Bandwidth vulnerability disclosure program

Thank you for taking interest in the security of Bandwidth. We value the security of our customers, their data, and our services. In an effort to protect our digital ecosystem, we’ve created this page to allow security researchers from around the world to report any potential security issues they may have found.

Our commitment to you:

  • To maintain trust and confidentiality in our exchanges with researchers who report to the program.
  • To treat everyone who contributes with respect; we appreciate your contribution to keeping us and our customers safe and secure.
  • To work with you to validate and remediate reported vulnerabilities.
  • To investigate and remediate issues in a manner consistent with protecting the safety and security of both on-prem and cloud customers. Addressing a valid reported vulnerability will take time. This will vary based on the severity of the vulnerability and the affected systems.

Our ask of you:

  • Trust. As we commit to maintain trust and confidentiality with you, we ask that you do the same with us. We ask that you do not disclose any information regarding your submission’s details. We reserve the right to take legal action if this is not adhered to.
  • Please provide as much information in your submission as possible. It is vital to provide clear reproduction steps regarding your finding so that we may validate the report in a timely manner.
  • Adhere to the Out of Scope section below.
  • We ask that you provide your email address in your submission, so we can get in touch with you about any technical details needed.
  • If you discover a vulnerability that exposes personal data concerning Bandwidth or its affiliates and subsidiaries (including Voxbone), you cannot retain the data. You must immediately delete the data upon reporting the vulnerability to us. Personal data includes, but is not limited to, any information that relates to, describes, or could be used to identify an individual (including our customers and employees), directly or indirectly.

Out of scope:

  • Testing the physical security of our offices, employees, equipment, etc.
  • Conducting non-technical attacks such as social engineering or phishing attacks.
  • DoS/DDoS or any other testing that would impact the operation of our systems.
  • Accessing, downloading, or modifying data residing in an account that does not belong to you.
  • Testing that would result in sending spam or other unsolicited messages.
  • Testing third party applications or services.
  • Defacing any of our assets.

Below you will find the form where you can submit your finding. Please remember to include as much information as possible, presented clearly, to help facilitate validation. It is highly recommended that you provide your email address to ensure you can claim your submission and continue communication as needed.