Security and Responsible Reporting
Even though security receives a lot of attention at SoSci Survey, there may still be vulnerabilities caused by the server configuration or the software itself.
We would like to encourage users and security researchers to responsibly report any security issues to info@soscisurvey.de, preferably using PGP encryption (for the key's fingerprint see our contact details). You may also send us sensitive information via our upload platform.
Please do not report documented features as security issues, in particular that registered users can edit the manual wiki, or that custom JavaScript can be used in online questionnaires. Thank you!
Bug Bounty
SoSci Survey GmbH pays bug bounties for reported security issues. However, as a small company, our bounties differ from those of big tech companies. Bounties typically range between 25 € and 250 €, depending on the severity of the issue. We can pay via bank transfer (EU) or PayPal. In both cases, we will need a valid invoice once the bug bounty has been agreed.
Detailed Information
SoSci Survey explicitly allows users to use scripting and HTML in their questionnaires. Therefore, not all scripting is considered cross-site scripting (XSS). Please verify that an actual attack vector exists before reporting that content allows scripts to run in the output.
Also, there are a lot of optional security features, such as MTA-STS or CAA DNS entries. Unless our site is missing a feature that German security authorities consider "state of the art," please assume that we have consciously decided not to employ the feature for the moment.
For details, please refer to our entry on Open Bug Bounty.