Bug bounty

Please use https://app.test.makeplans.net for testing. Do NOT use a production account! Please limit use of any automatic vulnerability scanners. Our website is at https://makeplans.com, it is a static webside that is separate from our application. While it does contain links to the application, and therefore is part of security threats, please do not report any vulnerabilities that are not applicable to static websites.

Report any findings to us.

For a reference for what we do not consider to be non-qualiyfing please see https://bughunters.google.com/about/rules/google-friends/4849867320328192/cloud-vulnerability-reward-program-rules#non-qualifying-vulnerabilities

We respect the time you use to test our security and will treat you and your findings with respect. But please also respect our time. We receive many requests and demand for bug bounty compensation that are not really any security threat. Often such requests stems from automated tools and the researcher fails to understand what is reported (hence it not being a security issue).

Note: we do have some known issues that we are aware of: We offer ways to customise the booking site and admin module with JavaScript. Hence it is possible for an admin with access to add JavaScript to use XSS to hijack other users within the same account. But there is no way for a non-admin to do this or for a customer on the booking site. Also please note that such JavaScript is not executed on sensitive pages such as payment info.