Description

Qualified's AI Conversational Marketing platform helps sales teams engage high-value website visitors in real-time, personalized sales conversations, right on the website. With Qualified, our customers can use an AI SDR (sales development representative) to ask qualification questions of website visitors, capture leads or book sales meetings, and then fast-track hot prospects, open opportunities, and target accounts to live sales conversations. The result is more sales meetings and more pipeline. Qualified is purpose-built for companies that run on Salesforce and is listed on the Salesforce AppExchange (having passed the Salesforce ISV Security Review). The Qualified offering includes chat (live and AI), meeting booking, offers, email, forms, smart buttons, and signals.

A 5-min product overview is available here: qualified.com/ai-sdr?play=piper-aug and a full overview of our product is available here: https://www.qualified.com/piper-demo-day#

The Qualified app has two main components: widgets that run on our customers' websites and let our customers interact with their website visitors, and an admin console that is used to configure chatbot and AI SDR experiences, form experiences, offers, routing, etc. The admin console is also used by chat users to interact directly with visitors on the customer's website.

The "widget" is the JavaScript a company installs on its website. "Visitors" to the website see experiences configured by admins and can talk to reps (either live or AI) that are logged into the "console" and set to available. We've set up a test website at https://team-ojwa63madn5nq72oaosk5wi6kgg5cslcbues6dq.qualified-private-test.com/?s=0 that loads the qualified.js widget snippet for the test company. Please note that the test website itself is out of scope for the purposes of our bounty program; the widget, however, is in scope.

The "console" is what the reps and/or the site admin log in to. It is available for testers at https://app.qualified-dev.com/live

Our application runs on a Ruby on Rails backend with PostgreSQL and ClickHouse databases, and a React front end that uses GraphQL, REST and WebSockets.

Bounties

This is a responsible disclosure program without bounties.

Rules of engagement
Not applicable

By participating in this program, you agree to:

  • Respect the Community Code of Conduct
  • Respect the Intigriti Terms and Conditions
  • Respect the scope of the program
  • Not discuss or disclose vulnerability information without prior written consent (including PoC's on YouTube and Vimeo)

Validation times

We will validate all submissions within the below timelines, once your submission has been verified by Intigriti.
Submissions validated outside of this may be awarded a €25 bonus.

Vulnerability severity    Time to validate
Exceptional               2 working days
Critical                  2 working days
High                      5 working days
Medium                    15 working days
Low                       15 working days

This remains at the discretion of Qualified.com to award.

Assets
In scope

Introduction

We are happy to announce our program! We've done our best to clean up our known issues and now would like to request your help to identify the ones we missed!

Our worst-case scenarios are:

  • Vulnerabilities (like cross-site scripting) that may lead to user account takeover
  • Cross-portal data leakage and access; i.e. if you are authenticated and authorized to access portal A, you should not be able to read/modify data in portal B, unless you have also been authorized to that portal
  • Server-side code execution vulnerabilities
  • Sensitive data exposure
  • Ability to access our backend AWS instance

Any useful infrastructure information:
We have different types of users:

  • Visitors: external website visitors on our customers' sites. These users have no credentials, but we do create cookie-based sessions for them.
  • Qualified Admin User: access to configuration of the Qualified console.
  • Qualified Chat User: access to chatting with prospects and to analytics.
  • Qualified Meetings User: sales reps who connect their calendars to Qualified to book meetings with customer site visitors.
  • Qualified Custom Roles: custom roles can be created to grant users of the Qualified app access to different areas of the application through the use of checkbox fields.

Given that the users within the Qualified console are all from the same company, the ability of meetings users, chat users, or custom-role users to see calendars or availability, or to access data via GraphQL that is not exposed in the UI, is not a concern. We would be concerned if a meetings, chat or custom-role user were able to obtain admin access.

Feedback
If you would like to help us improve our program or have feedback to share, please send your anonymous feedback via the program feedback link. Please note that this form is checked periodically and should not be used for submissions or support queries.

Out of scope

Application

  • Low role user able to access mutations or read access beyond their permissions in the same organization
  • Wordpress usernames disclosure
  • Pre-Auth Account takeover/OAuth squatting
  • Self-XSS that can't be used to exploit other users
  • Verbose messages/files/directory listings without disclosing any sensitive information
  • CORS misconfiguration on non-sensitive endpoints
  • Missing cookie flags
  • Missing security headers
  • Cross-site Request Forgery with no or low impact
  • Presence of autocomplete attribute on web forms
  • Reverse tabnabbing
  • Bypassing rate-limits or the non-existence of rate-limits
  • Best practices violations (password complexity, expiration, re-use, etc.)
  • Clickjacking without proven impact/unrealistic user interaction
  • CSV Injection
  • Sessions not being invalidated (logout, timeouts, enabling 2FA, etc.)
  • Tokens leaked to third parties
  • Anything related to email spoofing, SPF, DMARC or DKIM
  • Content injection without being able to modify the HTML
  • Username/email enumeration
  • Email bombing
  • HTTP Request smuggling without any proven impact
  • Homograph attacks
  • XMLRPC enabled
  • Banner grabbing/Version disclosure
  • Not stripping metadata of files
  • Same-site scripting
  • Subdomain takeover without taking over the subdomain
  • Arbitrary file upload without proof of the existence of the uploaded file
  • Blind SSRF without proven business impact (pingbacks aren't sufficient)
  • Disclosed/misconfigured Google Maps API keys
  • Host header injection without proven business impact
  • The use of HTML tags in email
  • Visibility of routing rules within the application to users within the same org
  • Lack of CAPTCHA validation controls
  • Weak TLS 1.2 ciphers

General

  • In case that a reported vulnerability was already known to the company from their own tests, it will be flagged as a duplicate
  • Theoretical security issues with no realistic exploit scenario(s) or attack surfaces, or issues that would require complex end user interactions to be exploited
  • Spam, social engineering and physical intrusion
  • DoS/DDoS attacks or brute force attacks
  • Vulnerabilities that only work on software that no longer receives security updates
  • Attacks requiring physical access to a victim's computer/device, man-in-the-middle attacks, or compromised user accounts
  • Recently discovered zero-day vulnerabilities found in in-scope assets within 14 days after the public release of a patch or mitigation may be reported, but are usually not eligible for a bounty
  • Reports that state that software is out of date/vulnerable without a proof-of-concept
  • The test website: http://team-ojwa63madn5nq72oaosk5wi6kgg5cslcbues6dq.qualified-private-test.com/ is out of scope, however the widget installed on it is in scope.

Severity assessment

This program follows Intigriti's triage standards based on the proof of concept.

FAQ

Where can I get credentials for the app?

You can use the get credentials button in the right top corner to request credentials that are ready to use! Feel free to reach out to support if you have any issue with these credentials.

Where can I find more information about the application?

Please visit the Qualified University for helpful articles by topic here: https://www.qualified.com/university.

Where can I find more information about Qualified's APIs?

Please visit our API page here: https://www.qualified.com/api.

Attachment: Bug Bounty Guidelines - How to Set up Forms, Offers, Buttons and Piper.pdf (7/18/2025, 6:23:22 PM)
Activity

  • 11/13: Qualified.com updated the confidentiality level to public
  • 11/13: Qualified.com updated the confidentiality level to registered
  • 11/13: Qualified.com updated the confidentiality level to application
  • 7/18: Qualified Responsible Disclosure Program launched