
HubSpot
Bounty Range
$50 - $10,000
external program
HubSpot is an AI-powered customer platform with all the software, integrations, and resources that businesses need to connect their marketing, sales, and customer service.
For this program, we're inviting researchers to test HubSpot's web applications and services, with a focus on identifying security vulnerabilities that could lead to the compromise of our customers' CRM records and data.
Our rewards are based on severity per CVSS (the Common Vulnerability Scoring System). Please note these are general guidelines, and reward decisions are at the discretion of HubSpot.
| Severity | Reward Range | Average Bounty | % of Submissions |
|---|---|---|---|
| Low | $50 | $533 | 26.2% |
| Medium | $250 | $274 | 43.97% |
| High | $1,500 | $1,533 | 19.15% |
| Critical | $10,000 | n/a | 4.26% |
Anyone may create a trial portal by navigating to: https://offers.hubspot.com/free-trial. When signing up, please use your @WEAREHACKERONE.COM email address.
All available functionality may be tested with the exception of email sends to email addresses you do not own. Please note, sending phishing attacks or spam from a portal will be grounds for permanent disqualification.
With a trial account, it is possible to create an API key to send API requests. Follow these instructions for creating an API key: https://developers.hubspot.com/docs/guides/apps/authentication/intro-to-auth. API requests should fall within these API usage guidelines: https://developers.hubspot.com/docs/guides/apps/api-usage/usage-details.
Information about HubSpot APIs, including example requests, is available at: https://developers.hubspot.com/docs/api/overview
We encourage researchers to test and submit any bugs or vulnerabilities you may identify within beta features. To learn more about opting your account into beta features, check out our KB reference: https://knowledge.hubspot.com/account-management/opt-your-hubspot-account-into-a-public-beta-feature
We created a portal with 1 contact record in the CRM. The record has 2 properties (firstname and a custom sensitive property called super_secret) that contain flags you need to obtain for this capture the flag challenge. Your task is to find permission-related vulnerabilities to bypass access controls (without any social engineering, user interaction, or brute-forcing) and read the firstname flag for a $15,000 USD special reward. Optionally, you may attempt to obtain the second super_secret flag for an additional $5,000 USD bonus, for a total of $20,000 USD potential reward.
The target domain for this challenge is app.hubspot.com and the target portal ID is 46962361. DO NOT attempt to access other portals you don't own. In order to be awarded the bounty, you must:
1. Provide the property name and value of the flag(s) obtained. For example: firstname = <contact's first name>, super_secret = <contact's super secret info>
2. Provide detailed reproduction steps so we can successfully validate the finding.
3. Email your submission ID to the email address specified in the contact record's email property, with the subject HubSpot CTF Challenge.
The first valid submission will be awarded the special reward. At that time, the CTF challenge will be paused while we remediate the finding and improve our defenses. Once done, we will modify the flags, make an announcement that we're resuming the challenge, and update our bounty brief to indicate that the CTF is open again.
The standard HubSpot bug bounty program rules apply. Please take the time to read the entire bounty brief before attempting this challenge.
HubSpot reserves the right to stop the CTF challenge, special reward, and bonus at any time without prior notice and reason.
We highly encourage researchers to test various authentication flows including but not limited to:
Researchers should approach these areas with a creative and critical mindset, exploring potential vulnerabilities that may lead to user account takeover and/or unauthorized access of data. Our goal is to ensure that our authentication mechanisms not only comply with industry standards but also demonstrate strong resilience against emerging threats and sophisticated attack techniques.
Overall, we are most interested in critical vulnerabilities that allow access to customer CRM records and sensitive (PHI and PII) data, HubSpot's corporate data, and our internal network. We highly encourage researchers to look for:
For the initial prioritization/rating of findings, this program will use the Common Vulnerability Scoring System (CVSS). However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood and impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher.
To maximize your reward and minimize the payout time frame, please make sure to include the following in your report:
Participating community members agree that they have appropriate rights for HubSpot to use Community Member Data as contemplated in this Program Policy and such use of Community Member Data by HubSpot will not infringe, misappropriate, or violate a third party's intellectual property rights, or rights of publicity or privacy.