Podia

At Podia, the security of our users and their customers is highly important to us. As such, we welcome the responsible disclosure of security vulnerabilities by researchers and members of our community.

Please note that at this time, we do not have a bug bounty program in place. As such, we are unable to provide monetary compensation for the disclosure of security vulnerabilities.

___________________________________________________________

If you have discovered an issue that is within in scope, and particularly part of our focus areas, send an email to <a href="mailto:security@podia.com" rel="nofollow noopener noreferrer" target="_blank"><b>security@podia.com</b></a> with the following details:

A summary of the issue and potential impact

A breakdown of the steps to replicate the issue

If available, any proof-of-concept code to exploit the vulnerability

- A summary of the issue and potential impact
   
- A breakdown of the steps to replicate the issue
   
- Details of the environment you are using
   
- If available, any proof-of-concept code to exploit the vulnerability
   

Upon receiving your email, our team will start investigating the issue.

We will keep you updated on the progress and may reach back for further details if needed.

The following vulnerabilities are in-scope:

Authentication bypass and privilege escalation

Exposure of personally identifiable information (PII)

Exposure or exploitation of payment-related API credentials

SQL injection and remote command execution

- Authentication bypass and privilege escalation
   
- Exposure of personally identifiable information (PII)
   
- Exposure or exploitation of payment-related API credentials
   
- Exposure of integration credentials
   
- Access to data belonging to another user
   
- SQL injection and remote command execution
   

Podia app (<a href="http://app.podia.com" rel="nofollow noopener noreferrer" target="_blank">app.podia.com</a>)

User sites (*.<a href="http://podia.com" rel="nofollow noopener noreferrer" target="_blank">podia.com</a>)

- Podia app (<a href="http://app.podia.com" rel="nofollow noopener noreferrer" target="_blank">app.podia.com</a>)
   
- User sites (*.<a href="http://podia.com" rel="nofollow noopener noreferrer" target="_blank">podia.com</a>)
   
- Podia's Zapier integration
   

The following areas are out-of-scope for security testing and reporting. As such, we may ignore or dismiss out-of-scope reports

Our marketing site at<a href="http://www.podia.com" rel="nofollow noopener noreferrer" target="_blank"> www.podia.com</a>

- Automated scanning
   
- Social engineering, in particular of Podia employees or creators
   
- Denial of Service attacks
   

Attacks requiring physical access to the victim's computer

Theoretical attacks without proof of exploitability

Clickjacking on pages with no sensitive actions

Users exploiting a bug to sabotage their own account, storefront, or customers

Bugs that allow an attacker to bypass account limits

Missing best practices in CSP, DNS records, or cookies that do not result in an in-scope vulnerability.

- Our marketing site at<a href="http://www.podia.com" rel="nofollow noopener noreferrer" target="_blank"> www.podia.com</a>
   
- Any form of:
   
  - Automated scanning
     
  - Social engineering, in particular of Podia employees or creators
     
  - Denial of Service attacks
     
- Attacks requiring physical access to the victim's computer
   
- Theoretical attacks without proof of exploitability
   
- Man-in-the-middle attacks
   
- Clickjacking on pages with no sensitive actions
   
- Users exploiting a bug to sabotage their own account, storefront, or customers
   
- Bugs that allow an attacker to bypass account limits
   
- Missing best practices in CSP, DNS records, or cookies that do not result in an in-scope vulnerability.
   

only test for vulnerabilities on your own account

make a good faith effort to avoid privacy violations, copying or destruction of data, and interruption or degradation of our service

not attempt to expand or elevate access to other servers

not attempt to exploit our infrastructure provider, partners, or any third-party services we are integrated with

not make the vulnerability public before reporting it to us, and you should give us adequate time to address the issue

not attempt to extort payment in exchange for disclosing vulnerabilities, or to exploit vulnerabilities for personal gain.

- only test for vulnerabilities on your own account
   
- make a good faith effort to avoid privacy violations, copying or destruction of data, and interruption or degradation of our service
   
- not attempt to expand or elevate access to other servers
   
- not attempt to exploit our infrastructure provider, partners, or any third-party services we are integrated with
   
- not make the vulnerability public before reporting it to us, and you should give us adequate time to address the issue
   
- not attempt to extort payment in exchange for disclosing vulnerabilities, or to exploit vulnerabilities for personal gain.
   

Please note that any attempt to do so will be considered unethical, and potentially illegal behavior, and will be handled accordingly.

Security policy

Find answers and get help from Intercom Support and Community Experts

This site employs cookies and other technologies that we and our third party vendors use to monitor and record personal information about you and your interactions with the site (including content viewed, cursor movements, screen recordings, and chat contents) for the purposes described in our Cookie Policy. By continuing to visit our site, you agree to our {websiteTermsLink}, {privacyPolicyLink} and {cookiePolicyLink}.

This site uses cookies and similar technologies ("cookies") as strictly necessary for site operation. We and our partners also would like to set additional cookies to enable site performance analytics, functionality, advertising and social media features. See our {cookiePolicyLink} for details. You can change your cookie preferences in our Cookie Settings.

We use cookies to make our site work and also for analytics and advertising purposes. You can enable or disable optional cookies as desired. See our {cookiePolicyLink} for more details.

You have the right to opt out of the sale of your personal information. See our {cookiePolicyLink} for more details about how we use your data.

Your Privacy Choices

We use cookies to enhance your experience. You can customize your cookie preferences below. See our {cookiePolicyLink} for more details.

Cookie Settings

Link, Press control-option-right-arrow to exit

Empty Help Center

Uh oh. That page doesn’t exist.

Disappointed

Neutral

Smiley

Thinking...

Searching through sources...

Analyzing...

Tickets submitted through the messenger or by a support agent in your conversation will appear here.

Security policy

How to report an issue

In-scope vulnerabilities

Out-of-scope

You should…