Cloud communication APIs
Nexmo offers SMS and Voice APIs through REST and SMPP. We offer unparalleled message and voice call deliverability at an optimum price point.
Nexmo Verify API - allows you to verify whether one of your end users has access to a specific phone number.
We would like to test the Verify endpoints:
Full documentation: https://docs.nexmo.com/api-ref/verify
Nexmo Verify SDK - allows you to add password replacement, 2-factor authentication, or user and transaction verification to your App with a single line of code.
We would like to test the Verify SDK:
Full documentation: https://docs.nexmo.com/libraries/verify-sdk
Nexmo SMS API - allows you to send SMS anywhere in the world.
We would like to test the SMS endpoints:
Full documentation: https://docs.nexmo.com/api-ref/sms-api
Nexmo SMS SC API - allows you to send SMS to US through our pre-approved Short Code.
We would like to test the SMS SC endpoints:
Full documentation: https://docs.nexmo.com/api-ref/us-shared-short-code-api
Nexmo TTS/Voice API - allows you to send TTS calls anywhere in the world.
We would like to test the TTS/VoiceAPI endpoints:
Full documentation: https://docs.nexmo.com/api-ref/voice-api
Nexmo Number Insight API - allows you to retrieve information for a given number.
We would like to test the NI endpoints:
Full documentation: https://docs.nexmo.com/api-ref/number-insight
Nexmo Admin Dashboard
How do we decide how critical a vulnerability is?
The criticality of a vulnerability will be decided solely based on the risk to end users and impact for the business if it were exploited, rather than the poorness of the application design. If a vulnerability requires significant preconditions to be exploited, and these conditions make the attack less likely, the vulnerability is likely to be lower than if it were without preconditions.
Some general guidance on the rewards likely to be given for common classes of vulnerability are given below. This is by no means a comprehensive list, and please feel free to look for vulnerabilities not listed here - this is encouraged, as the whole value of third party testing is that it finds issues we hadn't considered! Please note: criticality always remains at our discretion regardless of the guidelines below.
- Remote code execution
- Authentication vulnerabilities that allow total bypass of the usual authentication process (both one-factor and two-factor)
- Authorization flaws that allow one user to perform actions on behalf of other users (API or Dashboard)
- Compromise of another account's API secret
- Serious financial manipulation e.g. ability to top up for free or use other users' credit
- Stored XSS which affects other users
- Successful SQL injection retrieving important database data
- CSRF with serious impact
Medium or Low, depending on impact:
- Ability to bypass some dashboard functionality restrictions within an account, if the impact is moderate
- Reflected XSS
- Stored XSS that affects only one user (likely to be low or not rewarded)
- Session management issues that don't directly lead to account compromise
- Improper rate limiting which may facilitate brute force
- CSRF with moderate impact
We build and operate a number of applications. Not all of them are currently part of an open bounty, however, we still appreciate the effort researchers put forth to identify vulnerabilities. Vulnerabilities found in applications not specifically listed on this page will be evaluated and they might be eligible for cash rewards.
CDNetworks, EdgeCast ADN, nginx, Java 8, Jetty, WordPress
Open for all
1 - 3 weeks / 100%
Average of all evaluations