
Insightly
External Program
Submit bugs directly to this organization
No technology is perfect, and Insightly believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.
When you sign up for a free trial, you are creating a new tenant of Insightly. In the real world this translates to a single company purchasing a tenant of Insightly and allowing their entire user base to access it. When you sign up for two different free trials, you are essentially creating two different tenants of Insightly - or what would be used by two different organizations that aren't affiliated.
Single-tenant vulnerabilities rely on a malicious user attacking their own organization, which we consider much less likely.
Multi-tenant vulnerabilities allow a malicious user to attack another organization, which is the threat model we are most concerned about.
Accordingly, we have split our bounty tables so that multi-tenant vulnerabilities are rewarded at a higher rate.
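To make the single-tenant versus multi-tenant distinction concrete, here is an added illustration (not Insightly's code; the Record and Session shapes, the in-memory table, the two trial tenants and the admin/user roles are all constructed assumptions). It places an unscoped record lookup, which lets a user of one tenant read another tenant's record by guessing its id, beside a tenant-scoped lookup, and labels a given access attempt with the policy's two tiers.

```python
"""Tenant-scoped record access: an unscoped lookup beside the tenant-scoped
version that stops cross-tenant (multi-tenant) reads.

Added illustration, not Insightly code. Record and Session shapes, the
in-memory table, the tenants and the roles are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user_id: str
    tenant_id: str
    role: str  # assumed roles: "admin" or "user"


@dataclass(frozen=True)
class Record:
    record_id: int
    tenant_id: str
    owner_id: str
    admin_only: bool
    body: str


# Constructed sample data: two tenants ("trial-a", "trial-b") standing in for
# two unaffiliated organizations, like two separate free trials.
RECORDS = {
    1: Record(1, "trial-a", "alice", False, "tenant A contact list"),
    2: Record(2, "trial-a", "alice", True, "tenant A billing export"),
    3: Record(3, "trial-b", "bob", False, "tenant B pipeline"),
}


def get_record_unscoped(session, record_id):
    """Vulnerable: looks up by id only. Any authenticated user of any tenant
    can read any record whose id they guess (a cross-tenant IDOR)."""
    return RECORDS.get(record_id)


def get_record(session, record_id):
    """Hardened: the lookup is scoped to the caller's tenant, and admin-only
    records additionally require the admin role. Returns None for both a
    missing id and a forbidden one, so the response does not leak existence."""
    rec = RECORDS.get(record_id)
    if rec is None or rec.tenant_id != session.tenant_id:
        return None
    if rec.admin_only and session.role != "admin":
        return None
    return rec


def classify_access(session, record_id):
    """Label what an unscoped read of record_id by this session would be:
    'multi-tenant' (crosses a tenant boundary), 'single-tenant' (same tenant,
    insufficient role), 'authorized', or 'missing' (no such record)."""
    rec = RECORDS.get(record_id)
    if rec is None:
        return "missing"
    if rec.tenant_id != session.tenant_id:
        return "multi-tenant"
    if rec.admin_only and session.role != "admin":
        return "single-tenant"
    return "authorized"


if __name__ == "__main__":
    bob = Session("bob", "trial-b", "user")      # user of the other tenant
    carol = Session("carol", "trial-a", "user")  # non-admin in tenant A
    for who, rid in ((bob, 1), (carol, 2), (carol, 1)):
        print(who.user_id, rid, classify_access(who, rid),
              "unscoped:", get_record_unscoped(who, rid) is not None,
              "scoped:", get_record(who, rid) is not None)
```

Under this policy, bob reading record 1 is the multi-tenant case the program pays most for, while carol reading the admin-only record 2 is the single-tenant permission escalation that is out of scope unless a security impact is shown. The scoped lookup refuses both, and returns the same None for a forbidden id as for a missing one so that probing ids does not reveal which ones exist in other tenants.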
Out of scope: permission escalations within a single tenant, unless security impact can be proven.
While researching, we'd like to ask you to refrain from:
We generally do not accept reports that are simply the output from an automated security scanner (even lightly annotated). Feel free to use security scanners, but please don't copy-paste their output into our program without additional insight.
If a report is a duplicate, we won't award a bounty or reputation. A report is a duplicate if we have another HackerOne report for the issue or if our other security review processes have already identified the issue.
A specific vulnerable behavior found in one part of Insightly's platform is not necessarily eligible for a bounty if an identical problem is uncovered in another part of the Insightly platform, though we'll assess this on a case-by-case basis. If the same vulnerability affects multiple parts of the product, please let us know in a single report—we'll take that into consideration when assessing severity (such a vulnerability might be eligible for a higher reward), and when marking reports as resolved. For example, if we fail to sanitize URLs in five parts of the platform, that should probably be one report, not five.
Attacks that are beyond Insightly's control are generally out of scope. These include:
We also ask for an exploit or proof of concept for reports. If you can't produce an attack, even a hypothetical one, we are unlikely to award a bounty. For example, here are some areas we generally consider to be out of scope:
We also consider the following areas to be out of scope, though there may be some exceptions:
If you're not sure whether an issue is in scope, we'd appreciate it if you file a report anyway!
Insightly uses several third-party services. If they have vulnerabilities, we'd like to know. We can't guarantee a bounty for those, but we encourage you to report issues both to us and to them.
If the vulnerability might reasonably affect our users, we'll likely grant a bounty. Because the true severity of an issue in a third-party service can be hard to assess, such vulnerabilities are not eligible for the default bounty amounts listed in the "Areas in scope" section above; the amount will be determined on a case-by-case basis.
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for helping keep Insightly and our users safe!