Details

Responsible Disclosure of Security Vulnerabilities

FreshBooks is committed to the privacy, safety and security of our customers.

FreshBooks aims to keep its service safe for everyone, and data security is of the utmost priority. If you are a security researcher and have discovered a security vulnerability in our product, website, or service, we appreciate your help in disclosing it to us in a responsible manner.

If you are a current customer

If you feel your account may have been compromised, or if you suspect fraudulent behavior, do not hesitate to contact our support team. Your issue will be investigated immediately and thoroughly.

If you are a security researcher or have discovered a vulnerability

Reporting Issues

If you think you've found a security vulnerability in FreshBooks, contact us immediately via [email protected] (PGP Key).

PGP Key ID: 0xF7EB7EF0 PGP Fingerprint: A4D5 5735 A2E2 155D 9C69 61E6 A09C 214C F7EB 7EF0

Please include as much information as possible in your report, including a way for us to reproduce the issue. "Proof-of-Concept" programs, tools, or test accounts that you've created are welcome.
Please do not make your research or findings public (or share them with anyone) until we have had a adequate time to investigate and deploy a fix. We will notify you when the security vulnerability has been patched.
Tell us how to identify you and your company (if applicable) so we may enshrine you in our Hall of Fame section below.

Permitted Research

"Whitehat" security researchers are welcome. Though grateful for your research and proactive disclosure, FreshBooks does not tolerate the following:

any attempt to access, modify or destroy a customer's account or data
any attempt to interrupt or degrade the services offered by FreshBooks
any attempt to execute a "Denial of Service" attack
any research that involves a violation of any applicable law

Breaching the above in any way will result in contacting the relevant authorities.

When researching or investigating our service, please create your own accounts to test with. Do not attempt to "break in" to other customers' accounts.

The FreshBooks Security Team strives to be prompt in responding to security vulnerabilities and will try to respond within 48 hours to any report received. During our business hours, we will likely respond same day.

Responsible Disclosure of Security Vulnerabilities

FreshBooks is committed to the privacy, safety and security of our customers.

If you are a current customer

If you feel your account may have been compromised, or if you suspect fraudulent behavior, do not hesitate to contact our support team. Your issue will be investigated immediately and thoroughly.

If you are a security researcher or have discovered a vulnerability

Reporting Issues

If you think you've found a security vulnerability in FreshBooks, contact us immediately via [email protected] (PGP Key).

PGP Key ID: 0xF7EB7EF0 PGP Fingerprint: A4D5 5735 A2E2 155D 9C69 61E6 A09C 214C F7EB 7EF0

Please include as much information as possible in your report, including a way for us to reproduce the issue. "Proof-of-Concept" programs, tools, or test accounts that you've created are welcome.

Please do not make your research or findings public (or share them with anyone) until we have had a adequate time to investigate and deploy a fix. We will notify you when the security vulnerability has been patched.

Tell us how to identify you and your company (if applicable) so we may enshrine you in our Hall of Fame section below.

Permitted Research

"Whitehat" security researchers are welcome. Though grateful for your research and proactive disclosure, FreshBooks does not tolerate the following:

any attempt to access, modify or destroy a customer's account or data

any attempt to interrupt or degrade the services offered by FreshBooks

any attempt to execute a "Denial of Service" attack

any research that involves a violation of any applicable law

Breaching the above in any way will result in contacting the relevant authorities.

When researching or investigating our service, please create your own accounts to test with. Do not attempt to "break in" to other customers' accounts.