Freshworks Bug Bounty Program Mission
Freshworks places the highest priority on safeguarding customer data. We deeply appreciate the contributions of security researchers in strengthening our security posture and encourage their participation in the Freshworks Bug Bounty program to help us deliver a secure and trusted experience for our customers.
Response Targets
If you discover a security vulnerability and report it in accordance with this policy, we will make reasonable efforts to:
- Acknowledge your report within 2 days of submission
- Triage the reported vulnerability within a maximum of 7 business days, depending on ticket volume
- Remediate the vulnerability in line with our security and privacy commitments
- Resolve the issue based on its severity and complexity
We will strive to keep you informed of our progress throughout the entire process.
Guidelines
- Do not attempt to compromise the confidentiality, integrity, and availability of our services/customer data or circumvent our privacy protections.
- Do not publicly disclose a bug, either before or after it has been fixed. Do not upload information about the vulnerability to any site; this includes posts or videos on YouTube, Vimeo, Twitter, etc., even if marked private.
- Do not attempt to gain access to customer accounts or data.
- Do not run automated scanners or any attack that could harm the reliability/integrity of our services or data.
- Do not take a reverse shell. If you find an RCE, execute only harmless commands such as "whoami", "id" or "hostname". Taking a reverse shell violates the program policy and needlessly triggers a security incident analysis by the Freshworks CIRT team.
- Do not exploit a SQL injection vulnerability with sqlmap or any other automated SQLi exploitation tool. Use only harmless probes such as "sleep(5)" or a DB version() call. If you suspect the presence of a SQL injection vulnerability, report it; we will validate it from our side.
- If you find an SSRF, do not use exfiltrated EC2 metadata secrets to access AWS resources. We will validate the impact from our side.
- Demonstrate XSS with "document.domain" in your report submission. Only the domains listed in the "In Scope" section will be considered.
- DOS/DDOS/Spam attacks are not allowed.
- Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
- Freshworks current and former employees and contractors, as well as their family members, are strictly prohibited from participating in the Program, or sharing information with an external security researcher to bypass this prohibition.
- No breaching of any NDA, employee, customer or contractor agreements.
- Leveraging customer accounts, interacting with real customers, or interacting with customers' public websites is forbidden.
- Do not store, share, compromise or destroy any Freshworks or customer data while conducting research activities. If personally identifiable information (PII) is encountered, you are required to stop and immediately notify us.
- Use specific test accounts only.
Disclosure Policy
- We do not permit public disclosure. This includes sharing details with anyone, including - but not limited to - private hacker websites or forums, social media platforms, and blogs, even after the issue has been remediated.
- Follow HackerOne's disclosure guidelines.
Reporting
Please submit your report on HackerOne using the format outlined below. Do not disclose any information about the suspected security vulnerability in any public forum without our prior written consent. Reports that do not follow this format will not be eligible for the bug bounty program.
- Vulnerability category
- Affected endpoint and parameter
- Detailed description of the vulnerability
- Step-by-step reproduction details, including a video proof of concept (PoC)
- Freshworks mobile app Android/iOS version and the device or emulator used for testing (applicable to mobile app vulnerabilities only)
- Exploitable scenario
- Recommended mitigation for the vulnerability
Non-Qualifying Criteria Vulnerabilities / Known Issues
- HTML injection, hyperlink injection, self-XSS, and XSS without any impact
- XSS execution in the context of an AWS S3 bucket
- Host header and banner grabbing issues
- Automated tool scan reports (e.g. web, SSL/TLS, or Nmap scan results)
- Missing HTTP security headers and cookie flags on insensitive cookies
- Rate limiting, brute force attack
- Race conditions without security impact
- DNS IP Ping back request / Private IP Disclosure
- Homograph attack
- Login/logout CSRF
- Session related issues
- Email Spoofing
- Unrestricted file upload
- Open redirections - Unless you can chain open redirection to XSS, stealing tokens, or any other security impactful bugs.
- Disclosure of an AWS S3 presigned URL. This is not a security vulnerability.
- Information disclosures in "/.well-known/" folder path locations unless it's sensitive.
- Vulnerabilities affecting Freshworks sandboxed environments
- Formula/CSV injection, broken link hijacking
- Vulnerabilities that require physical access to the victim machine.
- User enumeration such as user email, user ID, etc.
- Phishing / spam (including issues related to SPF/DKIM/DMARC) and missing email best practices (invalid, incomplete, or missing SPF/DKIM/DMARC/CAA records, etc.)
- Vulnerabilities found in third-party services
- EXIF data not stripped on images
- Any activity that could lead to the disruption of our service (DoS)
- Able to retrieve user's public information
- Tabnabbing
- CSP Weaknesses
- Use of a known-vulnerable library (without evidence of exploitability)
- Information Exposure from Public Sources
- Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]
- Password Token Not Expired / Password Token Leaking to 3rd party Sites / Weak Password Policy / Password best practices
- No password length or Long Password Upon Sign-up / Password Re-Use
- Concurrent Sessions / Number of Parallel Sessions
- Best practices concerns
- Any vulnerabilities requiring significant and unlikely interaction by the victim, such as disabling browser controls
- Exposed login panels without an accompanying proof-of-concept demonstrating a vulnerability or path of exploitation
- Dangling IP takeover
- Clickjacking that doesn't have significant security impact
- Subdomain takeovers
- Vulnerabilities identified in Freshworks Acquired Products / Services
- Software version disclosure / banner identification issues / descriptive error messages or headers (e.g. stack traces, application or server errors)
- Reports on third-party products, services, or applications not owned by Freshworks
- Being able to create support tickets using known email IDs (this is the product's intended behaviour)
Out of Scope bugs for Android and iOS apps
- Any URIs leaked because a malicious app has permission to view URIs opened
- Sensitive data in URLs/request bodies when protected by TLS
- Path disclosure in the binary
- Strandhogg / Task Hijacking
- Lack of obfuscation and binary protection
- Lack of exploit mitigations such as PIE, ARC, or stack canaries
- Absence of certificate pinning
- Lack of obfuscation, jailbreak and root detection
- Any kind of sensitive/encrypted data stored in app private directory
- OAuth & app secret hard-coded/recoverable in IPA
- Crashes due to malformed URL Schemes
- Runtime hacking exploits using tools such as, but not limited to, Frida or AppMon (exploits only possible in a jailbroken or rooted environment)
- Snapshot/Pasteboard leakage
- Shared links leaked through the system clipboard.
- Intent or URL Redirection leading to phishing
- Third-party library 0-day
Any findings that do not show an impact to the user or product will not be accepted.
We will recognize and reward only the first reporter of a valid vulnerability. Duplicate reports will not be considered. The same vulnerability identified in multiple areas of the same or different products will be treated as a single issue. Since our web and mobile applications share the same APIs, an access control issue found in the web application that also affects the mobile application will be considered one vulnerability.
Rewards
Our rewards are based on severity per CVSS (the Common Vulnerability Scoring System). Please note these are general guidelines, and reward decisions are at the discretion of Freshworks.
You are responsible for paying any taxes associated with the reward. Submissions from countries where we are prohibited by law from making payments, such as those on US sanctions lists, are ineligible for rewards.
Eligibility for Critical Severity Reward
Freshworks operates a multi‑tenant, subscription‑based SaaS model. We classify as "Critical" those vulnerability categories that impact the Freshworks platform globally, rather than issues confined to an individual Freshworks instance. These include, but are not limited to:
- SQL injection vulnerabilities that could lead to database information disclosure
- Command or code injection vulnerabilities impacting the Freshworks environment
- Server-Side Request Forgery (SSRF) vulnerabilities that could result in the exfiltration of AWS credentials or similar sensitive data
In short, vulnerabilities that affect only an individual Freshworks product instance will not be classified as "Critical" severity.
Reward Assessment Guidelines
In certain situations, no bounty or only a minimum bonus may be awarded. Some of the most common examples include:
- Same vulnerability across different paths or hosts: if you believe a vulnerability exists on multiple (unique) paths or hosts, please include all affected paths and hosts in a single report. Submitting separate reports for the same vulnerability identified later on different paths or hosts will be considered duplicate submissions.
- Same payload or issue across different parameters or functionality: reports describing the same vulnerability affecting multiple parameters within a resource or across similar functionality, or demonstrating multiple attack vectors for a single feature, will be treated as duplicates. We encourage consolidating such findings into one comprehensive report rather than submitting them separately.
In Scope
- [yourdomain].freshdesk.com
- [yourdomain].freshservice.com
- [yourdomain].freshchat.com
- [yourdomain].freshcaller.com
- [yourdomain].myfreshworks.com
Important Note - Out of scope
Due to a product revamp, we have removed the Freshsales and Freshmarketer products from the HackerOne "In-scope" items. This policy is effective from Nov 26th, 2024. Any bugs reported by HackerOne researchers before Nov 26th, 2024 will be considered by the team.
Freshsales - https://yourdomain.myfreshworks.com/crm/sales/
Freshmarketer - https://yourdomain.myfreshworks.com/crm/crm/marketer/
If you are unsure about a domain, email us at "security[at] freshworks.com" before spending time on it. Any findings outside the specified scope will be considered non-qualifying bugs.
Test Plan
Automated scanning is strictly prohibited. Failing to comply may get you banned from the program.
To participate in our program, you must:
- Create a trial account using your HackerOne email alias (@wearehackerone.com)
- Provide your IP address in the bug report. We will keep this data private and only use it to review logs related to your testing activity.
Include a custom HTTP header in all your traffic. Burp and other proxies allow the easy automatic addition of headers to all outbound requests.
| Identifier | Format | Example |
|---|---|---|
| Username | X-Bug-Bounty: HackerOne-<username> | X-Bug-Bounty: HackerOne-Warrior |
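The header and the reported IP address exist so that the program team can pick a researcher's requests out of production logs during triage. The following is an added example of that correlation from the defender's side; it is not Freshworks code and it assumes a hypothetical access-log format in which the value of the X-Bug-Bounty request header is appended as the last quoted field. The sample log lines and IP addresses are constructed for the example.

```python
"""Correlate researcher traffic in access logs using the X-Bug-Bounty header
and the IP address the researcher reported.

Added example, not Freshworks code. Assumes (hypothetically) that the value of
the X-Bug-Bounty request header is logged as the final quoted field of each line.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample log lines (documentation-range IPs, invented paths).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2024:12:00:01 +0000] "GET /api/v2/tickets HTTP/1.1" 200 512 "HackerOne-Warrior"
203.0.113.10 - - [10/Oct/2024:12:00:02 +0000] "POST /api/v2/tickets HTTP/1.1" 403 88 "HackerOne-Warrior"
198.51.100.7 - - [10/Oct/2024:12:00:03 +0000] "GET /a/tickets HTTP/1.1" 200 2048 "-"
203.0.113.10 - - [10/Oct/2024:12:00:04 +0000] "GET /helpdesk/settings HTTP/1.1" 302 0 "-"
192.0.2.44 - - [10/Oct/2024:12:00:05 +0000] "GET /api/v2/agents HTTP/1.1" 200 777 "HackerOne-Nomad"
"""

# Common-log-style line with the X-Bug-Bounty value as the trailing quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \d+ "(?P<bb>[^"]*)"$'
)
HEADER_PREFIX = "HackerOne-"  # value format from the program's table


@dataclass
class Hit:
    ip: str
    timestamp: str
    request: str
    status: int
    researcher: Optional[str]  # handle taken from the header, if present
    reason: str                # why this line was attributed to testing


def classify(line: str, reported_ips: Set[str]) -> Optional[Hit]:
    """Attribute one log line to researcher activity, or return None.

    Three cases are distinguished so a triager can see not only tagged
    traffic but also untagged requests from a reported IP (possibly a
    researcher who forgot the header) and tagged requests from an IP that
    was never reported (worth a follow-up question on the report).
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, tag = m["ip"], m["bb"]
    tagged = tag.startswith(HEADER_PREFIX)
    researcher = tag[len(HEADER_PREFIX):] if tagged else None

    if tagged and ip in reported_ips:
        reason = "tagged"
    elif tagged:
        reason = "tagged-unreported-ip"
    elif ip in reported_ips:
        reason = "untagged-reported-ip"
    else:
        return None  # ordinary traffic, not part of the review

    return Hit(ip, m["ts"], m["req"], int(m["status"]), researcher, reason)


def researcher_activity(log_text: str, reported_ips: Set[str]) -> List[Hit]:
    """Return every line attributable to bug bounty testing, in log order."""
    hits = []
    for line in log_text.splitlines():
        hit = classify(line, reported_ips)
        if hit is not None:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    # The IP the researcher supplied in the report (constructed value).
    for h in researcher_activity(SAMPLE_LOG, {"203.0.113.10"}):
        print(f"{h.reason:22} {h.ip:14} {h.researcher or '-':10} {h.status} {h.request}")
```

Running the script against the constructed sample attributes four of the five lines to testing: two tagged requests from the reported IP, one untagged request from that same IP, and one tagged request from an IP that was not in any report. The line from 198.51.100.7 with no header is left alone as ordinary customer traffic.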
When testing for a bug, please also keep in mind:
Minimize the mayhem. Adhere to program rules at all times. Do not use automated scanners/tools - these tools include payloads that could trigger state changes or damage production systems and/or data.
Go to the links below to start a free trial of the Freshworks suite of products.
Our Business Suites Overview:
This section describes the product suites and their respective user roles. Access control vulnerabilities will be assessed against this behaviour, and issues affecting "Cross Accounts / Organization" will take precedence.
**Customer Service Products - Freshdesk / Freshchat / Freshcaller**
Users of these suites are classified as Requesters and Agents, where Requesters are public users and Agents are support executives/employees of an organization.
Vulnerabilities that affect Agent users from a Requester's viewpoint will be considered more impactful than those involving only Agents.
IT Service Products - Freshservice
CRM Products - Freshsales / Freshmarketer
These products are classified as internal applications within an organisation, so their users are likely to be employees of that organisation. Successful exploitation of any vulnerability therefore requires the attacker to already be part of the organisation or its internal systems.
Safe Harbor
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for helping keep Freshworks and our users safe!