
Frontegg
External Program
Frontegg looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.
Frontegg is a comprehensive developer platform designed to empower teams with self-service capabilities, robust security features, and enterprise-ready tools through a rich user-management interface, freeing up creativity and differentiation. Unlike traditional user management platforms, integrating Frontegg into your app takes minutes, unlocking a whole new level of end-user experience.
Frontegg's platform provides not only Authentication and SSO via an embeddable or hosted login box, but also a complete Admin Portal serving as the settings area for your users. The Admin Portal allows your users to control every aspect of their accounts: manage users and teams, define and assign roles and permissions, get visibility through audit logs, subscribe to webhooks, and much more. Frontegg’s interfaces are embedded as a UI layer within your app and become a customer-facing management interface for your end users, both on the personal and workspace levels. Frontegg also powers your backend through rich SDKs supported in various languages and frameworks.
Scope
PLEASE MAKE SURE YOU USE ONLY THESE DOMAINS (other domains are not eligible for bounty):
portal.au.frontegg.com
api.au.frontegg.com
Important: please use an @wearehackerone.com email when signing up.
Response Targets
Frontegg will make best efforts to meet the following SLAs (in business days) for hackers participating in our program:
First Response: 2 days
Time to Triage: 2 days
Time to Bounty: 14 days
Time to Resolution: depends on severity and complexity
We’ll try to keep you informed about our progress throughout the process.
Focus Areas
We are most interested in critical vulnerabilities related to authentication and access:
Account takeover
Cross-tenant manipulation
Privilege escalation
Bypassing security features (e.g., MFA, restrictions, session management)
Disclosure Policy
Follow HackerOne's disclosure guidelines.
Instructions
Sign up to Frontegg Portal and Complete Onboarding:
Sign up at https://portal.au.frontegg.com using your @wearehackerone.com email address.
Complete the onboarding process.
You will receive a unique Frontegg base URL (e.g., https://xxxxxx.au.frontegg.com) and a client ID. Save these for later use.
Download and Set Up Your Frontegg App:
Clone: https://github.com/frontegg/testing-demo-app
Run npm install or yarn install.
Open the codebase and update index.js with your Frontegg base URL and client ID.
Start the app using npm start or yarn start.
Customize the App:
Go to the "Builder" section at https://portal.au.frontegg.com.
Enable/disable features for testing.
Save and publish your changes.
You can also adjust settings under Environments -> [Dev/Stg/Prod] -> Authentication/Authorization.
Program Rules
Please provide detailed reports with clear, reproducible steps to demonstrate the issue. Incomplete reports are not eligible.
Submit one vulnerability per report unless chaining is required.
The first valid report is rewarded in case of duplicates.
Multiple issues from one root cause may receive one bounty.
Avoid privacy violations, data destruction, or service disruption.
Test only within the listed domains.
Exclusions
Social engineering of any kind, including phishing or pretexting against Frontegg employees or users
Email configuration issues (e.g., SPF, DKIM, DMARC)
Verbose error messages and minor HTTP header issues
Clickjacking on non-sensitive pages
Best practices only (e.g., weak TLS, missing HTTP headers)
Vulnerabilities requiring MITM or physical access
Known vulnerable libraries without PoC
Minor UI issues, or issues that affect only outdated browsers
Public 0-days for which a patch has been available for less than 30 days
Open redirect unless impactful
Excessive role permissions (known issue)
Ratings/Rewards
Initial vulnerability ratings are based on CVSS. Ratings may be adjusted based on real-world impact, exploitability, and likelihood. If a report is reprioritized or downgraded, we will provide a clear explanation and offer the researcher the opportunity to appeal.
Requirements
Use only your @wearehackerone.com email.
All testing must be done as a Frontegg customer.
Do not access customer data or accounts.
If you discover a potential data leak, report it but do not exploit it.
Safe Harbor
Activities conducted within this policy are authorized. If legal action is initiated by a third party, we will confirm your actions were in accordance with this policy.
Thank you for helping keep Frontegg and our users safe!