6sense processes Personal Information in accordance with its Privacy Policy, which is located at https://6sense.com/privacy-policy/.

Please read the rules and guidelines of this policy (the “Policy”) carefully before submitting a report. By participating in our Vulnerability Disclosure Program (“Program”) and submitting your findings, you confirm that you meet our Program Eligibility terms and accept and agree to be bound by this Policy.

Table of Contents

I. Program Terms

• Program Eligibility
• Program Rules

II. Testing & Submission Process

• In-scope vulnerabilities
• Out of scope vulnerabilities

Disclosure Policy

• Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from 6sense.
• Follow HackerOne's disclosure guidelines.
• Ensure that your report contains at least the following:
  • The URL and any affected parameters;
  • The browser, OS, and/or app version; and
  • The perceived impact of the vulnerability being exploited.

Program Eligibility

• You are at least 18 years of age.
• You are not a resident of, or located in, any country against which the United States has issued sanctions or other trade restrictions and are not a person (or affiliated with a company or organization) designated in the U.S. Department of the Treasury’s Specially Designated Nationals List.
• You may not engage in any security research or vulnerability disclosure activity that is inconsistent with the terms and conditions of the Policy or applicable law.
• 6sense employees are not eligible for participation.

Program Rules

• Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.
• Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.
• When duplicates occur, we will accept the first submission that meets the criteria of complete required information submitted and is reproducible at our end.
• Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.
• Social engineering (e.g., phishing, vishing, smishing) is prohibited.
• Only interact with accounts you own or with explicit permission of the account holder.
• When investigating vulnerabilities, avoid altering existing files, file permissions, reading sensitive information or disrupting services. Do not utilize an identified vulnerability to pivot to other hosts or services. * If sensitive information or personal information is encountered, immediately cease activities and report via the HackerOne portal
• As part of your research, do not modify any files or data, including permissions, and do not intentionally view or access any data beyond what is needed to prove the vulnerability.
• Exercise caution when testing to avoid negative impact to us and our customers and the services we and both depend on.
• Do not use vulnerability scanners! For custom tooling an acceptable request rate is no more than 3 requests per second
• Do not attempt to access any customer tenant/instance or data
• Do not try to further pivot into the network by using a vulnerability.
• Do not try to exploit service providers we use (hosting, domain registrar, email, marketing, etc.). 6sense does not authorize you to perform any actions against non-6sense owned property/system/service/data. If you are unsure if a system you discovered belongs to 6sense or not, ask first before testing further
• Publicly known Zero-day vulnerabilities will not be considered until more than 30 days have passed since patch availability.
• If you encounter Personally Identifiable Information (PII) contact us at [email protected] immediately. Do not proceed with access, do not upload PII, and immediately purge any such local information on your device(s), if applicable.

Session Layer: HTTP Headers

Researchers should add headers to requests such as:

• “X-HackerOne-Research: [H1 username]”

The 6sense security team is interested in the following vulnerabilities

• Cross-Site Scripting (XSS)
• Cross-Site Request Forgery (CSRF)
• Unauthorized Cross-Tenant Data Tampering or Access (for multi-tenant services)
• Insecure Direct Object References
• Injection Vulnerabilities
• Authentication/Authorization Vulnerabilities
• Server-Side Code Execution
• Privilege Escalation
• Significant Security Misconfiguration (when not caused by user)
• Directory Traversal
• Information Disclosure
• Open Redirects

Out of scope vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:

• Clickjacking on pages with no sensitive actions
• Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
• Attacks requiring MITM or physical access to a user's device.
• Previously known vulnerable libraries without a working Proof of Concept.
• Comma Separated Values (CSV) injection without demonstrating a vulnerability.
• Missing best practices in SSL/TLS configuration.
• Any activity that could lead to the disruption of our service (DoS).
• Rate limiting or brute force issues on non-authentication endpoints
• Missing best practices in Content Security Policy.
• Missing HttpOnly or Secure flags on cookies
• Configuration of or missing security headers.
• Missing email best practices (Invalid, incomplete, or missing SPF/DKIM/DMARC records, etc.)
• Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g., stack traces, application or server errors).
• Tabnabbing
• Issues that require unlikely user interaction
• Improper logout functionality and improper session timeout.
• CORS misconfiguration without an exploitation scenario
• Broken link hijacking
• GraphQL introspection
• Vulnerabilities found in third party vendor systems and integrations that 6sense or its affiliates use, which should be reported directly to the vendor according to their disclosure policy (if any). Only vulnerabilities found in 6sense’s, or its affiliate’s client-side implementation of a third-party vendor’s product or service will be eligible for submission.
• Any vulnerability obtained through the compromise of an account of a customer user or employee of 6sense or any of its affiliates.
• Vulnerabilities only affecting users of outdated or unpatched browsers
• Descriptive Error Messages
• CMS Application updates (e.g., WordPress security releases)
• Subdomain takeovers without a complete proof of concept
• Missing security best practices and controls (rate-limiting/throttling, lack of CSRF protection, lack of security headers, missing flags on cookies, descriptive errors, server/technology disclosure - without clear and working exploit)
• Username and organization name enumeration on customer facing systems (i.e. using server responses to determine whether a given account or organization exists)
• Scanner output or scanner-generated reports, including any automated or active exploit tool.
• Misconfigurations in implementation of 6sense features on a 6sense customer's sites

Thank you for helping keep 6sense and our users safe!