most helpful to provide as much information as possible, especially a way for us to reproduce the issue. DO NOT provide any personally identifiable information and/or credit-card data.

We will do our best to confirm receipt of valid reports by the next business day; an issuu team member will investigate within a week and correspond with you if necessary.

Please consider the potential damage to others and don’t disclose or share your matter publicly until we have been able to investigate and respond.

What’s research and what crosses the line?

We welcome information from white-hat researchers. Responsible actions and revelations regarding issuu are not of legal concern. Nevertheless, the following actions are not acceptable and will be reported to the proper authorities:

  • Seeking to modify or destroy data
  • Seeking to interrupt or degrade the services we offer to users
  • Seeking to execute a Denial of Service attack
  • Seeking access to user accounts or data (instead, create test users and publications as needed)
  • Research that violates any applicable laws

Please test only for vulnerabilities on issuu systems. Areas hosted by third parties (e.g., blog.issuu.com) are outside the scope of this policy.

Reward offered

Responsible research that reveals qualifying issues in accordance with this policy could be eligible for swag and/or inclusion in our Hall of Fame.

Qualifying issues include web vulnerabilities exposed during a valid attack scenario that has significant impact on our users or our platform. Examples of such vulnerabilities could be:

  • Authentication flaws
  • Circumventing of platform and/or privacy permissions
  • Privilege escalations
  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)
  • SQL injection
  • Arbitrary redirects
  • Server-side code execution (RCE)

Issues that do not qualify include the following:

  • User enumeration
  • Denial of Service (DoS)
  • Minor information disclosures (e.g., server software/version)
  • Issues with outdated or unpatched browsers
  • Lack of the Secure flag on nonsensitive cookies
  • Lack of the HttpOnly flag on nonsensitive cookies
  • Security vulnerabilities in third-party websites and applications that integrate with issuu
  • Vulnerabilities requiring a potential victim to install nonstandard software or otherwise take steps to become susceptible to attack
  • Vulnerabilities requiring social engineering or very unlikely user interactions
  • Findings primarily from social engineering (e.g., phishing, vishing)
  • Findings from physical testing such as office access (e.g., open doors, tailgating)
  • UI/UX bugs and spelling mistakes
  • Spamming

Whether an issue is indeed qualifying, and whether a reward or inclusion in our Hall of Fame is merited, are decisions made at issuu’s discretion. Only the first researcher to report a specific qualifying issue may be eligible for swag and/or inclusion in our Hall of Fame, and we reserve the right to cancel this program at any time.

Hall of Fame

Here’s where we recognize the researchers that have responsibly reported a security vulnerability. Your efforts help us keep issuu safe for millions of users, and for that we are grateful. Thank you!

  • Awais Zafar
  • Kenan GÜMÜŞ
  • Ravi Prakash Giri
  • Juan Broullon Sampedro
  • HusseiN98D (fb.com/hussein98d.officiel)
  • Ashutosh Kumar (@divashutosh)
  • Mahadev Subedi
  • கோபிநாத்(Gopinath) மதுரை(Madurai)
  • Shawar Khan (fb.com/shawarkhanskofficial)
  • Asim zafar (Mr-soft) (fb.com/asimzafar420)
  • Manish Agrawal (fb.com/manishbitr)
  • Zee Shan (fb.com/zeex.zeeshan)
  • Muhammad Zeeshan (fb.com/Zeeshan.1337)
  • Shivam Kumar Agarwal (fb.com/shivamkumar.agarwal.9)
  • sandeepsudhagani (fb.com/sandeep.sudhagani)
  • Muhammad Osama (fb.com/profile.php?id=100001183774319)
  • Muhammad Hammad (fb.com/muhammad.hammad.334830)
  • Sumit Sahoo (fb.com/54H00)
  • C.Vishnu vardhan Reddy (fb.com/vishnu.dfx)
  • Sane Sindhuja (fb.com/sindhuja.reddy.137)
  • Koutrouss Naddara (@KoutroussNaddar)
  • Tayyab Qadir (fb.com/tqMr.EditOr)
  • Vijith Pv (fb.com/vijithvellora @vijithvellora)
  • Jay Jani (fb.com/janijay007)
  • Jayaram Yalla
  • Ramana Yalla
  • Nithish M. Varghese (fb.com/nithish.varghese)
  • Pratap Chandra (linkedin.com/in/pratap05)
  • Daniyal Nasir (@dnofficial9)
  • Mohd Arbaz Hussain (fb.com/Arbazhussainofficial)
  • Pratyush Anjan Sarangi (fb.com/riozaki.sam)
  • Osama Ansari (@AnsariOsama10)
  • Siddhartha Tripathy (sg.linkedin.com/in/sidsg)
  • Arun Kumar Agrawalla (www.hackyourself.in)
  • Mansoor Gilal (fb.com/mansoor.gilal1)
  • Sree Visakh Jain (www.wayanadweb.com)
  • Waqar Vicky (@waqar_vicky011)
  • Hamid Ashraf (@hamihax)
  • Ali Tabish (@connect_tabish)
  • SaifAllah benMassaoud (@benmassaou)
  • Mandeep Singh Jadon (cyberdeception.com)
  • Yadnyawalkya Tale (fb.com/yadnyawalkya.tale)
  • Kaushik Roy (linkedin.com/in/kaushikroy4)
  • Blindu Eusebiu (www.testalways.com)
  • Oladigbolu, Shuaib Abidemi (@_sawzeeyy)
  • Smit Gajra (hackerone.com/smitgajra007)
  • Arbaz Hussain (@ArbazKiraak)
  • Eusebiu Blindu (@testalways)
  • Sahil Tembhare (@IsrSahilMk)
  • Leandro Chaves (@cecleandro)
  • Rajat Sharma (@Rajat_Jaichand)
  • Shailesh Suthar (@shailesh4594)
  • Taimoor Abid (@T4YM.H4X0R)
  • Lokesh Sharma (Torrid Networks) (linkedin.com/in/lokesh-sharma-28322878)
  • Mohamed Faraj (fb.com/ELMAGICSTOR)
  • Yasser Gersy (Ask.fm/YasserGersy)
  • Wai Yan Aung (@waiyanaun9)
  • Sagar Sachdeva (fb.com//sagarsachdeva21)
  • Krishna Manoj (fb.com/manoj.vandavasi)
  • Hassan Khan (fb.com/HassanKhanPro)
  • Arbin Godar (www.arbingodar.com)
  • Ankit Singh (linkedin.com/in/ankit-singh-64870010a)
  • Kaushal Parikh (fb.com/kp625544)
  • Sreedeep.Ck Alavil (fb.com/hacker.Sreedeep.ck)
  • Olivier Van de Velde (linkedin.com/in/oliviervdv/, fb.com/oliviervdv, @vdvcoder)
  • Joseph Jose (@josephjose_96)
  • ak1t4 (@knowledge_2014)
  • Ahmad Shuja (linkedin.com/in/shujaahmad)
  • Muztahidul Islam Tanim

Should your name be in the Hall of Fame?

If you have disclosed a security matter in accordance with issuu’s policy and believe that your name is missing from our roster, please let us know at disclosure@issuu.com.