Details

6sense processes Personal Information in accordance with its Privacy Policy, which is located at https://6sense.com/privacy-policy/.

Please read the rules and guidelines of this policy (the “Policy”) carefully before submitting a report. By participating in our Vulnerability Disclosure Program (“Program”) and submitting your findings, you confirm that you meet our Program Eligibility terms and accept and agree to be bound by this Policy.

I. Program Terms

Program Eligibility
Program Rules

II. Testing & Submission Process

In-scope vulnerabilities
Out of scope vulnerabilities

Disclosure Policy

Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from 6sense.
Follow HackerOne's disclosure guidelines.
Ensure that your report contains at least the following:
- The URL and any affected parameters;
- The browser, OS, and/or app version; and
- The perceived impact of the vulnerability being exploited.

Program Eligibility

You are at least 18 years of age.
You are not a resident of, or located in, any country against which the United States has issued sanctions or other trade restrictions and are not a person (or affiliated with a company or organization) designated in the U.S. Department of the Treasury’s Specially Designated Nationals List.
You may not engage in any security research or vulnerability disclosure activity that is inconsistent with the terms and conditions of the Policy or applicable law.
6sense employees are not eligible for participation.

Program Rules

Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.
Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.
When duplicates occur, we will accept the first submission that meets the criteria of complete required information submitted and is reproducible at our end.
Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.
Social engineering (e.g., phishing, vishing, smishing) is prohibited.
Only interact with accounts you own or with explicit permission of the account holder.
When investigating vulnerabilities, avoid altering existing files, file permissions, reading sensitive information or disrupting services. Do not utilize an identified vulnerability to pivot to other hosts or services. * If sensitive information or personal information is encountered, immediately cease activities and report via the HackerOne portal
As part of your research, do not modify any files or data, including permissions, and do not intentionally view or access any data beyond what is needed to prove the vulnerability.
Exercise caution when testing to avoid negative impact to us and our customers and the services we and both depend on.
Do not use vulnerability scanners! For custom tooling an acceptable request rate is no more than 3 requests per second
Do not attempt to access any customer tenant/instance or data
Do not try to further pivot into the network by using a vulnerability.
Do not try to exploit service providers we use (hosting, domain registrar, email, marketing, etc.). 6sense does not authorize you to perform any actions against non-6sense owned property/system/service/data. If you are unsure if a system you discovered belongs to 6sense or not, ask first before testing further
Publicly known Zero-day vulnerabilities will not be considered until more than 30 days have passed since patch availability.
If you encounter Personally Identifiable Information (PII) contact us at [email protected] immediately. Do not proceed with access, do not upload PII, and immediately purge any such local information on your device(s), if applicable.

Session Layer: HTTP Headers

Researchers should add headers to requests such as:

“X-HackerOne-Research: [H1 username]”

The 6sense security team is interested in the following vulnerabilities

Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF)
Unauthorized Cross-Tenant Data Tampering or Access (for multi-tenant services)
Insecure Direct Object References
Injection Vulnerabilities
Authentication/Authorization Vulnerabilities
Server-Side Code Execution
Privilege Escalation
Significant Security Misconfiguration (when not caused by user)
Directory Traversal
Information Disclosure
Open Redirects

Out of scope vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:

Clickjacking on pages with no sensitive actions
Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
Attacks requiring MITM or physical access to a user's device.
Previously known vulnerable libraries without a working Proof of Concept.
Comma Separated Values (CSV) injection without demonstrating a vulnerability.
Missing best practices in SSL/TLS configuration.
Any activity that could lead to the disruption of our service (DoS).
Rate limiting or brute force issues on non-authentication endpoints
Missing best practices in Content Security Policy.
Missing HttpOnly or Secure flags on cookies
Configuration of or missing security headers.
Missing email best practices (Invalid, incomplete, or missing SPF/DKIM/DMARC records, etc.)
Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g., stack traces, application or server errors).
Tabnabbing
Issues that require unlikely user interaction
Improper logout functionality and improper session timeout.
CORS misconfiguration without an exploitation scenario
Broken link hijacking
GraphQL introspection
Vulnerabilities found in third party vendor systems and integrations that 6sense or its affiliates use, which should be reported directly to the vendor according to their disclosure policy (if any). Only vulnerabilities found in 6sense’s, or its affiliate’s client-side implementation of a third-party vendor’s product or service will be eligible for submission.
Any vulnerability obtained through the compromise of an account of a customer user or employee of 6sense or any of its affiliates.
Vulnerabilities only affecting users of outdated or unpatched browsers
Descriptive Error Messages
CMS Application updates (e.g., WordPress security releases)
Subdomain takeovers without a complete proof of concept
Missing security best practices and controls (rate-limiting/throttling, lack of CSRF protection, lack of security headers, missing flags on cookies, descriptive errors, server/technology disclosure - without clear and working exploit)
Username and organization name enumeration on customer facing systems (i.e. using server responses to determine whether a given account or organization exists)
Scanner output or scanner-generated reports, including any automated or active exploit tool.
Misconfigurations in implementation of 6sense features on a 6sense customer's sites

Thank you for helping keep 6sense and our users safe!

Disclosure Policy

Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from 6sense.

Follow HackerOne's disclosure guidelines.

Ensure that your report contains at least the following:

The URL and any affected parameters;
The browser, OS, and/or app version; and
The perceived impact of the vulnerability being exploited.

Program Eligibility

You are at least 18 years of age.

You are not a resident of, or located in, any country against which the United States has issued sanctions or other trade restrictions and are not a person (or affiliated with a company or organization) designated in the U.S. Department of the Treasury’s Specially Designated Nationals List.

You may not engage in any security research or vulnerability disclosure activity that is inconsistent with the terms and conditions of the Policy or applicable law.

6sense employees are not eligible for participation.

Program Rules

Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.

Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.

When duplicates occur, we will accept the first submission that meets the criteria of complete required information submitted and is reproducible at our end.

Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.

Social engineering (e.g., phishing, vishing, smishing) is prohibited.

Only interact with accounts you own or with explicit permission of the account holder.

When investigating vulnerabilities, avoid altering existing files, file permissions, reading sensitive information or disrupting services. Do not utilize an identified vulnerability to pivot to other hosts or services. * If sensitive information or personal information is encountered, immediately cease activities and report via the HackerOne portal

As part of your research, do not modify any files or data, including permissions, and do not intentionally view or access any data beyond what is needed to prove the vulnerability.

Exercise caution when testing to avoid negative impact to us and our customers and the services we and both depend on.

Do not use vulnerability scanners! For custom tooling an acceptable request rate is no more than 3 requests per second

Do not attempt to access any customer tenant/instance or data

Do not try to further pivot into the network by using a vulnerability.

Do not try to exploit service providers we use (hosting, domain registrar, email, marketing, etc.). 6sense does not authorize you to perform any actions against non-6sense owned property/system/service/data. If you are unsure if a system you discovered belongs to 6sense or not, ask first before testing further

Publicly known Zero-day vulnerabilities will not be considered until more than 30 days have passed since patch availability.

If you encounter Personally Identifiable Information (PII) contact us at [email protected] immediately. Do not proceed with access, do not upload PII, and immediately purge any such local information on your device(s), if applicable.

The 6sense security team is interested in the following vulnerabilities

Cross-Site Scripting (XSS)

Cross-Site Request Forgery (CSRF)

Unauthorized Cross-Tenant Data Tampering or Access (for multi-tenant services)

Insecure Direct Object References

Injection Vulnerabilities

Authentication/Authorization Vulnerabilities

Server-Side Code Execution

Privilege Escalation

Significant Security Misconfiguration (when not caused by user)

Directory Traversal

Information Disclosure

Open Redirects

Out of scope vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:

Clickjacking on pages with no sensitive actions

Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions

Attacks requiring MITM or physical access to a user's device.

Previously known vulnerable libraries without a working Proof of Concept.

Comma Separated Values (CSV) injection without demonstrating a vulnerability.

Missing best practices in SSL/TLS configuration.

Any activity that could lead to the disruption of our service (DoS).

Rate limiting or brute force issues on non-authentication endpoints

Missing best practices in Content Security Policy.

Missing HttpOnly or Secure flags on cookies

Configuration of or missing security headers.

Missing email best practices (Invalid, incomplete, or missing SPF/DKIM/DMARC records, etc.)

Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g., stack traces, application or server errors).

Tabnabbing

Issues that require unlikely user interaction

Improper logout functionality and improper session timeout.

CORS misconfiguration without an exploitation scenario

Broken link hijacking

GraphQL introspection

Vulnerabilities found in third party vendor systems and integrations that 6sense or its affiliates use, which should be reported directly to the vendor according to their disclosure policy (if any). Only vulnerabilities found in 6sense’s, or its affiliate’s client-side implementation of a third-party vendor’s product or service will be eligible for submission.

Any vulnerability obtained through the compromise of an account of a customer user or employee of 6sense or any of its affiliates.

Vulnerabilities only affecting users of outdated or unpatched browsers

Descriptive Error Messages

CMS Application updates (e.g., WordPress security releases)

Subdomain takeovers without a complete proof of concept

Missing security best practices and controls (rate-limiting/throttling, lack of CSRF protection, lack of security headers, missing flags on cookies, descriptive errors, server/technology disclosure - without clear and working exploit)

Username and organization name enumeration on customer facing systems (i.e. using server responses to determine whether a given account or organization exists)

Scanner output or scanner-generated reports, including any automated or active exploit tool.

Misconfigurations in implementation of 6sense features on a 6sense customer's sites

Thank you for helping keep 6sense and our users safe!

6sense VDP

6sense VDP

Details

Table of Contents

I. Program Terms

II. Testing & Submission Process

Disclosure Policy

Program Eligibility

Program Rules

Session Layer: HTTP Headers

Researchers should add headers to requests such as:

The 6sense security team is interested in the following vulnerabilities

Out of scope vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:

Table of Contents

I. Program Terms

II. Testing & Submission Process

Disclosure Policy

Program Eligibility

Program Rules

Session Layer: HTTP Headers

Researchers should add headers to requests such as:

The 6sense security team is interested in the following vulnerabilities

Out of scope vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) the security impact of the bug. The following issues are considered out of scope: