• Reach out to bughunt@salesmate.io, if you have found any potential vulnerability in Salesmate meeting all the below mentioned criteria. You can expect a confirmation from our security team in about 24 hours of submission.
  • You can also report bugs online below, using the “Report” form at the bottom of the page.
  • Please refrain from doing security testing in existing customer accounts.
  • When conducting security testing, make sure not to violate our privacy policies, modify/delete unauthenticated user data, disrupt production servers, or to degrade the user experience.
  • You’re allowed to disclose the discovered vulnerabilities only to bughunt@salesmate.io. Documenting any potential In/Out of scope, vulnerability to the public is against our responsible disclosure policy.


While researching, we’d like to ask you to refrain from the following list as these issues will be closed as Not Applicable:

  • Denial of service
  • Spamming
  • Unconfirmed reports from automated vulnerability scanners
  • Disclosure of server or software version numbers
  • Mobile application issues that can only be exploited on a compromised device.
  • Open HTML redirects
  • Arbitrary file upload – CDN
  • Issues with DNS records such as SPF, DKIM or DMARC
  • Insufficient Password Policy Implementation
  • Use of HTTP Strict Transport Security (HSTS)
  • You must not attempt to gain access to, or interact with, any accounts other than those created by you.
  • The use of commercial scanners is prohibited (e.g., Nessus).
  • Social engineering (including phishing) of Salesmate’s staff or contractors
  • Any physical attempts against Salesmate’s property or data centers

Qualifying Security Bugs

All bugs that are reported are qualified based on their impact on customer’s production data.

We will consider other security vulnerabilities if it is making an impact and exploitable with a working non-intrusive POC.

In-Scope Domains

  • *.salesmate.io

Bugs Severity

Salesmate will define the severity of the issue based on the impact and the ease of exploit. 

Response Time

AcknowledgmentWithin 24 hours
Time is taken to resolveBased on the Severity

Report Bug