[{"id":3769722,"new_policy":"# Freshworks Bug Bounty Program Mission\nFreshworks places the highest priority on safeguarding customer data. We deeply appreciate the contributions of security researchers in strengthening our security posture and encourage their participation in the Freshworks Bug Bounty program to help us deliver a secure and trusted experience for our customers.\n\n# Response Targets\nIf you discover a security vulnerability and report it in accordance with this policy, we will make reasonable efforts to:\n- Acknowledge your report within 2 days of submission\n- Triage the reported vulnerability within a maximum of 7 business days, depending on ticket volume\n- Remediate the vulnerability in line with our security and privacy commitments\n- Resolve the issue based on its severity and complexity\n\nWe will strive to keep you informed of our progress throughout the entire process.\n\n# Guidelines\n* Do not attempt to compromise the confidentiality, integrity, and availability of our services/customer data or circumvent our privacy protections.\n* Do not publicly disclose a bug either before or after it has been fixed. Do not upload information about the vulnerability on any site. This includes posting about it or uploading videos to YouTube, Vimeo, Twitter, etc., even if marked private.\n* Do not attempt to gain access to customer accounts or data.\n* Do not run automated scanners or any attack that could harm the reliability/integrity of our services or data.\n* Do not take a reverse shell. If you happen to find an RCE, please execute only harmless commands such as \"whoami\", \"id\" or \"hostname\". Taking a reverse shell will violate the program policy and unnecessarily trigger a security incident analysis by the Freshworks CIRT team.\n* Do not exploit the SQL Injection vulnerability by running SQLmap or any other automated SQLi exploitation tool. Use harmless commands such as \"sleep(5)\", \"DB version()\", etc. 
If you suspect the presence of the SQL Injection vulnerability, please report it. We will validate it from our side.\n* Do not use the exfiltrated EC2 metadata secrets to access the AWS resources if you find an SSRF. We will validate the impact from our side.\n* Use \"document.domain\" for XSS report submission. Only the domains mentioned in the \"In-scope\" section will be considered.\n* DoS/DDoS/Spam attacks are not allowed.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* Freshworks' current and former employees and contractors, as well as their family members, are strictly prohibited from participating in the Program, or sharing information with an external security researcher to bypass this prohibition.\n* No breaching of any NDA, employee, customer or contractor agreements.\n* Leveraging customer accounts, interacting with real customers, or interacting with customers' public websites is forbidden.\n* Do not store, share, compromise or destroy any Freshworks or customer data while conducting research activities. If personally identifiable information (PII) is encountered, you are required to stop and immediately notify us.\n* Use specific test accounts only.\n\n# Disclosure Policy\n• We do not permit public disclosure. This includes sharing details with anyone, including - but not limited to - private hacker websites or forums, social media platforms, and blogs, even after the issue has been remediated.\n• Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Reporting\nPlease submit your report on HackerOne using the format outlined below. Do not disclose any information about the suspected security vulnerability in any public forum without our prior written consent. 
Reports that do not follow this format will not be eligible for the bug bounty program.\n\n* Vulnerability category\n* Affected endpoint and parameter\n* Detailed description of the vulnerability\n* Step-by-step reproduction details, including a video proof of concept (PoC)\n* Freshworks mobile app Android/iOS version and the device or emulator used for testing (applicable to mobile app vulnerabilities only)\n* Exploitable scenario\n* Recommended mitigation for the vulnerability\n\n# Non-Qualifying Criteria Vulnerabilities / Known Issues\n- HTML injection, Hyperlink injection, Self-XSS \u0026 XSS without any impact\n- XSS execution in the context of the AWS S3 bucket.\n- Host header and banner grabbing issues\n- Automated tool scan reports. Examples: web, SSL/TLS scan, Nmap scan results, etc.\n- Missing HTTP security headers and cookie flags on insensitive cookies\n- Rate limiting, brute-force attacks\n- Race conditions without security impact.\n- DNS IP Ping back request / Private IP Disclosure\n- Homograph attack\n- Login/logout CSRF\n- Session-related issues\n- Email Spoofing\n- Unrestricted file upload\n- Open redirections - Unless you can chain open redirection to XSS, stealing tokens, or any other security impactful bugs.\n- Disclosure of AWS S3 presigned URL. This is not a security vulnerability.\n- Information disclosures in \"/.well-known/\" folder path locations unless it's sensitive.\n- Vulnerabilities affecting Freshworks sandboxed environment.\n- Formula/CSV Injection, Broken Link Hijacking\n- Vulnerabilities that require physical access to the victim machine.\n- User enumeration such as user email, user ID, etc.\n- Phishing / Spam (including issues related to SPF/DKIM/DMARC). 
Missing email best practices (invalid, incomplete, or missing SPF/DKIM/DMARC/CAA records, etc.)\n- Vulnerabilities found in third-party services\n- EXIF data not stripped on images\n- Any activity that could lead to the disruption of our service (DoS)\n- Able to retrieve user's public information\n- Tabnabbing\n- CSP Weaknesses\n- Use of a known-vulnerable library (without evidence of exploitability)\n- Information Exposure from Public Sources\n- Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n- Password Token Not Expired / Password Token Leaking to third-party Sites / Weak Password Policy / Password best practices\n- No password length or Long Password Upon Sign-up / Password Re-Use\n- Concurrent Sessions / Number of Parallel Sessions\n- Best practices concerns\n- Any vulnerabilities requiring significant and unlikely interaction by the victim, such as disabling browser controls\n- Exposed login panels without an accompanying proof-of-concept demonstrating a vulnerability or path of exploitation\n- Dangling IP takeover.\n- Clickjacking that doesn't have significant security impact\n- Subdomain takeovers\n- Vulnerabilities identified in Freshworks Acquired Products / Services\n- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n- Reports on third-party products, services, or applications not owned by Freshworks\n- Able to create support tickets using known email IDs (this is our product's intended behaviour)\n\n# Out of Scope bugs for Android and iOS apps\n- Any URIs leaked because a malicious app has permission to view URIs opened\n- Sensitive data in URLs/request bodies when protected by TLS\n- Path disclosure in the binary\n- Strandhogg / Task Hijacking\n- Lack of obfuscation and binary protection\n- Lack of exploit mitigations such as PIE, ARC, or stack canaries\n- Absence of certificate pinning\n- Lack of obfuscation, jailbreak and root detection\n- Any kind of sensitive/encrypted data stored in app private directory\n- OAuth \u0026 app secret hard-coded/recoverable in IPA\n- Crashes due to malformed URL Schemes\n- Runtime hacking exploits using tools like but not limited to Frida/AppMon (exploits only possible in a jailbroken environment \u0026 root permission)\n- Snapshot/Pasteboard leakage\n- Shared links leaked through the system clipboard.\n- Intent or URL Redirection leading to phishing\n- Third-party library 0-day\n\n## Any findings that do not show an impact to the user or product will not be accepted.\n\nWe will recognize and reward only the first reporter of a valid vulnerability. Duplicate reports will not be considered. The same vulnerability identified in multiple areas of the same or different products will be treated as a single issue. Since our web and mobile applications share the same APIs, an access control issue found in the web application that also affects the mobile application will be considered one vulnerability.\n\n# Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring System). Please note these are general guidelines, and reward decisions are up to the discretion of Freshworks.\nYou are responsible for paying any taxes associated with the reward. 
Submissions from countries where we are prohibited by law from making payments, such as the [US Sanction Lists](https://ofac.treasury.gov/sanctions-programs-and-country-information), are ineligible for rewards.\n\n# Eligibility for Critical Severity Reward\nFreshworks operates a multi‑tenant, subscription‑based SaaS model. We classify as \"Critical\" those vulnerability categories that impact the Freshworks platform globally, rather than issues confined to an individual Freshworks instance. These include, but are not limited to:\n- SQL injection vulnerabilities that could lead to database information disclosure\n- Command or code injection vulnerabilities impacting the Freshworks environment\n- Server‑Side Request Forgery (SSRF) vulnerabilities that could result in the exfiltration of AWS credentials or similar sensitive data\n\nIn short, vulnerabilities that affect only an individual Freshworks product instance will not be classified as \"Critical\" severity.\n\n# Reward Assessment Guidelines\nIn certain situations, no bounty or only a minimum bonus may be awarded. Some of the most common examples include:\n\n1. Same vulnerability across different paths or hosts\nIf you believe a vulnerability exists on multiple (unique) paths or hosts, please include all affected paths and hosts in a single report. Submitting separate reports for the same vulnerability identified later on different paths or hosts will be considered duplicate submissions.\n\n2. Same payload or issue across different parameters or functionality\nReports describing the same vulnerability affecting multiple parameters within a resource or across similar functionality, or demonstrating multiple attack vectors for a single feature, will be treated as duplicates. 
We encourage consolidating such findings into one comprehensive report rather than submitting them separately.\n\n# In Scope\n- [Yourdomain].freshdesk.com\n- [Yourdomain].freshservice.com\n- [Yourdomain].freshchat.com\n- [Yourdomain].freshcaller.com\n- [Yourdomain].myfreshworks.com\n\n# Important Note - Out of scope\nDue to a product revamp, we have decided to remove the Freshsales and Freshmarketer products from the HackerOne \"In-scope\" items. This policy will be effective from Nov 26th, 2024. Any bugs reported by HackerOne researchers before Nov 26th, 2024 will be considered by the team.\n\nFreshsales - https://yourdomain.myfreshworks.com/crm/sales/\nFreshmarketer - https://yourdomain.myfreshworks.com/crm/crm/marketer/\n\n**If you are unsure about a domain, email us at \"security[at] freshworks.com\" before spending time on it. Any findings apart from the specified scope will be considered as a non-qualifying bug.**\n\n# Test Plan\n\n## Automated scanning is strictly prohibited. Failing to comply might get you banned from the program.\n\nTo participate in our program, you must:\n* Create a trial account using your HackerOne email alias \u003chackerone-username\u003e@wearehackerone.com\n* Provide your IP address in the bug report. We will keep this data private and only use it to review logs related to your testing activity.\n\nInclude a custom HTTP header in all your traffic. Burp and other proxies allow the easy automatic addition of headers to all outbound requests.\n\n| Identifier | Format | Example |\n|------------|--------|---------|\n| Username | X-Bug-Bounty:HackerOne-\u003cusername\u003e | X-Bug-Bounty:HackerOne-Warrior |\n\nWhen testing for a bug, please also keep in mind:\nMinimize the mayhem. Adhere to program rules at all times. 
Do not use automated scanners/tools - these tools include payloads that could trigger state changes or damage production systems and/or data.\n\n# Go to the links below to start a free trial of the Freshworks suite of products\n- Freshdesk Omnichannel Suite - https://freshdesk.com/omnichannel-signup\n- Freshdesk Support Desk - https://freshdesk.com/signup\n- Freshdesk Contact Center - https://www.freshworks.com/freshcaller-cloud-pbx/signup/\n- Freshchat - https://www.freshworks.com/live-chat-software/signup/\n- Freshservice - https://freshservice.com/signup\n- Freshsales Suite - https://www.freshworks.com/crm/signup/?plan_id=suite\n- Freshsales - https://www.freshworks.com/crm/signup\n- Freshmarketer - https://www.freshworks.com/crm/marketing/signup/\n\n# Our Business Suites Overview:\nThis section describes Product Suites and information about respective user roles. Vulnerabilities related to Access Control will be treated based on this behaviour, and issues affecting \"Cross Accounts / Organization\" will take precedence.\n\n**Customer Service Products - Freshdesk / Freshchat / Freshcaller**\n\nUsers of these suites are classified as _Requesters_ and _Agents_, where _Requesters_ are public users and _Agents_ are support executives/employees of an organization.\n\nVulnerabilities affecting Agent users from a Requester viewpoint will be considered more impactful than those involving only Agents.\n\n**IT Service Products - Freshservice**\n**CRM Products - Freshsales / Freshmarketer**\n\nThese products are classified as _Internal_ applications within the organisation. Hence, their users are likely to be employees of an organization, so successful exploitation of any vulnerability requires an attacker to be part of the organisation / internal system.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Freshworks and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-02-16T10:26:32.625Z"},{"id":3745239,"new_policy":"# Freshworks Bug Bounty Program\nFreshworks is committed to protecting customer data with the highest priority. We genuinely value the contribution of security researchers in supporting the organization's security posture. Thus, we encourage them to participate in the Freshworks Bug Bounty program and help us achieve our objective of providing a secure computing experience to our customers.\n\n# Response Targets\nIf you identify a security vulnerability in compliance with this policy, we will use reasonable efforts to:\n- Acknowledge the report within 2 days of submission\n- Triage the reported vulnerability based on the volume of tickets within a maximum period of 7 business days\n- Fix the vulnerability in accordance with our commitments to security and privacy.\n- Time to Resolution depends on severity and complexity\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Guidelines\n\n* Do not attempt to compromise the confidentiality, integrity, and availability of our services/customer data or circumvent our privacy protections.\n* Do not publicly disclose a bug either before or after it has been fixed. Do not upload information about the vulnerability on any site. 
This includes posting about it or uploading videos to YouTube, Vimeo, Twitter, etc., even if marked private.\n* Do not attempt to gain access to customer accounts or data.\n* Do not run automated scanners or any attack that could harm the reliability/integrity of our services or data.\n* Do not take a reverse shell. If you happen to find an RCE, please execute only harmless commands such as \"whoami\", \"id\" or \"hostname\". Taking a reverse shell will violate the program policy and unnecessarily trigger a security incident analysis by the Freshworks CIRT team.\n* Do not exploit the SQL Injection vulnerability by running SQLmap or any other automated SQLi exploitation tool. Use harmless commands such as \"sleep(5)\", \"DB version()\", etc. If you suspect the presence of the SQL Injection vulnerability, please report it. We will validate it from our side.\n* Do not use the exfiltrated EC2 metadata secrets to access the AWS resources if you find an SSRF. We will validate the impact from our side.\n* Use \"document.domain\" for XSS report submission. Only the domains mentioned in the \"In-scope\" section will be considered.\n* DoS/DDoS/Spam attacks are not allowed.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* Freshworks' current and former employees and contractors, as well as their family members, are strictly prohibited from participating in the Program, or sharing information with an external security researcher to bypass this prohibition.\n* No breaching of any NDA, employee, customer or contractor agreements.\n* Leveraging customer accounts, interacting with real customers, or interacting with customers' public websites is forbidden.\n* Do not store, share, compromise or destroy any Freshworks or customer data while conducting research activities. 
If personally identifiable information (PII) is encountered, you are required to stop and immediately notify us.\n* Use specific test accounts only.\n\n# Disclosure Policy\n• We do not allow public disclosure. This means disclosure to anyone, including but not limited to private \"hacker\" websites and forums, social media platforms, and blogs.\n• Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Reporting\nPlease submit your report in the below-mentioned format on HackerOne. Do not disclose any details about the suspected security vulnerability in any public forum without prior written consent from us. Any deviation from the below format will not be eligible for our bug bounty program:\n\n* Vulnerability category\n* Affected endpoint and parameter\n* A detailed description of the vulnerability\n* Detailed steps to reproduce and video PoC\n* Android/iOS version of the Freshworks mobile app and the device/emulator used while testing the application (applicable to vulnerabilities identified in mobile apps)\n* Exploitable scenario\n* Mitigation of vulnerability\n\n# Non-Qualifying Criteria Vulnerabilities / Known Issues\n- HTML injection, Hyperlink injection, Self-XSS \u0026 XSS without any impact\n- XSS execution in the context of the AWS S3 bucket.\n- Host header and banner grabbing issues\n- Automated tool scan reports. Examples: web, SSL/TLS scan, Nmap scan results, etc.\n- Missing HTTP security headers and cookie flags on insensitive cookies\n- Rate limiting, brute-force attacks\n- Race conditions without security impact.\n- DNS IP Ping back request / Private IP Disclosure\n- Homograph attack\n- Login/logout CSRF\n- Session-related issues\n- Email Spoofing\n- Unrestricted file upload\n- Open redirections - Unless you can chain open redirection to XSS, stealing tokens, or any other security impactful bugs.\n- Disclosure of AWS S3 presigned URL. This is not a security vulnerability. 
\n- Information disclosures in \"/.well-known/\" folder path locations unless it's sensitive.\n- Vulnerabilities affecting Freshworks sandboxed environment.\n- Formula/CSV Injection, Broken Link Hijacking\n- Vulnerabilities that require physical access to the victim machine.\n- User enumeration such as user email, user ID, etc.\n- Phishing / Spam (including issues related to SPF/DKIM/DMARC). Missing email best practices (invalid, incomplete, or missing SPF/DKIM/DMARC/CAA records, etc.)\n- Vulnerabilities found in third-party services\n- EXIF data not stripped on images\n- Any activity that could lead to the disruption of our service (DoS)\n- Able to retrieve user's public information\n- Tabnabbing\n- CSP Weaknesses\n- Use of a known-vulnerable library (without evidence of exploitability)\n- Information Exposure from Public Sources\n- Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n- Password Token Not Expired / Password Token Leaking to third-party Sites / Weak Password Policy / Password best practices\n- No password length or Long Password Upon Sign-up / Password Re-Use\n- Concurrent Sessions / Number of Parallel Sessions\n- Best practices concerns\n- Any vulnerabilities requiring significant and unlikely interaction by the victim, such as disabling browser controls\n- Exposed login panels without an accompanying proof-of-concept demonstrating a vulnerability or path of exploitation\n- Dangling IP takeover.\n- Clickjacking that doesn't have significant security impact\n- Subdomain takeovers\n- Vulnerabilities identified in Freshworks Acquired Products / Services\n- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n- Reports on third-party products, services, or applications not owned by Freshworks\n- Able to create support tickets using known email IDs (this is our product's intended behaviour)\n\n# Out of Scope bugs for Android and iOS apps\n- Any URIs leaked because a malicious app has permission to view URIs opened\n- Sensitive data in URLs/request bodies when protected by TLS\n- Path disclosure in the binary\n- Strandhogg / Task Hijacking\n- Lack of obfuscation and binary protection\n- Lack of exploit mitigations such as PIE, ARC, or stack canaries\n- Absence of certificate pinning\n- Lack of obfuscation, jailbreak and root detection\n- Any kind of sensitive/encrypted data stored in app private directory\n- OAuth \u0026 app secret hard-coded/recoverable in IPA\n- Crashes due to malformed URL Schemes\n- Runtime hacking exploits using tools like but not limited to Frida/AppMon (exploits only possible in a jailbroken environment \u0026 root permission)\n- Snapshot/Pasteboard leakage\n- Shared links leaked through the system clipboard.\n- Intent or URL Redirection leading to phishing\n- Third-party library 0-day\n\n## Any findings that do not show an impact to the user or product will not be accepted.\n\nWe will only recognize the first reporter with a valid vulnerability, and duplicates will not be considered. Also, the same vulnerability in multiple areas across the same/different product will be treated as one vulnerability. We share the same APIs between web and mobile applications. An access control issue on the web application will likely be observed in mobile applications, and it will be considered a single bug.\n\n# Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring System). Please note these are general guidelines, and reward decisions are up to the discretion of Freshworks.\nYou are responsible for paying any taxes associated with the reward. 
Submissions from countries where we are prohibited by law from making payments, such as the [US Sanction Lists](https://ofac.treasury.gov/sanctions-programs-and-country-information), are ineligible for rewards.\n\n# Reward Assessment Guidelines\n\nThere may be some situations that arise for which no bounty or a minimum bonus will be awarded. Here are a few of the most common examples:\n\n**1. Same vulnerability on different paths or hosts:**\n\nIf you believe a vulnerability may exist on a different (unique) path or host, please submit all affected paths and hosts in the same report. However, if you subsequently identify the same vulnerability on a different path/host in a new report submission, such reports will be treated as a duplicate.\n\n**2. Same payload/issue, different parameter or functionality:**\n\nFor example, multiple reports of the same vulnerability across different parameters of a resource/functionality, or demonstrations of multiple attack vectors against a single feature/functionality, will be treated as duplicates. We kindly ask you to consolidate reports rather than separate them.\n\n# In Scope\n\n- [Yourdomain].freshdesk.com\n- [Yourdomain].freshservice.com\n- [Yourdomain].freshchat.com\n- [Yourdomain].freshcaller.com\n- [Yourdomain].myfreshworks.com\n- Freshservice Discovery Agent and Probe\n\n# Important Note - Out of scope\nDue to a product revamp, we have decided to remove the Freshsales and Freshmarketer products from the HackerOne \"In-scope\" items. This policy will be effective from Nov 26th, 2024. Any bugs reported by HackerOne researchers before Nov 26th, 2024 will be considered by the team.\n\nFreshsales - https://yourdomain.myfreshworks.com/crm/sales/\nFreshmarketer - https://yourdomain.myfreshworks.com/crm/crm/marketer/\n\n**If you are unsure about a domain, email us at \"security[at] freshworks.com\" before spending time on it. 
Any findings apart from the specified scope will be considered as a non-qualifying bug.**\n\n# Test Plan\n\n## Automated scanning is strictly prohibited. Failing to comply might get you banned from the program.\n\nTo participate in our program, you must:\n* Create a trial account using your HackerOne email alias \u003chackerone-username\u003e@wearehackerone.com\n* Provide your IP address in the bug report. We will keep this data private and only use it to review logs related to your testing activity.\n\nInclude a custom HTTP header in all your traffic. Burp and other proxies allow the easy automatic addition of headers to all outbound requests.\n\n| Identifier | Format | Example |\n|------------|--------|---------|\n| Username | X-Bug-Bounty:HackerOne-\u003cusername\u003e | X-Bug-Bounty:HackerOne-Warrior |\n\nWhen testing for a bug, please also keep in mind:\nMinimize the mayhem. Adhere to program rules at all times. 
Do not use automated scanners/tools - these tools include payloads that could trigger state changes or damage production systems and/or data.\n\n# Go to the links below to start a free trial of the Freshworks suite of products\n- Freshdesk Omnichannel Suite - https://freshdesk.com/omnichannel-signup\n- Freshdesk Support Desk - https://freshdesk.com/signup\n- Freshdesk Contact Center - https://www.freshworks.com/freshcaller-cloud-pbx/signup/\n- Freshchat - https://www.freshworks.com/live-chat-software/signup/\n- Freshservice - https://freshservice.com/signup\n- Freshsales Suite - https://www.freshworks.com/crm/signup/?plan_id=suite\n- Freshsales - https://www.freshworks.com/crm/signup\n- Freshmarketer - https://www.freshworks.com/crm/marketing/signup/\n\n# Freshservice Discovery Agent and Probe\n- Discovery Agent - Collects the machine’s hardware and software information and updates the Freshservice account regularly without needing further intervention from the respective user(s)\n- Discovery Probe - Automatically scans and identifies any assets in your network through a domain or IP range scan. Once the assets are identified the first time, they are then updated periodically in the Freshservice account based on a schedule that you can control.\n\nRefer to the following article for more information: https://support.freshservice.com/en/support/solutions/articles/223633-discovering-and-managing-it-assets-with-freshservice-discovery-beginner-s-guide\n\n# Our Business Suites Overview:\nThis section describes Product Suites and information about respective user roles. 
Vulnerabilities related to Access Control will be treated based on this behaviour, and issues affecting \"Cross Accounts / Organization\" will take precedence.\n\n**Customer Service Products - Freshdesk / Freshchat / Freshcaller**\n\nUsers of these suites are classified as _Requesters_ and _Agents_, where _Requesters_ are public users and _Agents_ are support executives/employees of an organization.\n\nVulnerabilities affecting Agent users from a Requester viewpoint will be considered more impactful than those involving only Agents.\n\n**IT Service Products - Freshservice**\n**CRM Products - Freshsales / Freshmarketer**\n\nThese products are classified as _Internal_ applications within the organisation. Hence, their users are likely to be employees of an organization, so successful exploitation of any vulnerability requires an attacker to be part of the organisation / internal system.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Freshworks and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-11-25T17:55:54.804Z"},{"id":3725836,"new_policy":"# Freshworks Bug Bounty Program\nFreshworks is committed to protecting customer data with the highest priority. We genuinely value the contribution of security researchers in supporting the organization's security posture. 
Thus, we encourage them to participate in the Freshworks Bug Bounty program and help us achieve our objective of providing a secure computing experience to our customers.\n\n# Response Targets\nIf you identify a security vulnerability in compliance with this policy, we will use reasonable efforts to:\n- Acknowledge the report within 2 days of submission\n- Triage the reported vulnerability based on the volume of tickets within a maximum period of 7 business days\n- Fix the vulnerability in accordance with our commitments to security and privacy\n- Time to resolution depends on severity and complexity\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Guidelines\n\n* Do not attempt to compromise the confidentiality, integrity, and availability of our services/customer data or circumvent our privacy protections.\n* Do not publicly disclose a bug either before or after it has been fixed. Do not upload information about the vulnerability on any site. This includes posting about it or uploading videos to YouTube, Vimeo, Twitter, etc., even if marked private.\n* Do not attempt to gain access to customer accounts or data.\n* Do not run automated scanners or any attack that could harm the reliability/integrity of our services or data.\n* Do not take a reverse shell. If you happen to find an RCE, please execute only harmless commands such as \"whoami\", \"id\" or \"hostname\". Taking a reverse shell will violate the program policy and unnecessarily trigger a security incident analysis by the Freshworks CIRT team.\n* Do not exploit the SQL Injection vulnerability by running SQLmap or any other automated SQLi exploitation tool. Use harmless commands such as \"sleep(5)\", \"DB version()\", etc. If you suspect the presence of the SQL Injection vulnerability, please report it. We will validate it from our side.\n* Do not use the exfiltrated EC2 metadata secrets to access the AWS resources if you find an SSRF. 
We will validate the impact from our side.\n* Use \"document.domain\" for XSS report submission. Only the domains mentioned in the \"In Scope\" section will be considered.\n* DoS/DDoS/Spam attacks are not allowed.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* Freshworks' current and former employees and contractors, as well as their family members, are strictly prohibited from participating in the Program or from sharing information with an external security researcher to bypass this prohibition.\n* No breaching of any NDA, employee, customer or contractor agreements.\n* Leveraging customer accounts, interacting with real customers, or interacting with customers’ public websites is forbidden.\n* Do not store, share, compromise or destroy any Freshworks or customer data while conducting research activities. If personally identifiable information (PII) is encountered, you are required to stop and immediately notify us.\n* Use specific test accounts only.\n\n# Disclosure Policy\n• We do not allow public disclosure. This means disclosure to anyone, including but not limited to private \"hacker\" websites and forums, social media platforms, and blogs.\n• Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Reporting\nPlease submit your report on HackerOne in the format below. Do not disclose any details about the suspected security vulnerability in any public forum without prior written consent from us. 
Any deviation from the format below will make the report ineligible for our bug bounty program:\n\n* Vulnerability category\n* Affected endpoint and parameter\n* A detailed description of the vulnerability\n* Detailed steps to reproduce and video PoC\n* Android/iOS version of the Freshworks mobile app and the device/emulator used while testing the application (applicable to vulnerabilities identified in mobile apps)\n* Exploitable scenario\n* Mitigation of the vulnerability\n\n# Non-Qualifying Criteria Vulnerabilities / Known Issues\n- HTML injection, hyperlink injection, Self-XSS \u0026 XSS that doesn't have any impact\n- XSS execution in the context of the AWS S3 bucket\n- Host header and banner grabbing issues\n- Automated tool scan reports. Example: web, SSL/TLS scan, Nmap scan results, etc.\n- Missing HTTP security headers and cookie flags on insensitive cookies\n- Rate limiting, brute force attack\n- Race conditions without security impact\n- DNS IP ping back request / Private IP disclosure\n- Homograph attack\n- Login/logout CSRF\n- Session-related issues\n- Email spoofing\n- Unrestricted file upload\n- Open redirections, unless you can chain the open redirection to XSS, token theft, or any other security-impactful bug\n- Disclosure of AWS S3 presigned URL. This is not a security vulnerability.\n- Information disclosures in \"/.well-known/\" folder path locations unless they are sensitive\n- Vulnerabilities affecting the Freshworks sandboxed environment\n- Formula/CSV injection, broken link hijacking\n- Vulnerabilities that require physical access to the victim machine\n- User enumeration such as user email, user ID, etc.\n- Phishing / Spam (including issues related to SPF/DKIM/DMARC). 
Missing email best practices (invalid, incomplete, or missing SPF/DKIM/DMARC/CAA records, etc.)\n- Vulnerabilities found in third-party services\n- EXIF data not stripped from images\n- Any activity that could lead to the disruption of our service (DoS)\n- Ability to retrieve a user's public information\n- Tabnabbing\n- CSP weaknesses\n- Use of a known-vulnerable library (without evidence of exploitability)\n- Information exposure from public sources\n- Vulnerabilities only affecting users of outdated or unpatched browsers [less than 2 stable versions behind the latest released stable version]\n- Password token not expired / password token leaking to 3rd-party sites / weak password policy / password best practices\n- No password length or long password upon sign-up / password re-use\n- Concurrent sessions / number of parallel sessions\n- Best practice concerns\n- Any vulnerabilities requiring significant and unlikely interaction by the victim, such as disabling browser controls\n- Exposed login panels without an accompanying proof-of-concept demonstrating a vulnerability or path of exploitation\n- Dangling IP takeover\n- Clickjacking that doesn't have significant security impact\n- Subdomain takeovers\n- Vulnerabilities identified in Freshworks acquired products / services\n- Software version disclosure / banner identification issues / descriptive error messages or headers (e.g. 
stack traces, application or server errors)\n- Reports on third-party products, services, or applications not owned by Freshworks\n- Ability to create support tickets using known email IDs (this is our product's intended behaviour)\n\n# Out of Scope bugs for Android and iOS apps\n- Any URIs leaked because a malicious app has permission to view URIs opened\n- Sensitive data in URLs/request bodies when protected by TLS\n- Path disclosure in the binary\n- Strandhogg / Task Hijacking\n- Lack of obfuscation and binary protection\n- Lack of exploit mitigations, i.e., PIE, ARC, or stack canaries\n- Absence of certificate pinning\n- Lack of obfuscation, jailbreak and root detection\n- Any kind of sensitive/encrypted data stored in the app's private directory\n- OAuth \u0026 app secret hard-coded/recoverable in the IPA\n- Crashes due to malformed URL schemes\n- Runtime hacking exploits using tools like, but not limited to, Frida/Appmon (exploits only possible in a jailbroken environment \u0026 with root permission)\n- Snapshot/Pasteboard leakage\n- Shared links leaked through the system clipboard\n- Intent or URL redirection leading to phishing\n- Third-party library 0-day\n\n## Any findings that do not show an impact to the user or product will not be accepted.\nWe will only recognize the first reporter of a valid vulnerability, and duplicates will not be considered. Also, the same vulnerability in multiple areas across the same/different product will be treated as one vulnerability. We share the same APIs between web and mobile applications, so an access control issue on the web application will likely also be observed in the mobile applications, and it will be considered a single bug.\n\n# Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring System). Please note these are general guidelines, and reward decisions are at the discretion of Freshworks.\nYou are responsible for paying any taxes associated with the reward. 
Submissions from countries where we are prohibited by law from making payments, such as those on the [US Sanction Lists](https://ofac.treasury.gov/sanctions-programs-and-country-information), are ineligible for rewards.\n\n# Reward Assessment Guidelines\n\nThere may be some situations in which no bounty or only a minimum bonus will be awarded. Here are a few of the most common examples:\n\n**1. Same vulnerability on different paths or hosts:**\n\nIf you believe a vulnerability may exist on a different (unique) path or host, please submit all affected paths and hosts in the same report. If you subsequently report the same vulnerability on a different path/host in a new submission, that report will be treated as a duplicate.\n\n**2. Same payload/issue, different parameter / functionality:**\n\nFor example, multiple reports of the same vulnerability across different parameters of a resource/functionality, or demonstrations of multiple attack vectors against a single feature/functionality, will be treated as duplicates. We kindly ask you to consolidate reports rather than separate them.\n\n# In Scope\n\n- [Yourdomain].freshdesk.com\n- [Yourdomain].freshservice.com\n- [Yourdomain].freshchat.com\n- [Yourdomain].freshcaller.com\n- [Yourdomain].myfreshworks.com\n- Freshservice Discovery Agent and Probe\n\n**If you are unsure about a domain, email us at \"security[at]freshworks.com\" before spending time on it. Any findings outside the specified scope will be considered non-qualifying.**\n\n# Test Plan\n\n## Automated scanning is strictly prohibited. Failing to comply might get you banned from the program.\n\nTo participate in our program, you must:\n* Create a trial account using your HackerOne email alias \u003chackerone-username\u003e@wearehackerone.com\n* Provide your IP address in the bug report. We will keep this data private and only use it to review logs related to your testing activity.\n\nInclude a custom HTTP header in all your traffic. 
Burp and other proxies allow the easy automatic addition of headers to all outbound requests.\n\n| Identifier | Format                             | Example                        |\n|------------|------------------------------------|--------------------------------|\n| Username   | X-Bug-Bounty:HackerOne-\u003cusername\u003e | X-Bug-Bounty:HackerOne-Warrior |\n\nWhen testing for a bug, please also keep in mind:\nMinimize the mayhem. Adhere to program rules at all times. Do not use automated scanners/tools: these tools include payloads that could trigger state changes or damage production systems and/or data.\n\n# Go to the links below to start a free trial of the Freshworks suite of products\n- Freshdesk Omnichannel Suite - https://freshdesk.com/omnichannel-signup\n- Freshdesk Support Desk - https://freshdesk.com/signup\n- Freshdesk Contact Center - https://www.freshworks.com/freshcaller-cloud-pbx/signup/\n- Freshchat - https://www.freshworks.com/live-chat-software/signup/\n- Freshservice - https://freshservice.com/signup\n- Freshsales Suite - https://www.freshworks.com/crm/signup/?plan_id=suite\n- Freshsales - https://www.freshworks.com/crm/signup\n- Freshmarketer - https://www.freshworks.com/crm/marketing/signup/\n\n# Freshservice Discovery Agent and Probe\n- Discovery Agent - Collects the machine’s hardware and software information and updates the Freshservice account regularly without needing further intervention from the respective user(s)\n- Discovery Probe - Automatically scans and identifies any assets in your network through a domain or IP range scan. 
Once the assets are identified the first time, they are then updated periodically in the Freshservice account on a schedule that you control.\n\nRefer to the following article for more information: https://support.freshservice.com/en/support/solutions/articles/223633-discovering-and-managing-it-assets-with-freshservice-discovery-beginner-s-guide\n\n# Our Business Suites Overview\nThis section describes our product suites and their respective user roles. Vulnerabilities related to Access Control will be treated based on this behaviour, and issues affecting \"Cross Accounts / Organization\" will take precedence.\n\n**Customer Service Products - Freshdesk / Freshchat / Freshcaller**\n\nUsers of these suites are classified as _Requesters_ and _Agents_, where _Requesters_ are public users and _Agents_ are support executives/employees of an organization.\n\nVulnerabilities affecting Agent users from a Requester viewpoint will be considered more impactful than those involving only Agents.\n\n**IT Service Products - Freshservice**\n**CRM Products - Freshsales / Freshmarketer**\n\nThese products are classified as _Internal_ applications within an organisation. Hence, their users are likely to be considered employees of that organization, so successful exploitation of any vulnerability requires an attacker to already be part of the organisation / internal system.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct, and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Freshworks and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-05-13T08:29:00.698Z"},{"id":3725208,"new_policy":"# Freshworks Bug Bounty Program\nFreshworks is committed to protecting customer data with the highest priority. We genuinely value the contribution of security researchers in supporting the organization's security posture. Thus, we encourage them to participate in the Freshworks Bug Bounty program and help us achieve our objective of providing a secure computing experience to our customers.\n\n# Response Targets\nIf you identify a security vulnerability in compliance with this policy, we will use reasonable efforts to:\n- Acknowledge the report within 2 days of submission\n- Triage the reported vulnerability within a maximum period of 7 business days, depending on the volume of tickets\n- Fix the vulnerability in accordance with our commitments to security and privacy\n- Resolve the issue in a time frame that depends on its severity and complexity\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Guidelines\n\n* Do not attempt to compromise the confidentiality, integrity, and availability of our services/customer data or circumvent our privacy protections.\n* Do not publicly disclose a bug either before or after it has been fixed. Do not upload information about the vulnerability on any site. 
This restriction includes uploading posts or videos to YouTube, Vimeo, Twitter, etc., even if marked private.\n* Do not attempt to gain access to customer accounts or data.\n* Do not run automated scanners or any attack that could harm the reliability/integrity of our services or data.\n* Do not take a reverse shell. If you happen to find an RCE, please execute only harmless commands such as \"whoami\", \"id\" or \"hostname\". Taking a reverse shell will violate the program policy and unnecessarily trigger a security incident analysis by the Freshworks CIRT team.\n* Do not exploit a SQL Injection vulnerability by running SQLmap or any other automated SQLi exploitation tool. Use harmless commands such as \"sleep(5)\", \"DB version()\", etc. If you suspect the presence of a SQL Injection vulnerability, please report it. We will validate it from our side.\n* If you find an SSRF, do not use exfiltrated EC2 metadata secrets to access AWS resources. We will validate the impact from our side.\n* Use \"document.domain\" for XSS report submission. Only the domains mentioned in the \"In Scope\" section will be considered.\n* DoS/DDoS/Spam attacks are not allowed.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* Freshworks' current and former employees and contractors, as well as their family members, are strictly prohibited from participating in the Program or from sharing information with an external security researcher to bypass this prohibition.\n* No breaching of any NDA, employee, customer or contractor agreements.\n* Leveraging customer accounts, interacting with real customers, or interacting with customers’ public websites is forbidden.\n* Do not store, share, compromise or destroy any Freshworks or customer data while conducting research activities. 
If personally identifiable information (PII) is encountered, you are required to stop and immediately notify us.\n* Use specific test accounts only.\n\n# Disclosure Policy\n• We do not allow public disclosure. This means disclosure to anyone, including but not limited to private \"hacker\" websites and forums, social media platforms, and blogs.\n• Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Reporting\nPlease submit your report on HackerOne in the format below. Do not disclose any details about the suspected security vulnerability in any public forum without prior written consent from us. Any deviation from the format below will make the report ineligible for our bug bounty program:\n\n* Vulnerability category\n* Affected endpoint and parameter\n* A detailed description of the vulnerability\n* Detailed steps to reproduce and video PoC\n* Exploitable scenario\n* Mitigation of the vulnerability\n\n# Non-Qualifying Criteria Vulnerabilities / Known Issues\n- HTML injection, hyperlink injection, Self-XSS \u0026 XSS that doesn't have any impact\n- XSS execution in the context of the AWS S3 bucket\n- Host header and banner grabbing issues\n- Automated tool scan reports. Example: web, SSL/TLS scan, Nmap scan results, etc.\n- Missing HTTP security headers and cookie flags on insensitive cookies\n- Rate limiting, brute force attack\n- Race conditions without security impact\n- DNS IP ping back request / Private IP disclosure\n- Homograph attack\n- Login/logout CSRF\n- Session-related issues\n- Email spoofing\n- Unrestricted file upload\n- Open redirections, unless you can chain the open redirection to XSS, token theft, or any other security-impactful bug\n- Disclosure of AWS S3 presigned URL. This is not a security vulnerability.
\n- Information disclosures in \"/.well-known/\" folder path locations unless they are sensitive\n- Vulnerabilities affecting the Freshworks sandboxed environment\n- Formula/CSV injection, broken link hijacking\n- Vulnerabilities that require physical access to the victim machine\n- User enumeration such as user email, user ID, etc.\n- Phishing / Spam (including issues related to SPF/DKIM/DMARC). Missing email best practices (invalid, incomplete, or missing SPF/DKIM/DMARC/CAA records, etc.)\n- Vulnerabilities found in third-party services\n- EXIF data not stripped from images\n- Any activity that could lead to the disruption of our service (DoS)\n- Ability to retrieve a user's public information\n- Tabnabbing\n- CSP weaknesses\n- Use of a known-vulnerable library (without evidence of exploitability)\n- Information exposure from public sources\n- Vulnerabilities only affecting users of outdated or unpatched browsers [less than 2 stable versions behind the latest released stable version]\n- Password token not expired / password token leaking to 3rd-party sites / weak password policy / password best practices\n- No password length or long password upon sign-up / password re-use\n- Concurrent sessions / number of parallel sessions\n- Best practice concerns\n- Any vulnerabilities requiring significant and unlikely interaction by the victim, such as disabling browser controls\n- Exposed login panels without an accompanying proof-of-concept demonstrating a vulnerability or path of exploitation\n- Dangling IP takeover\n- Clickjacking that doesn't have significant security impact\n- Subdomain takeovers\n- Vulnerabilities identified in Freshworks acquired products / services\n- Software version disclosure / banner identification issues / descriptive error messages or headers (e.g. 
stack traces, application or server errors)\n- Reports on third-party products, services, or applications not owned by Freshworks\n- Ability to create support tickets using known email IDs (this is our product's intended behaviour)\n\n# Out of Scope bugs for Android and iOS apps\n- Any URIs leaked because a malicious app has permission to view URIs opened\n- Sensitive data in URLs/request bodies when protected by TLS\n- Path disclosure in the binary\n- Strandhogg / Task Hijacking\n- Lack of obfuscation and binary protection\n- Lack of exploit mitigations, i.e., PIE, ARC, or stack canaries\n- Absence of certificate pinning\n- Lack of obfuscation, jailbreak and root detection\n- Any kind of sensitive/encrypted data stored in the app's private directory\n- OAuth \u0026 app secret hard-coded/recoverable in the IPA\n- Crashes due to malformed URL schemes\n- Runtime hacking exploits using tools like, but not limited to, Frida/Appmon (exploits only possible in a jailbroken environment \u0026 with root permission)\n- Snapshot/Pasteboard leakage\n- Shared links leaked through the system clipboard\n- Intent or URL redirection leading to phishing\n- Third-party library 0-day\n\n## Any findings that do not show an impact to the user or product will not be accepted.\nWe will only recognize the first reporter of a valid vulnerability, and duplicates will not be considered. Also, the same vulnerability in multiple areas across the same/different product will be treated as one vulnerability. We share the same APIs between web and mobile applications, so an access control issue on the web application will likely also be observed in the mobile applications, and it will be considered a single bug.\n\n# Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring System). Please note these are general guidelines, and reward decisions are at the discretion of Freshworks.\nYou are responsible for paying any taxes associated with the reward. 
Submissions from countries where we are prohibited by law from making payments, such as those on the [US Sanction Lists](https://ofac.treasury.gov/sanctions-programs-and-country-information), are ineligible for rewards.\n\n# Reward Assessment Guidelines\n\nThere may be some situations in which no bounty or only a minimum bonus will be awarded. Here are a few of the most common examples:\n\n**1. Same vulnerability on different paths or hosts:**\n\nIf you believe a vulnerability may exist on a different (unique) path or host, please submit all affected paths and hosts in the same report. If you subsequently report the same vulnerability on a different path/host in a new submission, that report will be treated as a duplicate.\n\n**2. Same payload/issue, different parameter / functionality:**\n\nFor example, multiple reports of the same vulnerability across different parameters of a resource/functionality, or demonstrations of multiple attack vectors against a single feature/functionality, will be treated as duplicates. We kindly ask you to consolidate reports rather than separate them.\n\n# In Scope\n\n- [Yourdomain].freshdesk.com\n- [Yourdomain].freshservice.com\n- [Yourdomain].freshchat.com\n- [Yourdomain].freshcaller.com\n- [Yourdomain].myfreshworks.com\n- Freshservice Discovery Agent and Probe\n\n**If you are unsure about a domain, email us at \"security[at]freshworks.com\" before spending time on it. Any findings outside the specified scope will be considered non-qualifying.**\n\n# Test Plan\n\n## Automated scanning is strictly prohibited. Failing to comply might get you banned from the program.\n\nTo participate in our program, you must:\n* Create a trial account using your HackerOne email alias \u003chackerone-username\u003e@wearehackerone.com\n* Provide your IP address in the bug report. We will keep this data private and only use it to review logs related to your testing activity.\n\nInclude a custom HTTP header in all your traffic. 
Burp and other proxies allow the easy automatic addition of headers to all outbound requests.\n\n| Identifier | Format                             | Example                        |\n|------------|------------------------------------|--------------------------------|\n| Username   | X-Bug-Bounty:HackerOne-\u003cusername\u003e | X-Bug-Bounty:HackerOne-Warrior |\n\nWhen testing for a bug, please also keep in mind:\nMinimize the mayhem. Adhere to program rules at all times. Do not use automated scanners/tools: these tools include payloads that could trigger state changes or damage production systems and/or data.\n\n# Go to the links below to start a free trial of the Freshworks suite of products\n- Freshdesk Omnichannel Suite - https://freshdesk.com/omnichannel-signup\n- Freshdesk Support Desk - https://freshdesk.com/signup\n- Freshdesk Contact Center - https://www.freshworks.com/freshcaller-cloud-pbx/signup/\n- Freshchat - https://www.freshworks.com/live-chat-software/signup/\n- Freshservice - https://freshservice.com/signup\n- Freshsales Suite - https://www.freshworks.com/crm/signup/?plan_id=suite\n- Freshsales - https://www.freshworks.com/crm/signup\n- Freshmarketer - https://www.freshworks.com/crm/marketing/signup/\n\n# Freshservice Discovery Agent and Probe\n- Discovery Agent - Collects the machine’s hardware and software information and updates the Freshservice account regularly without needing further intervention from the respective user(s)\n- Discovery Probe - Automatically scans and identifies any assets in your network through a domain or IP range scan. 
Once the assets are identified the first time, they are then updated periodically in the Freshservice account on a schedule that you control.\n\nRefer to the following article for more information: https://support.freshservice.com/en/support/solutions/articles/223633-discovering-and-managing-it-assets-with-freshservice-discovery-beginner-s-guide\n\n# Our Business Suites Overview\nThis section describes our product suites and their respective user roles. Vulnerabilities related to Access Control will be treated based on this behaviour, and issues affecting \"Cross Accounts / Organization\" will take precedence.\n\n**Customer Service Products - Freshdesk / Freshchat / Freshcaller**\n\nUsers of these suites are classified as _Requesters_ and _Agents_, where _Requesters_ are public users and _Agents_ are support executives/employees of an organization.\n\nVulnerabilities affecting Agent users from a Requester viewpoint will be considered more impactful than those involving only Agents.\n\n**IT Service Products - Freshservice**\n**CRM Products - Freshsales / Freshmarketer**\n\nThese products are classified as _Internal_ applications within an organisation. Hence, their users are likely to be considered employees of that organization, so successful exploitation of any vulnerability requires an attacker to already be part of the organisation / internal system.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct, and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Freshworks and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-05-08T05:40:03.929Z"},{"id":3724851,"new_policy":"# Freshworks Bug Bounty Program\nFreshworks is committed to protecting customer data with the highest priority. We genuinely value the contribution of security researchers in supporting the organization's security posture. Thus, we encourage them to participate in the Freshworks Bug Bounty program and help us achieve our objective of providing a secure computing experience to our customers.\n\n# Response Targets\nIf you identify a security vulnerability in compliance with this policy, we will use reasonable efforts to:\n- Acknowledge the report within 2 days of submission\n- Triage the reported vulnerability within a maximum period of 7 business days, depending on the volume of tickets\n- Fix the vulnerability in accordance with our commitments to security and privacy\n- Resolve the issue in a time frame that depends on its severity and complexity\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Guidelines\n\n* Do not attempt to compromise the confidentiality, integrity, and availability of our services/customer data or circumvent our privacy protections.\n* Do not publicly disclose a bug either before or after it has been fixed. Do not upload information about the vulnerability on any site. 
This restriction includes uploading posts or videos to YouTube, Vimeo, Twitter, etc., even if marked private.\n* Do not attempt to gain access to customer accounts or data.\n* Do not run automated scanners or any attack that could harm the reliability/integrity of our services or data.\n* Do not take a reverse shell. If you happen to find an RCE, please execute only harmless commands such as \"whoami\", \"id\" or \"hostname\". Taking a reverse shell will violate the program policy and unnecessarily trigger a security incident analysis by the Freshworks CIRT team.\n* Do not exploit a SQL Injection vulnerability by running SQLmap or any other automated SQLi exploitation tool. Use harmless commands such as \"sleep(5)\", \"DB version()\", etc. If you suspect the presence of a SQL Injection vulnerability, please report it. We will validate it from our side.\n* If you find an SSRF, do not use exfiltrated EC2 metadata secrets to access AWS resources. We will validate the impact from our side.\n* Use \"document.domain\" for XSS report submission. Only the domains mentioned in the \"In Scope\" section will be considered.\n* DoS/DDoS/Spam attacks are not allowed.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* Freshworks' current and former employees and contractors, as well as their family members, are strictly prohibited from participating in the Program or from sharing information with an external security researcher to bypass this prohibition.\n* No breaching of any NDA, employee, customer or contractor agreements.\n* Leveraging customer accounts, interacting with real customers, or interacting with customers’ public websites is forbidden.\n* Do not store, share, compromise or destroy any Freshworks or customer data while conducting research activities. 
If personally identifiable information (PII) is encountered, you are required to stop and immediately notify us.\n* Use specific test accounts only.\n\n# Disclosure Policy\n• We do not allow public disclosure. This means disclosure to anyone, including but not limited to private \"hacker\" websites and forums, social media platforms, and blogs.\n• Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Reporting\nPlease submit your report on HackerOne in the format below. Do not disclose any details about the suspected security vulnerability in any public forum without prior written consent from us. Any deviation from the format below will make the report ineligible for our bug bounty program:\n\n* Vulnerability category\n* Affected endpoint and parameter\n* A detailed description of the vulnerability\n* Detailed steps to reproduce and video PoC\n* Exploitable scenario\n* Mitigation of the vulnerability\n\n# Non-Qualifying Criteria Vulnerabilities / Known Issues\n- HTML injection, hyperlink injection, Self-XSS \u0026 XSS that doesn't have any impact\n- XSS execution in the context of the AWS S3 bucket\n- Host header and banner grabbing issues\n- Automated tool scan reports. Example: web, SSL/TLS scan, Nmap scan results, etc.\n- Missing HTTP security headers and cookie flags on insensitive cookies\n- Rate limiting, brute force attack\n- Race conditions without security impact\n- DNS IP ping back request / Private IP disclosure\n- Homograph attack\n- Login/logout CSRF\n- Session-related issues\n- Email spoofing\n- Unrestricted file upload\n- Open redirections, unless you can chain the open redirection to XSS, token theft, or any other security-impactful bug\n- Disclosure of AWS S3 presigned URL. This is not a security vulnerability.
\n- Information disclosures in \"/.well-known/\" folder path locations unless they are sensitive\n- Vulnerabilities affecting the Freshworks sandboxed environment\n- Formula/CSV injection, broken link hijacking\n- Vulnerabilities that require physical access to the victim machine\n- User enumeration such as user email, user ID, etc.\n- Phishing / Spam (including issues related to SPF/DKIM/DMARC). Missing email best practices (invalid, incomplete, or missing SPF/DKIM/DMARC/CAA records, etc.)\n- Vulnerabilities found in third-party services\n- EXIF data not stripped from images\n- Any activity that could lead to the disruption of our service (DoS)\n- Ability to retrieve a user's public information\n- Tabnabbing\n- CSP weaknesses\n- Use of a known-vulnerable library (without evidence of exploitability)\n- Information exposure from public sources\n- Vulnerabilities only affecting users of outdated or unpatched browsers [less than 2 stable versions behind the latest released stable version]\n- Password token not expired / password token leaking to 3rd-party sites / weak password policy / password best practices\n- No password length or long password upon sign-up / password re-use\n- Concurrent sessions / number of parallel sessions\n- Best practice concerns\n- Any vulnerabilities requiring significant and unlikely interaction by the victim, such as disabling browser controls\n- Exposed login panels without an accompanying proof-of-concept demonstrating a vulnerability or path of exploitation\n- Dangling IP takeover\n- Clickjacking that doesn't have significant security impact\n- Subdomain takeovers\n- Vulnerabilities identified in Freshworks acquired products / services\n- Software version disclosure / banner identification issues / descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n- Reports on third-party products, services, or applications not owned by Freshworks\n- Able to create support tickets using known email IDs (this is our product's intended behaviour)\n\n# Out of Scope bugs for Android and iOS apps\n- Any URIs leaked because a malicious app has permission to view opened URIs\n- Sensitive data in URLs/request bodies when protected by TLS\n- Path disclosure in the binary\n- Strandhogg / Task Hijacking\n- Lack of obfuscation and binary protection\n- Lack of exploit mitigations, i.e. PIE, ARC, or stack canaries\n- Absence of certificate pinning\n- Lack of obfuscation, jailbreak and root detection\n- Any kind of sensitive/encrypted data stored in the app's private directory\n- OAuth \u0026 app secret hard-coded/recoverable in the IPA\n- Crashes due to malformed URL schemes\n- Runtime hacking exploits using tools such as, but not limited to, Frida/Appmon (exploits only possible in a jailbroken environment \u0026 with root permission)\n- Snapshot/Pasteboard leakage\n- Shared links leaked through the system clipboard.\n- Intent or URL redirection leading to phishing\n- Third-party library 0-day\n\n## Any findings that do not show an impact to the user or product will not be accepted.\nWe will only recognize the first reporter of a valid vulnerability; duplicates will not be considered. Also, the same vulnerability occurring in multiple areas across the same or different products will be considered one vulnerability.\n\n# Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring System). Please note these are general guidelines, and reward decisions are up to the discretion of Freshworks.\nYou are responsible for paying any taxes associated with the reward. 
Submissions from countries where we are prohibited by law from making payments, such as those on the [US Sanction Lists](https://ofac.treasury.gov/sanctions-programs-and-country-information), are ineligible for rewards.\n\n# Reward Assessment Guidelines\n\nThere may be some situations in which no bounty or only a minimum bonus will be awarded. Here are a few of the most common examples:\n\n**1. Same vulnerability on different paths or hosts:**\n\nIf you believe a vulnerability may exist on a different (unique) path or host, please submit all affected paths and hosts in the same report. If you subsequently report the same vulnerability on a different path/host in a new submission, that report will be treated as a duplicate.\n\n**2. Same payload/issue, different parameter / functionality:**\n\nMultiple reports of the same vulnerability across different parameters of a resource/functionality, or demonstrations of multiple attack vectors against a single feature/functionality, will be treated as duplicates. We kindly ask you to consolidate reports rather than separate them.\n\n# In Scope\n\n- [Yourdomain].freshdesk.com\n- [Yourdomain].freshservice.com\n- [Yourdomain].freshchat.com\n- [Yourdomain].freshcaller.com\n- [Yourdomain].myfreshworks.com\n- Freshservice Discovery Agent and Probe\n\n**If you are unsure about a domain, email us at \"security[at] freshworks.com\" before spending time on it. Any findings apart from the specified scope will be considered non-qualifying bugs.**\n\n# Test Plan\n\n## Automated scanning is strictly prohibited. Failure to comply might get you banned from the program.\n\nTo participate in our program, you must:\n* Create a trial account using your HackerOne email alias \u003chackerone-username\u003e@wearehackerone.com\n* Provide your IP address in the bug report. We will keep this data private and only use it to review logs related to your testing activity.\n\nInclude a custom HTTP header in all your traffic. 
Burp and other proxies allow the easy automatic addition of headers to all outbound requests.\n\n| Identifier | Format                             | Example                        |\n|------------|------------------------------------|--------------------------------|\n| Username   | X-Bug-Bounty:HackerOne-\u003cusername\u003e | X-Bug-Bounty:HackerOne-Warrior |\n\nWhen testing for a bug, please also keep in mind:\nMinimize the mayhem. Adhere to program rules at all times. Do not use automated scanners/tools; these tools include payloads that could trigger state changes or damage production systems and/or data.\n\n# Go to the links below to start a free trial of the Freshworks suite of products\n- Freshdesk Omnichannel Suite - https://freshdesk.com/omnichannel-signup\n- Freshdesk Support Desk - https://freshdesk.com/signup\n- Freshdesk Contact Center - https://www.freshworks.com/freshcaller-cloud-pbx/signup/\n- Freshchat - https://www.freshworks.com/live-chat-software/signup/\n- Freshservice - https://freshservice.com/signup\n- Freshsales Suite - https://www.freshworks.com/crm/signup/?plan_id=suite\n- Freshsales - https://www.freshworks.com/crm/signup\n- Freshmarketer - https://www.freshworks.com/crm/marketing/signup/\n\n# Freshservice Discovery Agent and Probe\n- Discovery Agent - Collects the machine’s hardware and software information and updates the Freshservice account regularly without needing further intervention from the respective user(s)\n- Discovery Probe - Automatically scans and identifies any assets in your network through a domain or IP range scan. 
Once the assets are identified the first time, they are updated periodically in the Freshservice account on a schedule that you control.\n\nRefer to the following article for more information: https://support.freshservice.com/en/support/solutions/articles/223633-discovering-and-managing-it-assets-with-freshservice-discovery-beginner-s-guide\n\n# Our Business Suites Overview\nThis section describes our product suites and their respective user roles. Access control vulnerabilities will be assessed against this behaviour, and issues affecting \"Cross Accounts / Organization\" will take precedence.\n\n**Customer Service Products - Freshdesk / Freshchat / Freshcaller**\n\nUsers of these suites are classified as _Requesters_ and _Agents_, where _Requesters_ are public users and _Agents_ are support executives/employees of an organization.\n\nVulnerabilities affecting Agent users from a Requester's viewpoint will be considered more impactful than those exploitable only among Agents.\n\n**IT Service Products - Freshservice\nCRM Products - Freshsales / Freshmarketer**\n\nThese products are classified as _Internal_ applications within an organisation. Hence, their users are likely to be employees of that organization, so successful exploitation of any vulnerability requires the attacker to be part of the organisation / internal system.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Freshworks and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-05-03T14:15:37.701Z"},{"id":3724819,"new_policy":"# Freshworks Bug Bounty Program\nFreshworks is committed to protecting customer data with the highest priority. We genuinely value the contribution of security researchers in supporting the organization's security posture. Thus, we encourage them to participate in the Freshworks Bug Bounty program and help us achieve our objective of providing a secure computing experience to our customers.\n\n# Response Targets\nIf you identify a security vulnerability in compliance with this policy, we will use reasonable efforts to:\n- Acknowledge the report within 2 days of submission\n- Triage the reported vulnerability based on the volume of tickets within a maximum period of 7 business days\n- Fix the vulnerability in accordance with our commitments to security and privacy.\n- Time to Resolution depends on severity and complexity\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Guidelines\n\n* Do not attempt to compromise the confidentiality, integrity, and availability of our services/customer data or circumvent our privacy protections.\n* Do not publicly disclose a bug either before or after it has been fixed. Do not upload information about the vulnerability on any site. 
This includes your restriction to upload posts, videos on YouTube, Vimeo, Twitter, etc., even if marked private.\n* Do not attempt to gain access to customer accounts or data.\n* Do not run automated scanners or any attack that could harm the reliability/integrity of our services or data. \n* Do not take a reverse shell. If you happen to find an RCE, please execute only harmless commands such as \"whoami\",\"id\" or \"hostname\". Taking a reverse shell will violate the program policy and  unnecessarily trigger a security incident analysis by the Freshworks CIRT team. \n* Do not exploit the SQL Injection vulnerability by running SQLmap or any other automated SQLi exploitation tool. Use harmless commands such as \"sleep(5), DB version(), etc\". If you suspect the presence of the SQL Injection vulnerability, please report it. We will validate it from our side. \n* Do not use the exfiltrated EC2 metadata secrets to access the AWS resources if you find an SSRF. We will validate the impact from our side. \n* Use \"document.domain\" for XSS report submission. Only the domains mentioned in the \"In-scope\" section will be considered.\n* DOS/DDOS/Spam attacks are not allowed.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* Freshworks current and former employees and contractors, as well as their family members, are strictly prohibited from participating in the Program, or sharing information with an external security researcher to bypass this prohibition.\n* No breaching of any NDA, employee, customer or contractor agreements.\n* No leveraging of customer accounts, interacting with real customers or customer’s public websites is forbidden\n* Do not store, share, compromise or destroy any Freshworks or customer data while conducting research activities. 
If personally identifiable information (PII) is encountered, you are required to stop and immediately notify us.\n* Use specific test accounts only.\n\n# Disclosure Policy\n• We do not allow public disclosure. This means disclosure to anyone, including but not limited to private \"hacker\" websites and forums, social media platforms, and blogs.\n• Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Reporting\nPlease submit your report on HackerOne in the format given below. Do not disclose any details about the suspected security vulnerability in any public forum without prior written consent from us. Any deviation from the format below will not be eligible for our bug bounty program:\n\n* Vulnerability category\n* Affected endpoint and parameter\n* A detailed description of the vulnerability\n* Detailed steps to reproduce and video POC\n* Exploitable scenario\n* Mitigation of vulnerability\n\n# Non-Qualifying Criteria Vulnerabilities / Known Issues\n- HTML injection, hyperlink injection, Self-XSS \u0026 XSS without any impact\n- XSS execution in the context of the AWS S3 bucket.\n- Host header and banner grabbing issues\n- Automated tool scan reports. Example: web, SSL/TLS scan, Nmap scan results, etc.\n- Missing HTTP security headers and cookie flags on insensitive cookies\n- Rate limiting, brute force attack\n- Race conditions without security impact.\n- DNS IP ping-back request / Private IP disclosure\n- Homograph attack\n- Login/logout CSRF\n- Session related issues\n- Email spoofing\n- Unrestricted file upload\n- Open redirections, unless you can chain the open redirection to XSS, token theft, or any other bug with security impact.\n- Disclosure of AWS S3 presigned URL. This is not a security vulnerability. 
\n- Information disclosures in \"/.well-known/\" folder path locations unless sensitive.\n- Vulnerabilities affecting the Freshworks sandboxed environment.\n- Formula/CSV injection, broken link hijacking\n- Vulnerabilities that require physical access to the victim's machine.\n- User enumeration (user email, user ID, etc.)\n- Phishing / Spam (including issues related to SPF/DKIM/DMARC). Missing email best practices (invalid, incomplete, or missing SPF/DKIM/DMARC/CAA records, etc.)\n- Vulnerabilities found in third-party services\n- EXIF data not stripped from images\n- Any activity that could lead to the disruption of our service (DoS)\n- Able to retrieve a user's public information\n- Tabnabbing\n- CSP weaknesses\n- Use of a known-vulnerable library (without evidence of exploitability)\n- Information exposure from public sources\n- Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n- Password token not expired / Password token leaking to 3rd-party sites / Weak password policy / Password best practices\n- No password length limit or long password allowed upon sign-up / Password re-use\n- Concurrent sessions / Number of parallel sessions\n- Best practice concerns\n- Any vulnerabilities requiring significant and unlikely interaction by the victim, such as disabling browser controls\n- Exposed login panels without an accompanying proof-of-concept demonstrating a vulnerability or path of exploitation\n- Dangling IP takeover\n- Clickjacking without significant security impact\n- Subdomain takeovers\n- Vulnerabilities identified in Freshworks acquired products / services\n- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n- Reports on third-party products, services, or applications not owned by Freshworks\n- Able to create support tickets using known email IDs (this is our product's intended behaviour)\n\n# Out of Scope bugs for Android and iOS apps\n- Any URIs leaked because a malicious app has permission to view opened URIs\n- Sensitive data in URLs/request bodies when protected by TLS\n- Path disclosure in the binary\n- Lack of obfuscation and binary protection\n- Lack of exploit mitigations, i.e. PIE, ARC, or stack canaries\n- Absence of certificate pinning\n- Lack of obfuscation, jailbreak and root detection\n- Any kind of sensitive/encrypted data stored in the app's private directory\n- OAuth \u0026 app secret hard-coded/recoverable in the IPA\n- Crashes due to malformed URL schemes\n- Runtime hacking exploits using tools such as, but not limited to, Frida/Appmon (exploits only possible in a jailbroken environment \u0026 with root permission)\n- Snapshot/Pasteboard leakage\n- Shared links leaked through the system clipboard.\n- Intent or URL redirection leading to phishing\n- Third-party library 0-day\n\n## Any findings that do not show an impact to the user or product will not be accepted.\nWe will only recognize the first reporter of a valid vulnerability; duplicates will not be considered. Also, the same vulnerability occurring in multiple areas across the same or different products will be considered one vulnerability.\n\n# Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring System). Please note these are general guidelines, and reward decisions are up to the discretion of Freshworks.\nYou are responsible for paying any taxes associated with the reward. 
Submissions from countries where we are prohibited by law from making payments, such as those on the [US Sanction Lists](https://ofac.treasury.gov/sanctions-programs-and-country-information), are ineligible for rewards.\n\n# Reward Assessment Guidelines\n\nThere may be some situations in which no bounty or only a minimum bonus will be awarded. Here are a few of the most common examples:\n\n**1. Same vulnerability on different paths or hosts:**\n\nIf you believe a vulnerability may exist on a different (unique) path or host, please submit all affected paths and hosts in the same report. If you subsequently report the same vulnerability on a different path/host in a new submission, that report will be treated as a duplicate.\n\n**2. Same payload/issue, different parameter / functionality:**\n\nMultiple reports of the same vulnerability across different parameters of a resource/functionality, or demonstrations of multiple attack vectors against a single feature/functionality, will be treated as duplicates. We kindly ask you to consolidate reports rather than separate them.\n\n# In Scope\n\n- [Yourdomain].freshdesk.com\n- [Yourdomain].freshservice.com\n- [Yourdomain].freshchat.com\n- [Yourdomain].freshcaller.com\n- [Yourdomain].myfreshworks.com\n- Freshservice Discovery Agent and Probe\n\n**If you are unsure about a domain, email us at \"security[at] freshworks.com\" before spending time on it. Any findings apart from the specified scope will be considered non-qualifying bugs.**\n\n# Test Plan\n\n## Automated scanning is strictly prohibited. Failure to comply might get you banned from the program.\n\nTo participate in our program, you must:\n* Create a trial account using your HackerOne email alias \u003chackerone-username\u003e@wearehackerone.com\n* Provide your IP address in the bug report. We will keep this data private and only use it to review logs related to your testing activity.\n\nInclude a custom HTTP header in all your traffic. 
Burp and other proxies allow the easy automatic addition of headers to all outbound requests.\n\n| Identifier | Format                             | Example                        |\n|------------|------------------------------------|--------------------------------|\n| Username   | X-Bug-Bounty:HackerOne-\u003cusername\u003e | X-Bug-Bounty:HackerOne-Warrior |\n\nWhen testing for a bug, please also keep in mind:\nMinimize the mayhem. Adhere to program rules at all times. Do not use automated scanners/tools; these tools include payloads that could trigger state changes or damage production systems and/or data.\n\n# Go to the links below to start a free trial of the Freshworks suite of products\n- Freshdesk Omnichannel Suite - https://freshdesk.com/omnichannel-signup\n- Freshdesk Support Desk - https://freshdesk.com/signup\n- Freshdesk Contact Center - https://www.freshworks.com/freshcaller-cloud-pbx/signup/\n- Freshchat - https://www.freshworks.com/live-chat-software/signup/\n- Freshservice - https://freshservice.com/signup\n- Freshsales Suite - https://www.freshworks.com/crm/signup/?plan_id=suite\n- Freshsales - https://www.freshworks.com/crm/signup\n- Freshmarketer - https://www.freshworks.com/crm/marketing/signup/\n\n# Freshservice Discovery Agent and Probe\n- Discovery Agent - Collects the machine’s hardware and software information and updates the Freshservice account regularly without needing further intervention from the respective user(s)\n- Discovery Probe - Automatically scans and identifies any assets in your network through a domain or IP range scan. 
Once the assets are identified the first time, they are updated periodically in the Freshservice account on a schedule that you control.\n\nRefer to the following article for more information: https://support.freshservice.com/en/support/solutions/articles/223633-discovering-and-managing-it-assets-with-freshservice-discovery-beginner-s-guide\n\n# Our Business Suites Overview\nThis section describes our product suites and their respective user roles. Access control vulnerabilities will be assessed against this behaviour, and issues affecting \"Cross Accounts / Organization\" will take precedence.\n\n**Customer Service Products - Freshdesk / Freshchat / Freshcaller**\n\nUsers of these suites are classified as _Requesters_ and _Agents_, where _Requesters_ are public users and _Agents_ are support executives/employees of an organization.\n\nVulnerabilities affecting Agent users from a Requester's viewpoint will be considered more impactful than those exploitable only among Agents.\n\n**IT Service Products - Freshservice\nCRM Products - Freshsales / Freshmarketer**\n\nThese products are classified as _Internal_ applications within an organisation. Hence, their users are likely to be employees of that organization, so successful exploitation of any vulnerability requires the attacker to be part of the organisation / internal system.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Freshworks and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-05-03T09:19:28.188Z"},{"id":3723583,"new_policy":"# Freshworks Bug Bounty Program\nFreshworks is committed to protecting customer data with the highest priority. We genuinely value the contribution of security researchers in supporting the organization's security posture. Thus, we encourage them to participate in the Freshworks Bug Bounty program and help us achieve our objective of providing a secure computing experience to our customers.\n\n# Response Targets\nIf you identify a security vulnerability in compliance with this policy, we will use reasonable efforts to:\n- Acknowledge the report within 2 days of submission\n- Triage the reported vulnerability based on the volume of tickets within a maximum period of 7 business days\n- Fix the vulnerability in accordance with our commitments to security and privacy.\n- Time to Resolution depends on severity and complexity\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Guidelines\n\n* Do not attempt to compromise the confidentiality, integrity, and availability of our services/customer data or circumvent our privacy protections.\n* Do not publicly disclose a bug either before or after it has been fixed. Do not upload information about the vulnerability on any site. 
This includes your restriction to upload posts, videos on YouTube, Vimeo, Twitter, etc., even if marked private.\n* Do not attempt to gain access to customer accounts or data.\n* Do not run automated scanners or any attack that could harm the reliability/integrity of our services or data. \n* Do not take a reverse shell. If you happen to find an RCE, please execute only harmless commands such as \"whoami\",\"id\" or \"hostname\". Taking a reverse shell will violate the program policy and  unnecessarily trigger a security incident analysis by the Freshworks CIRT team. \n* Do not exploit the SQL Injection vulnerability by running SQLmap or any other automated SQLi exploitation tool. Use harmless commands such as \"sleep(5), DB version(), etc\". If you suspect the presence of the SQL Injection vulnerability, please report it. We will validate it from our side. \n* Do not use the exfiltrated EC2 metadata secrets to access the AWS resources if you find an SSRF. We will validate the impact from our side. \n* Use \"document.domain\" for XSS report submission. Only the domains mentioned in the \"In-scope\" section will be considered.\n* DOS/DDOS/Spam attacks are not allowed.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* Freshworks current and former employees and contractors, as well as their family members, are strictly prohibited from participating in the Program, or sharing information with an external security researcher to bypass this prohibition.\n* No breaching of any NDA, employee, customer or contractor agreements.\n* No leveraging of customer accounts, interacting with real customers or customer’s public websites is forbidden\n* Do not store, share, compromise or destroy any Freshworks or customer data while conducting research activities. 
If personally identifiable information (PII) is encountered, you are required to stop and immediately notify us.\n* Use specific test accounts only.\n\n# Disclosure Policy\n• We do not allow public disclosure. This means disclosure to anyone, including but not limited to private \"hacker\" websites and forums, social media platforms, and blogs.\n• Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Reporting\nPlease submit your report on HackerOne in the format given below. Do not disclose any details about the suspected security vulnerability in any public forum without prior written consent from us. Any deviation from the format below will not be eligible for our bug bounty program:\n\n* Vulnerability category\n* Affected endpoint and parameter\n* A detailed description of the vulnerability\n* Detailed steps to reproduce and video POC\n* Exploitable scenario\n* Mitigation of vulnerability\n\n# Non-Qualifying Criteria Vulnerabilities / Known Issues\n- HTML injection, hyperlink injection, Self-XSS \u0026 XSS without any impact\n- XSS execution in the context of the AWS S3 bucket.\n- Host header and banner grabbing issues\n- Automated tool scan reports. Example: web, SSL/TLS scan, Nmap scan results, etc.\n- Missing HTTP security headers and cookie flags on insensitive cookies\n- Rate limiting, brute force attack\n- Race conditions without security impact.\n- DNS IP ping-back request / Private IP disclosure\n- Homograph attack\n- Login/logout CSRF\n- Session related issues\n- Email spoofing\n- Unrestricted file upload\n- Open redirections, unless you can chain the open redirection to XSS, token theft, or any other bug with security impact.\n- Disclosure of AWS S3 presigned URL. This is not a security vulnerability. 
\n- Information disclosures in \"/.well-known/\" folder path locations unless sensitive.\n- Vulnerabilities affecting the Freshworks sandboxed environment.\n- Formula/CSV injection, broken link hijacking\n- Vulnerabilities that require physical access to the victim's machine.\n- User enumeration (user email, user ID, etc.)\n- Phishing / Spam (including issues related to SPF/DKIM/DMARC). Missing email best practices (invalid, incomplete, or missing SPF/DKIM/DMARC/CAA records, etc.)\n- Vulnerabilities found in third-party services\n- EXIF data not stripped from images\n- Any activity that could lead to the disruption of our service (DoS)\n- Able to retrieve a user's public information\n- Tabnabbing\n- CSP weaknesses\n- Use of a known-vulnerable library (without evidence of exploitability)\n- Information exposure from public sources\n- Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n- Password token not expired / Password token leaking to 3rd-party sites / Weak password policy / Password best practices\n- No password length limit or long password allowed upon sign-up / Password re-use\n- Concurrent sessions / Number of parallel sessions\n- Best practice concerns\n- Any vulnerabilities requiring significant and unlikely interaction by the victim, such as disabling browser controls\n- Exposed login panels without an accompanying proof-of-concept demonstrating a vulnerability or path of exploitation\n- Dangling IP takeover\n- Clickjacking without significant security impact\n- Subdomain takeovers\n- Vulnerabilities identified in Freshworks acquired products / services\n- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n- Reports on third-party products, services, or applications not owned by Freshworks\n- Able to create support tickets using known email IDs (this is our product's intended behaviour)\n- All mobile app (Android and iOS) related vulnerabilities are explicitly out of scope.\n\n## Any findings that do not show an impact to the user or product will not be accepted.\nWe will only recognize the first reporter of a valid vulnerability; duplicates will not be considered. Also, the same vulnerability occurring in multiple areas across the same or different products will be considered one vulnerability.\n\n# Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring System). Please note these are general guidelines, and reward decisions are up to the discretion of Freshworks.\nYou are responsible for paying any taxes associated with the reward. Submissions from countries where we are prohibited by law from making payments, such as those on the [US Sanction Lists](https://ofac.treasury.gov/sanctions-programs-and-country-information), are ineligible for rewards.\n\n# Reward Assessment Guidelines\n\nThere may be some situations in which no bounty or only a minimum bonus will be awarded. Here are a few of the most common examples:\n\n**1. Same vulnerability on different paths or hosts:**\n\nIf you believe a vulnerability may exist on a different (unique) path or host, please submit all affected paths and hosts in the same report. If you subsequently report the same vulnerability on a different path/host in a new submission, that report will be treated as a duplicate.\n\n**2. Same payload/issue, different parameter / functionality:**\n\nMultiple reports of the same vulnerability across different parameters of a resource/functionality, or demonstrations of multiple attack vectors against a single feature/functionality, will be treated as duplicates. 
We kindly ask you to consolidate reports rather than separate them.\n\n# In Scope\n\n- [Yourdomain].freshdesk.com\n- [Yourdomain].freshservice.com\n- [Yourdomain].freshchat.com\n- [Yourdomain].freshcaller.com\n- [Yourdomain].myfreshworks.com\n- Freshservice Discovery Agent and Probe\n\n**If you are unsure about a domain, email us at \"security[at] freshworks.com\" before spending time on it. Any findings apart from the specified scope will be considered non-qualifying bugs.**\n\n# Test Plan\n\n## Automated scanning is strictly prohibited. Failure to comply might get you banned from the program.\n\nTo participate in our program, you must:\n* Create a trial account using your HackerOne email alias \u003chackerone-username\u003e@wearehackerone.com\n* Provide your IP address in the bug report. We will keep this data private and only use it to review logs related to your testing activity.\n\nInclude a custom HTTP header in all your traffic. Burp and other proxies allow the easy automatic addition of headers to all outbound requests.\n\n| Identifier | Format                             | Example                        |\n|------------|------------------------------------|--------------------------------|\n| Username   | X-Bug-Bounty:HackerOne-\u003cusername\u003e | X-Bug-Bounty:HackerOne-Warrior |\n\nWhen testing for a bug, please also keep in mind:\nMinimize the mayhem. Adhere to program rules at all times. 
Do not use automated scanners/tools; these tools include payloads that could trigger state changes or damage production systems and/or data.\n\n# Go to the links below to start a free trial of the Freshworks suite of products\n- Freshdesk Omnichannel Suite - https://freshdesk.com/omnichannel-signup\n- Freshdesk Support Desk - https://freshdesk.com/signup\n- Freshdesk Contact Center - https://www.freshworks.com/freshcaller-cloud-pbx/signup/\n- Freshchat - https://www.freshworks.com/live-chat-software/signup/\n- Freshservice - https://freshservice.com/signup\n- Freshsales Suite - https://www.freshworks.com/crm/signup/?plan_id=suite\n- Freshsales - https://www.freshworks.com/crm/signup\n- Freshmarketer - https://www.freshworks.com/crm/marketing/signup/\n\n# Freshservice Discovery Agent and Probe\n- Discovery Agent - Collects the machine’s hardware and software information and updates the Freshservice account regularly without needing further intervention from the respective user(s)\n- Discovery Probe - Automatically scans and identifies any assets in your network through a domain or IP range scan. Once the assets are identified the first time, they are updated periodically in the Freshservice account on a schedule that you control.\n\nRefer to the following article for more information: https://support.freshservice.com/en/support/solutions/articles/223633-discovering-and-managing-it-assets-with-freshservice-discovery-beginner-s-guide\n\n# Our Business Suites Overview\nThis section describes our product suites and their respective user roles. 
Access-control vulnerabilities will be assessed against these roles, and issues that cross account or organization boundaries will take precedence.\n\n**Customer Service Products - Freshdesk / Freshchat / Freshcaller**\n\nUsers of these suites are classified as _Requesters_ and _Agents_, where _Requesters_ are public users and _Agents_ are support executives/employees of an organization.\n\nVulnerabilities that allow a requester to affect agent users will be considered more impactful than those involving only agents.\n\n**IT Service Products - Freshservice\nCRM Products - Freshsales / Freshmarketer**\n\nThese products are classified as _internal_ applications within an organisation, so their users are expected to be employees of that organization. Successful exploitation of any vulnerability therefore requires the attacker to already be part of the organisation or its internal systems.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Freshworks and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-04-16T13:24:23.269Z"},{"id":3723580,"new_policy":"# Latest Updates - Freshworks Microblog\n*In this microblog we will keep you updated on the latest changes/additions to our bounty program. 
For a detailed scope, please see the bottom of our policy page.*\n\n**20 April 2023** - We added our business suites overview\n\n**15 March 2023** - Updates to the policy page\n- Vulnerability Severity Range\n- Reward Assessment Guidelines\n\n**27 October 2022** - We have added the Product Updates / Feature Releases pages for products covered under the program scope.\n    - [Freshdesk Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshdesk%20Support%20Desk)\n    - [Freshservice Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshservice)\n    - [Freshchat Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshchat)\n    - [Freshcaller Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshdesk%20Contact%20Center)\n    - [Freshmarketer Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshmarketer)\n    - [Freshsales Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshsales)\n\n\n# Freshworks Bug Bounty Program\nFreshworks is committed to the protection of customer data and treats it with the highest priority. We genuinely value the contribution of security researchers in helping organizations improve their security posture. 
Thus, we encourage them to participate in the Freshworks Bug Bounty program and support us in our objective of providing a secure computing experience to our customers.\nHappy hacking!\n\n# Response Targets\n\nIf you identify a security vulnerability in compliance with this policy, we will use reasonable efforts to:\n- Acknowledge the report within 2 days of submission\n- Triage the reported vulnerability within a maximum of 7 business days, depending on ticket volume\n- Fix the vulnerability in accordance with our commitments to security and privacy\n- Resolve the issue in a time frame that depends on its severity and complexity\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Guidelines\n\n* Do not attempt to compromise the confidentiality, integrity, and availability of our services/customer data or circumvent our privacy protections.\n* Do not publicly disclose a bug either before or after it has been fixed. For clarity, public disclosure means disclosure to anyone, including but not limited to private \"hacker\" websites and forums, social media platforms, blogs, or any other channel.\n* Do not upload information about the vulnerability to any site. This includes posts and videos on YouTube, Vimeo, Twitter, etc., even if marked private.\n* Do not attempt to gain access to customer accounts or data.\n* Do not run automated scanners.\n* Do not perform any attack that could harm the reliability/integrity of our services or data.\n* Do not spawn a reverse shell. If you find an RCE, execute only harmless commands such as \"whoami\", \"id\" or \"hostname\". Spawning a reverse shell violates the program policy and unnecessarily triggers a security incident analysis by the Freshworks CIRT team.\n* Do not exploit a SQL injection vulnerability with SQLmap or any other automated SQLi exploitation tool. Use harmless proof payloads such as \"sleep(5)\" or a query for the database version (e.g. \"version()\"). 
If you suspect a SQL injection vulnerability, report it and we will validate it on our side.\n* If you find an SSRF that reaches the EC2 instance metadata service, do not use any credentials obtained from it to access AWS resources. We will validate the impact on our side.\n* For XSS reports, use a payload that shows the origin, such as alert(document.domain), rather than a generic alert(1). Only the domains listed in the \"In Scope\" section will be considered.\n* DoS/DDoS/spam attacks are not allowed.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* Current and former Freshworks employees and contractors, as well as their family members, are strictly prohibited from participating in the Program and from sharing information with an external security researcher to bypass this prohibition.\n* Do not breach any NDA, employee, customer or contractor agreements.\n* Do not leverage customer accounts, interact with real customers, or test customers' public websites.\n* Do not store, share, compromise or destroy any Freshworks or customer data while conducting research activities. If personally identifiable information (PII) is encountered, you are required to stop and immediately notify us.\n* Use dedicated test accounts only.\n\n# Disclosure Policy\n• Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program.\n• Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Reporting\n\nPlease submit your report on HackerOne in the format below. Do not disclose any details about the suspected security vulnerability in any public forum without prior written consent from us. 
Any deviation from the below format will not be eligible for our bug bounty program:\n\n* Vulnerability category\n* Affected endpoint and parameter\n* A detailed description of the vulnerability\n* Detailed steps to reproduce and a video PoC\n* Exploitable scenario\n* Mitigation of the vulnerability\n\n\n# Non-Qualifying Vulnerabilities / Known Issues\n- HTML injection, hyperlink injection, self-XSS and XSS without demonstrable impact\n- XSS executing in the context of an AWS S3 bucket\n- Host header and banner grabbing issues\n- Automated tool scan reports (e.g. web, SSL/TLS or Nmap scan results)\n- Missing HTTP security headers and missing cookie flags on non-sensitive cookies\n- Missing rate limiting / brute-force attacks\n- Race conditions without security impact\n- DNS/IP ping-back requests / private IP disclosure\n- Homograph attacks\n- Login/logout CSRF\n- Session-related issues\n- Email spoofing\n- Unrestricted file upload\n- Open redirects, unless you can chain the open redirect to XSS, token theft, or another bug with security impact\n- Disclosure of AWS S3 presigned URLs (not considered a security vulnerability)\n- Information disclosure under \"/.well-known/\" paths unless the information is sensitive\n- Vulnerabilities affecting Freshworks sandboxed environments\n- Formula/CSV injection\n- Broken link hijacking\n- Vulnerabilities that require physical access to the victim's machine\n- User enumeration such as user email, user ID, etc.\n- Phishing / spam (including issues related to SPF/DKIM/DMARC). 
Missing email best practices (invalid, incomplete, or missing SPF/DKIM/DMARC/CAA records, etc.)\n- Vulnerabilities found in third-party services\n- EXIF data not stripped from images\n- Any activity that could lead to the disruption of our service (DoS)\n- Ability to retrieve a user's public information\n- Tabnabbing\n- CSP weaknesses\n- Use of a known-vulnerable library (without evidence of exploitability)\n- Information exposure from public sources\n- Vulnerabilities only affecting users of outdated or unpatched browsers (more than 2 stable versions behind the latest stable release)\n- Password token not expiring / password token leaking to third-party sites / weak password policy / password best practices\n- No password length limit or long passwords accepted at sign-up / password re-use\n- Concurrent sessions / number of parallel sessions\n- Best-practice concerns\n- Any vulnerability requiring significant and unlikely interaction by the victim, such as disabling browser controls\n- Exposed login panels without an accompanying proof of concept demonstrating a vulnerability or path of exploitation\n- Dangling IP takeover\n- Clickjacking\n- Subdomain takeovers\n- Zero-day vulnerabilities disclosed within the last 30 days\n- Vulnerabilities identified in Freshworks acquired products / services\n- Software version disclosure / banner identification issues / descriptive error messages or headers (e.g. stack traces, application or server errors)\n- Reports on third-party products, services, or applications not owned by Freshworks\n- **Ability to create support tickets using known email IDs (this is our product's intended behaviour)**\n- **All mobile app (Android and iOS) related vulnerabilities are explicitly out of scope.**\n\n## Any findings that do not show an impact to the user or product will not be accepted.\nWe will only recognize the first reporter of a valid vulnerability; duplicates will not be considered. 
The same vulnerability occurring in multiple areas of the same or different products will be treated as one vulnerability.\n\n# Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring System). Please note these are general guidelines, and reward decisions are at the discretion of Freshworks.\nYou are responsible for paying any taxes associated with the reward. Submissions from countries where we are prohibited by law from making payments, such as those on the [US Sanctions Lists](https://ofac.treasury.gov/sanctions-programs-and-country-information), are ineligible for rewards.\n\n# Reward Assessment Guidelines\n\nThere are situations in which no bounty, or only a minimum bounty, will be awarded. Here are a few of the most common examples:\n\n**1. Same vulnerability on different paths or hosts:**\n\nIf you believe a vulnerability may exist on a different (unique) path or host, please submit all affected paths and hosts in the same report. If you subsequently report the same vulnerability on a different path/host in a new submission, that report will be treated as a duplicate.\n\n**2. Same payload/issue, different parameter/functionality:**\nMultiple reports of the same vulnerability across different parameters of a resource/functionality, or demonstrations of multiple attack vectors against a single feature/functionality, will be treated as duplicates. We kindly ask you to consolidate reports rather than separate them.\n\n# In Scope\n\n- [yourdomain].freshdesk.com\n- [yourdomain].freshservice.com\n- [yourdomain].freshchat.com\n- [yourdomain].freshcaller.com\n- [yourdomain].myfreshworks.com\n- Freshservice Discovery Agent and Probe\n\n**If you are unsure about a domain, email us at \"security[at]freshworks.com\" before spending time on it. 
Any findings outside the specified scope will be considered non-qualifying.**\n\n# Test Plan\n\n## Automated scanning is strictly prohibited. Failure to comply may get you banned from the program.\n\nTo participate in our program, you must:\n* Create a trial account using your HackerOne email alias\n\u003chackerone-username\u003e@wearehackerone.com\n* Provide your IP address in the bug report. We will keep this data private and only use it to review logs related to your testing activity.\n\nInclude a custom HTTP header in all your traffic so that your requests can be attributed to you in our logs. Burp Suite and other proxies can automatically add a header to every outbound request (for example, with a match-and-replace rule).\n\n| Identifier | Format                               | Example                         |\n|------------|--------------------------------------|---------------------------------|\n| Username   | X-Bug-Bounty: HackerOne-\u003cusername\u003e | X-Bug-Bounty: HackerOne-Warrior |\n\n\nWhen testing for a bug, please also keep in mind:\nMinimize the mayhem. Adhere to program rules at all times. 
Do not use automated scanners or tools: they send payloads that could trigger state changes or damage production systems and/or data.\n\n\n# Use the links below to start a free trial of the Freshworks suite of products\n- Freshdesk Omnichannel Suite - https://freshdesk.com/omnichannel-signup\n- Freshdesk Support Desk - https://freshdesk.com/signup\n- Freshdesk Contact Center - https://www.freshworks.com/freshcaller-cloud-pbx/signup/\n- Freshchat - https://www.freshworks.com/live-chat-software/signup/\n- Freshservice - https://freshservice.com/signup\n- Freshsales Suite - https://www.freshworks.com/crm/signup/?plan_id=suite\n- Freshsales - https://www.freshworks.com/crm/signup\n- Freshmarketer - https://www.freshworks.com/crm/marketing/signup/\n\n# Freshservice Discovery Agent and Probe\n- Discovery Agent - Collects the machine’s hardware and software information and updates the Freshservice account regularly without further intervention from the respective user(s)\n- Discovery Probe - Automatically scans and identifies assets in your network through a domain or IP-range scan. Once the assets have been identified the first time, they are updated periodically in the Freshservice account on a schedule that you control.\n\nRefer to the following article for more information: https://support.freshservice.com/en/support/solutions/articles/223633-discovering-and-managing-it-assets-with-freshservice-discovery-beginner-s-guide\n\n# Our Business Suites Overview\nThis section describes the product suites and their respective user roles. 
Access-control vulnerabilities will be assessed against these roles, and issues that cross account or organization boundaries will take precedence.\n\n**Customer Service Products - Freshdesk / Freshchat / Freshcaller**\n\nUsers of these suites are classified as _Requesters_ and _Agents_, where _Requesters_ are public users and _Agents_ are support executives/employees of an organization.\n\nVulnerabilities that allow a requester to affect agent users will be considered more impactful than those involving only agents.\n\n**IT Service Products - Freshservice\nCRM Products - Freshsales / Freshmarketer**\n\nThese products are classified as _internal_ applications within an organisation, so their users are expected to be employees of that organization. Successful exploitation of any vulnerability therefore requires the attacker to already be part of the organisation or its internal systems.\n\n\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Freshworks and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-04-16T13:04:31.199Z"},{"id":3723579,"new_policy":"# Latest Updates - Freshworks Microblog\n*In this microblog we will keep you updated on the latest changes/additions to our bounty program. 
For a detailed scope, please see the bottom of our policy page.*\n\n**20 April 2023** - We added our business suites overview\n\n**15 March 2023** - Updates to the policy page\n- Vulnerability Severity Range\n- Reward Assessment Guidelines\n\n**27 October 2022** - We have added the Product Updates / Feature Releases pages for products covered under the program scope.\n    - [Freshdesk Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshdesk%20Support%20Desk)\n    - [Freshservice Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshservice)\n    - [Freshchat Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshchat)\n    - [Freshcaller Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshdesk%20Contact%20Center)\n    - [Freshmarketer Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshmarketer)\n    - [Freshsales Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshsales)\n\n\n# Freshworks Bug Bounty Program\nFreshworks is committed to the protection of customer data and treats it with the highest priority. We genuinely value the contribution of security researchers in helping organizations improve their security posture. 
Thus, we encourage them to participate in the Freshworks Bug Bounty program and support us in our objective of providing a secure computing experience to our customers.\nHappy hacking!\n\n# Response Targets\n\nIf you identify a security vulnerability in compliance with this policy, we will use reasonable efforts to:\n- Acknowledge the report within 2 days of submission\n- Triage the reported vulnerability within a maximum of 7 business days, depending on ticket volume\n- Fix the vulnerability in accordance with our commitments to security and privacy\n- Resolve the issue in a time frame that depends on its severity and complexity\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Guidelines\n\n* Do not attempt to compromise the confidentiality, integrity, and availability of our services/customer data or circumvent our privacy protections.\n* Do not publicly disclose a bug either before or after it has been fixed. For clarity, public disclosure means disclosure to anyone, including but not limited to private \"hacker\" websites and forums, social media platforms, blogs, or any other channel.\n* Do not upload information about the vulnerability to any site. This includes posts and videos on YouTube, Vimeo, Twitter, etc., even if marked private.\n* Do not attempt to gain access to customer accounts or data.\n* Do not run automated scanners.\n* Do not perform any attack that could harm the reliability/integrity of our services or data.\n* Do not spawn a reverse shell. If you find an RCE, execute only harmless commands such as \"whoami\", \"id\" or \"hostname\". Spawning a reverse shell violates the program policy and unnecessarily triggers a security incident analysis by the Freshworks CIRT team.\n* Do not exploit a SQL injection vulnerability with SQLmap or any other automated SQLi exploitation tool. Use harmless proof payloads such as \"sleep(5)\" or a query for the database version (e.g. \"version()\"). 
If you suspect a SQL injection vulnerability, report it and we will validate it on our side.\n* If you find an SSRF that reaches the EC2 instance metadata service, do not use any credentials obtained from it to access AWS resources. We will validate the impact on our side.\n* For XSS reports, use a payload that shows the origin, such as alert(document.domain), rather than a generic alert(1). Only the domains listed in the \"In Scope\" section will be considered.\n* DoS/DDoS/spam attacks are not allowed.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* Current and former Freshworks employees and contractors, as well as their family members, are strictly prohibited from participating in the Program and from sharing information with an external security researcher to bypass this prohibition.\n* Do not breach any NDA, employee, customer or contractor agreements.\n* Do not leverage customer accounts, interact with real customers, or test customers' public websites.\n* Do not store, share, compromise or destroy any Freshworks or customer data while conducting research activities. If personally identifiable information (PII) is encountered, you are required to stop and immediately notify us.\n* Use dedicated test accounts only.\n\n# Disclosure Policy\n• Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program.\n• Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Reporting\n\nPlease submit your report on HackerOne in the format below. Do not disclose any details about the suspected security vulnerability in any public forum without prior written consent from us. 
Any deviation from the below format will not be eligible for our bug bounty program:\n\n* Vulnerability category\n* Affected endpoint and parameter\n* A detailed description of the vulnerability\n* Detailed steps to reproduce and a video PoC\n* Exploitable scenario\n* Mitigation of the vulnerability\n\n\n# Non-Qualifying Vulnerabilities / Known Issues\n- HTML injection, hyperlink injection, self-XSS and XSS without demonstrable impact\n- XSS executing in the context of an AWS S3 bucket\n- Host header and banner grabbing issues\n- Automated tool scan reports (e.g. web, SSL/TLS or Nmap scan results)\n- Missing HTTP security headers and missing cookie flags on non-sensitive cookies\n- Missing rate limiting / brute-force attacks\n- Race conditions without security impact\n- DNS/IP ping-back requests / private IP disclosure\n- Homograph attacks\n- Login/logout CSRF\n- Session-related issues\n- Email spoofing\n- Unrestricted file upload\n- Open redirects, unless you can chain the open redirect to XSS, token theft, or another bug with security impact\n- Disclosure of AWS S3 presigned URLs (not considered a security vulnerability)\n- Information disclosure under \"/.well-known/\" paths unless the information is sensitive\n- Vulnerabilities affecting Freshworks sandboxed environments\n- Formula/CSV injection\n- Broken link hijacking\n- Vulnerabilities that require physical access to the victim's machine\n- User enumeration such as user email, user ID, etc.\n- Phishing / spam (including issues related to SPF/DKIM/DMARC). 
Missing email best practices (invalid, incomplete, or missing SPF/DKIM/DMARC/CAA records, etc.)\n- Vulnerabilities found in third-party services\n- EXIF data not stripped from images\n- Any activity that could lead to the disruption of our service (DoS)\n- Ability to retrieve a user's public information\n- Tabnabbing\n- CSP weaknesses\n- Use of a known-vulnerable library (without evidence of exploitability)\n- Information exposure from public sources\n- Vulnerabilities only affecting users of outdated or unpatched browsers (more than 2 stable versions behind the latest stable release)\n- Password token not expiring / password token leaking to third-party sites / weak password policy / password best practices\n- No password length limit or long passwords accepted at sign-up / password re-use\n- Concurrent sessions / number of parallel sessions\n- Best-practice concerns\n- Any vulnerability requiring significant and unlikely interaction by the victim, such as disabling browser controls\n- Exposed login panels without an accompanying proof of concept demonstrating a vulnerability or path of exploitation\n- Dangling IP takeover\n- Clickjacking\n- Subdomain takeovers\n- Zero-day vulnerabilities disclosed within the last 30 days\n- Vulnerabilities identified in Freshworks acquired products / services\n- Software version disclosure / banner identification issues / descriptive error messages or headers (e.g. stack traces, application or server errors)\n- Reports on third-party products, services, or applications not owned by Freshworks\n- **Ability to create support tickets using known email IDs (this is our product's intended behaviour)**\n- **All mobile app (Android and iOS) related vulnerabilities are explicitly out of scope.**\n\n## Any findings that do not show an impact to the user or product will not be accepted.\nWe will only recognize the first reporter of a valid vulnerability; duplicates will not be considered. 
The same vulnerability occurring in multiple areas of the same or different products will be treated as one vulnerability.\n\n# Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring System). Please note these are general guidelines, and reward decisions are at the discretion of Freshworks.\nYou are responsible for paying any taxes associated with the reward. Submissions from countries where we are prohibited by law from making payments, such as those on the [US Sanctions Lists](https://ofac.treasury.gov/sanctions-programs-and-country-information), are ineligible for rewards.\n\n# Reward Assessment Guidelines\n\nThere are situations in which no bounty, or only a minimum bounty, will be awarded. Here are a few of the most common examples:\n\n**1. Same vulnerability on different paths or hosts:**\n\nIf you believe a vulnerability may exist on a different (unique) path or host, please submit all affected paths and hosts in the same report. If you subsequently report the same vulnerability on a different path/host in a new submission, that report will be treated as a duplicate.\n\n**2. Same payload/issue, different parameter/functionality:**\nMultiple reports of the same vulnerability across different parameters of a resource/functionality, or demonstrations of multiple attack vectors against a single feature/functionality, will be treated as duplicates. We kindly ask you to consolidate reports rather than separate them.\n\n# In Scope\n\n- [yourdomain].freshdesk.com\n- [yourdomain].freshservice.com\n- [yourdomain].freshchat.com\n- [yourdomain].freshcaller.com\n- [yourdomain].myfreshworks.com\n- Freshservice Discovery Agent and Probe\n\n**If you are unsure about a domain, email us at \"security[at]freshworks.com\" before spending time on it. 
Any findings outside the specified scope will be considered non-qualifying.**\n\n# Test Plan\n\n## Automated scanning is strictly prohibited. Failure to comply may get you banned from the program.\n\nTo participate in our program, you must:\n* Create a trial account using your HackerOne email alias\n\u003chackerone-username\u003e@wearehackerone.com\n* Provide your IP address in the bug report. We will keep this data private and only use it to review logs related to your testing activity.\n\nInclude a custom HTTP header in all your traffic so that your requests can be attributed to you in our logs. Burp Suite and other proxies can automatically add a header to every outbound request (for example, with a match-and-replace rule).\n\n| Identifier | Format                               | Example                         |\n|------------|--------------------------------------|---------------------------------|\n| Username   | X-Bug-Bounty: HackerOne-\u003cusername\u003e | X-Bug-Bounty: HackerOne-Warrior |\n\n\nWhen testing for a bug, please also keep in mind:\nMinimize the mayhem. Adhere to program rules at all times. Do not use automated scanners or tools: they send payloads that could trigger state changes or damage production systems and/or data.\n\n\n# Use the links below to start a free trial of the Freshworks suite of products\n- Freshdesk Omnichannel Suite - https://freshdesk.com/omnichannel-signup\n- Freshdesk Support Desk - https://freshdesk.com/signup\n- Freshdesk Contact Center - https://www.freshworks.com/freshcaller-cloud-pbx/signup/\n- Freshchat - https://www.freshworks.com/live-chat-software/signup/\n- Freshservice - https://freshservice.com/signup\n- Freshsales Suite - https://www.freshworks.com/crm/signup/?plan_id=suite\n- Freshsales - https://www.freshworks.com/crm/signup\n- Freshmarketer - https://www.freshworks.com/crm/marketing/signup/\n\n# Our Business Suites Overview\nThis section describes the product suites and their respective user roles. 
Access-control vulnerabilities will be assessed against these roles, and issues that cross account or organization boundaries will take precedence.\n\n**Customer Service Products - Freshdesk / Freshchat / Freshcaller**\n\nUsers of these suites are classified as _Requesters_ and _Agents_, where _Requesters_ are public users and _Agents_ are support executives/employees of an organization.\n\nVulnerabilities that allow a requester to affect agent users will be considered more impactful than those involving only agents.\n\n**IT Service Products - Freshservice\nCRM Products - Freshsales / Freshmarketer**\n\nThese products are classified as _internal_ applications within an organisation, so their users are expected to be employees of that organization. Successful exploitation of any vulnerability therefore requires the attacker to already be part of the organisation or its internal systems.\n\n\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Freshworks and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-04-16T12:51:00.456Z"},{"id":3723484,"new_policy":"# Latest Updates - Freshworks Microblog\n*In this microblog we will keep you updated on the latest changes/additions to our bounty program. 
For a detailed scope, please see the bottom of our policy page.*\n\n**20 April 2023** - We added our business suites overview\n\n**15 March 2023** - Updates to the policy page\n- Vulnerability Severity Range\n- Reward Assessment Guidelines\n\n**27 October 2022** - We have added the Product Updates / Feature Releases pages for products covered under the program scope.\n    - [Freshdesk Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshdesk%20Support%20Desk)\n    - [Freshservice Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshservice)\n    - [Freshchat Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshchat)\n    - [Freshcaller Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshdesk%20Contact%20Center)\n    - [Freshmarketer Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshmarketer)\n    - [Freshsales Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshsales)\n\n\n# Freshworks Bug Bounty Program\nFreshworks is committed to the protection of customer data and treats it with the highest priority. We genuinely value the contribution of security researchers in helping organizations improve their security posture. 
Thus, we encourage them to participate in the Freshworks Bug Bounty program and support us in our objective to provide a secure computing experience to our customers.\nHappy hacking!\n\n# Response Targets\n\nIf you identify a security vulnerability in compliance with this policy, we will use reasonable efforts to:\n- Acknowledge the report within 2 days of submission\n- Triage the reported vulnerability within a maximum period of 7 business days, depending on the volume of tickets\n- Fix the vulnerability in accordance with our commitments to security and privacy\n- Resolve the issue in a time frame that depends on its severity and complexity\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Guidelines\n\n* Do not attempt to compromise the confidentiality, integrity, and availability of our services/customer data or circumvent our privacy protections.\n* Do not publicly disclose a bug either before or after it has been fixed. For clarity, public disclosure means disclosure to anyone, including but not limited to private \"Hacker\" websites and forums, social media platforms, blogs, or any other type of public disclosure.\n* Do not upload information about the vulnerability to any site. This includes posting or uploading videos on YouTube, Vimeo, Twitter, etc., even if marked private.\n* Do not attempt to gain access to customer accounts or data.\n* Do not run automated scanners.\n* Do not perform any attack that could harm the reliability/integrity of our services or data.\n* Do not take a reverse shell. If you happen to find an RCE, please execute only harmless commands such as \"whoami\", \"id\" or \"hostname\". Taking a reverse shell will violate the program policy and unnecessarily trigger a security incident analysis by the Freshworks CIRT team.\n* Do not exploit an SQL Injection vulnerability by running SQLmap or any other automated SQLi exploitation tool. Use harmless commands such as \"sleep(5)\", \"DB version()\", etc. 
If you suspect the presence of an SQL Injection vulnerability, please report it. We will validate it from our side.\n* Do not use exfiltrated EC2 metadata secrets to access AWS resources if you find an SSRF. We will validate the impact from our side.\n* Use \"document.domain\" for XSS report submission. Only the domains mentioned in the \"In-scope\" section will be considered.\n* DoS/DDoS/Spam attacks are not allowed.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* Freshworks' current and former employees and contractors, as well as their family members, are strictly prohibited from participating in the Program, or from sharing information with an external security researcher to bypass this prohibition.\n* No breaching of any NDA, employee, customer or contractor agreements.\n* Leveraging customer accounts, interacting with real customers or customers' public websites is forbidden.\n* Do not store, share, compromise or destroy any Freshworks or customer data while conducting research activities. If personally identifiable information (PII) is encountered, you are required to stop and immediately notify us.\n* Use specific test accounts only.\n\n# Disclosure Policy\n• Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program.\n• Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Reporting\n\nPlease submit your report in the format below on HackerOne. Do not disclose any details about the suspected security vulnerability in any public forum without prior written consent from us. 
Reports that deviate from the format below will not be eligible for our bug bounty program:\n\n* Vulnerability category\n* Affected endpoint and parameter\n* A detailed description of the vulnerability\n* Detailed steps to reproduce and video POC\n* Exploitable scenario\n* Mitigation of the vulnerability\n\n\n# Non-Qualifying Criteria Vulnerabilities / Known Issues\n- HTML injection, hyperlink injection, Self-XSS \u0026 XSS without any impact\n- XSS execution in the context of the AWS S3 bucket.\n- Host header and banner grabbing issues\n- Automated tool scan reports. Example: web, SSL/TLS scan, Nmap scan results, etc.\n- Missing HTTP security headers and cookie flags on insensitive cookies\n- Rate limiting, brute force attacks\n- Race conditions without security impact.\n- DNS pingback requests / private IP disclosure\n- Homograph attack\n- Login/logout CSRF\n- Session-related issues\n- Email spoofing\n- Unrestricted file upload\n- Open redirections, unless you can chain the open redirection to XSS, token theft, or another security-impactful bug.\n- Disclosure of AWS S3 presigned URLs. This is not a security vulnerability.\n- Information disclosures in \"/.well-known/\" folder path locations unless the information is sensitive.\n- Vulnerabilities affecting the Freshworks sandboxed environment.\n- Formula/CSV injection\n- Broken link hijacking\n- Vulnerabilities that require physical access to the victim's machine.\n- User enumeration such as user email, user ID, etc.\n- Phishing / Spam (including issues related to SPF/DKIM/DMARC). 
Missing email best practices (invalid, incomplete, or missing SPF/DKIM/DMARC/CAA records, etc.)\n- Vulnerabilities found in third-party services\n- EXIF data not stripped from images\n- Any activity that could lead to the disruption of our service (DoS)\n- Ability to retrieve a user's public information\n- Tabnabbing\n- CSP weaknesses\n- Use of a known-vulnerable library (without evidence of exploitability)\n- Information exposure from public sources\n- Vulnerabilities only affecting users of outdated or unpatched browsers [less than 2 stable versions behind the latest released stable version]\n- Password token not expired / password token leaking to 3rd-party sites / weak password policy / password best practices\n- No password length or long password upon sign-up / password re-use\n- Concurrent sessions / number of parallel sessions\n- Best-practice concerns\n- Any vulnerabilities requiring significant and unlikely interaction by the victim, such as disabling browser controls\n- Exposed login panels without an accompanying proof-of-concept demonstrating a vulnerability or path of exploitation\n- Dangling IP takeover.\n- Clickjacking\n- Subdomain takeovers\n- Any zero-day vulnerabilities disclosed within the last 30 days.\n- Vulnerabilities identified in Freshworks acquired products / services\n- Software version disclosure / banner identification issues / descriptive error messages or headers (e.g. stack traces, application or server errors).\n- Reports on third-party products, services, or applications not owned by Freshworks\n- **Ability to create support tickets using known email IDs (this is our product's intended behaviour)**\n- **All mobile app (Android and iOS) related vulnerabilities are explicitly out of scope**.\n\n## Any findings that do not show an impact on the user or product will not be accepted.\nWe will only recognize the first reporter of a valid vulnerability; duplicates will not be considered. 
Also, the same vulnerability occurring in multiple areas across the same or different products will be considered one vulnerability.\n\n# Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring System). Please note these are general guidelines, and reward decisions are up to the discretion of Freshworks.\nYou are responsible for paying any taxes associated with the reward. Submissions from countries where we are prohibited by law from making payments, such as those on the [US Sanction Lists](https://ofac.treasury.gov/sanctions-programs-and-country-information), are ineligible for rewards.\n\n# Reward Assessment Guidelines\n\nThere may be situations in which no bounty or only a minimum bonus will be awarded. Here are a few of the most common examples:\n\n**1. Same vulnerability on different paths or hosts:**\n\nIf you believe a vulnerability may exist on a different (unique) path or host, please submit all affected paths and hosts in the same report. However, if you subsequently identify the same vulnerability on a different path/host in a new report submission, such reports will be treated as duplicates.\n\n**2. Same payload/issue, different parameter / functionality:**\n\nFor example, multiple reports of the same vulnerability across different parameters of a resource/functionality, or demonstrations of multiple attack vectors against a single feature/functionality, will be treated as duplicates. We kindly ask you to consolidate reports rather than separate them.\n\n# In Scope\n\n- [yourdomain].freshdesk.com\n- [yourdomain].freshservice.com\n- [yourdomain].freshchat.com\n- [yourdomain].freshcaller.com\n- [yourdomain].myfreshworks.com\n\n**If you are unsure about a domain, email us at \"bughunt[at] freshworks.com\" before spending time on it. Any findings outside the specified scope will be considered non-qualifying bugs.**\n\n\n# Test Plan\n\n## Automated scanning is strictly prohibited. 
Failure to comply may get you banned from the program.\n\nTo participate in our program, you must:\n* Create a trial account using your HackerOne email alias \u003chackerone-username\u003e@wearehackerone.com\n* Provide your IP address in the bug report. We will keep this data private and only use it to review logs related to your testing activity.\n\nInclude a custom HTTP header in all your traffic. Burp and other proxies allow the easy automatic addition of headers to all outbound requests.\n\n| Identifier | Format                              | Example                        |\n|------------|-------------------------------------|--------------------------------|\n| Username   | X-Bug-Bounty:HackerOne-\u003cusername\u003e | X-Bug-Bounty:HackerOne-Warrior |\n\n\nWhen testing for a bug, please also keep in mind:\nMinimize the mayhem. Adhere to program rules at all times. Do not use automated scanners/tools: these tools include payloads that could trigger state changes or damage production systems and/or data.\n\n\n# Go to the links below to start a free trial of the Freshworks suite of products\n- Freshdesk Omnichannel Suite - https://freshdesk.com/omnichannel-signup\n- Freshdesk Support Desk - https://freshdesk.com/signup\n- Freshdesk Contact Center - https://www.freshworks.com/freshcaller-cloud-pbx/signup/\n- Freshchat - https://www.freshworks.com/live-chat-software/signup/\n- Freshservice - https://freshservice.com/signup\n- Freshsales Suite - https://www.freshworks.com/crm/signup/?plan_id=suite\n- Freshsales - https://www.freshworks.com/crm/signup\n- Freshmarketer - https://www.freshworks.com/crm/marketing/signup/\n\n# Our Business Suites Overview:\nThis section describes our product suites and their respective user roles. 
Vulnerabilities related to Access Control will be treated based on this behaviour, and issues affecting \"Cross Accounts / Organization\" will be our priority.\n\n**Customer Service Products - Freshdesk / Freshchat / Freshcaller**\n\nUsers of these suites are classified as _Requestors_ and _Agents_, where _Requestors_ are public users and _Agents_ are support executives/employees of an organization.\n\nVulnerabilities affecting Agent users from a Requestor viewpoint will be considered more impactful than those involving only Agents.\n\n**IT Service Products - Freshservice\nCRM Products - Freshsales / Freshmarketer**\n\nThese products are classified as _Internal_ applications within the organisation. Hence, their users are likely to be employees of an organization, so successful exploitation of any vulnerability requires an attacker to be part of the organisation / internal system.\n\n\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Freshworks and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-04-15T06:59:59.206Z"},{"id":3723447,"new_policy":"# Latest Updates - Freshworks Microblog\n*In this microblog we will keep you updated on the latest changes/additions to our bounty program. 
For a detailed scope, please see the bottom of our policy page.*\n\n**20 April 2023** - We added our business suites overview\n\n**15 March 2023** - Updates in the Policy Page\n- Vulnerability Severity Range\n- Reward Assessment Guidelines\n\n**27 October 2022** - We have added Product Updates / Feature Releases Page for products covered under program scope.\n    - [Freshdesk Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshdesk%20Support%20Desk)\n    - [Freshservice Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshservice )\n    - [Freshchat Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshchat)\n    - [Freshcaller Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshdesk%20Contact%20Center)\n    - [Freshmarketer Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshmarketer)\n    - [Freshsales Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshsales)\n\n\n# Freshworks Bug Bounty Program\nFreshworks is committed to the protection of customer data and treats it with the highest priority. We genuinely value the contribution of security researchers in supporting organizations to better their security posture. 
Thus, we encourage them to participate in the Freshworks Bug Bounty program and support us in our objective to provide a secure computing experience to our customers.\nHappy hacking!\n\n# Response Targets\n\nIf you identify a security vulnerability in compliance with this policy, we will use reasonable efforts to:\n- Acknowledge the report within 2 days of submission\n- Triage the reported vulnerability within a maximum period of 7 business days, depending on the volume of tickets\n- Fix the vulnerability in accordance with our commitments to security and privacy\n- Resolve the issue in a time frame that depends on its severity and complexity\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Guidelines\n\n* Do not attempt to compromise the confidentiality, integrity, and availability of our services/customer data or circumvent our privacy protections.\n* Do not publicly disclose a bug either before or after it has been fixed. For clarity, public disclosure means disclosure to anyone, including but not limited to private \"Hacker\" websites and forums, social media platforms, blogs, or any other type of public disclosure.\n* Do not upload information about the vulnerability to any site. This includes posting or uploading videos on YouTube, Vimeo, Twitter, etc., even if marked private.\n* Do not attempt to gain access to customer accounts or data.\n* Do not run automated scanners.\n* Do not perform any attack that could harm the reliability/integrity of our services or data.\n* Do not take a reverse shell. If you happen to find an RCE, please execute only harmless commands such as \"whoami\", \"id\" or \"hostname\". Taking a reverse shell will violate the program policy and unnecessarily trigger a security incident analysis by the Freshworks CIRT team.\n* Do not exploit an SQL Injection vulnerability by running SQLmap or any other automated SQLi exploitation tool. Use harmless commands such as \"sleep(5)\", \"DB version()\", etc. 
If you suspect the presence of an SQL Injection vulnerability, please report it. We will validate it from our side.\n* Do not use exfiltrated EC2 metadata secrets to access AWS resources if you find an SSRF. We will validate the impact from our side.\n* Use \"document.domain\" for XSS report submission. Only the domains mentioned in the \"In-scope\" section will be considered.\n* DoS/DDoS/Spam attacks are not allowed.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* Freshworks' current and former employees and contractors, as well as their family members, are strictly prohibited from participating in the Program, or from sharing information with an external security researcher to bypass this prohibition.\n* No breaching of any NDA, employee, customer or contractor agreements.\n* Leveraging customer accounts, interacting with real customers or customers' public websites is forbidden.\n* Do not store, share, compromise or destroy any Freshworks or customer data while conducting research activities. If personally identifiable information (PII) is encountered, you are required to stop and immediately notify us.\n* Use specific test accounts only.\n\n# Disclosure Policy\n• Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program.\n• Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Reporting\n\nPlease submit your report in the format below on HackerOne. Do not disclose any details about the suspected security vulnerability in any public forum without prior written consent from us. 
Reports that deviate from the format below will not be eligible for our bug bounty program:\n\n* Vulnerability category\n* Affected endpoint and parameter\n* A detailed description of the vulnerability\n* Detailed steps to reproduce and video POC\n* Exploitable scenario\n* Mitigation of the vulnerability\n\n\n# Non-Qualifying Criteria Vulnerabilities / Known Issues\n- HTML injection, hyperlink injection, Self-XSS \u0026 XSS without any impact\n- XSS execution in the context of the AWS S3 bucket.\n- Host header and banner grabbing issues\n- Automated tool scan reports. Example: web, SSL/TLS scan, Nmap scan results, etc.\n- Missing HTTP security headers and cookie flags on insensitive cookies\n- Rate limiting, brute force attacks\n- Race conditions without security impact.\n- DNS pingback requests / private IP disclosure\n- Homograph attack\n- Login/logout CSRF\n- Session-related issues\n- Email spoofing\n- Unrestricted file upload\n- Open redirections, unless you can chain the open redirection to XSS, token theft, or another security-impactful bug.\n- Disclosure of AWS S3 presigned URLs. This is not a security vulnerability.\n- Information disclosures in \"/.well-known/\" folder path locations unless the information is sensitive.\n- Vulnerabilities affecting the Freshworks sandboxed environment.\n- Formula/CSV injection\n- Broken link hijacking\n- Vulnerabilities that require physical access to the victim's machine.\n- User enumeration such as user email, user ID, etc.\n- Phishing / Spam (including issues related to SPF/DKIM/DMARC). 
Missing email best practices (invalid, incomplete, or missing SPF/DKIM/DMARC/CAA records, etc.)\n- Vulnerabilities found in third-party services\n- EXIF data not stripped from images\n- Any activity that could lead to the disruption of our service (DoS)\n- Ability to retrieve a user's public information\n- Tabnabbing\n- CSP weaknesses\n- Use of a known-vulnerable library (without evidence of exploitability)\n- Information exposure from public sources\n- Vulnerabilities only affecting users of outdated or unpatched browsers [less than 2 stable versions behind the latest released stable version]\n- Password token not expired / password token leaking to 3rd-party sites / weak password policy / password best practices\n- No password length or long password upon sign-up / password re-use\n- Concurrent sessions / number of parallel sessions\n- Best-practice concerns\n- Any vulnerabilities requiring significant and unlikely interaction by the victim, such as disabling browser controls\n- Exposed login panels without an accompanying proof-of-concept demonstrating a vulnerability or path of exploitation\n- Dangling IP takeover.\n- Clickjacking\n- Subdomain takeovers\n- Any zero-day vulnerabilities disclosed within the last 30 days.\n- Vulnerabilities identified in Freshworks acquired products / services\n- Software version disclosure / banner identification issues / descriptive error messages or headers (e.g. stack traces, application or server errors).\n- Reports on third-party products, services, or applications not owned by Freshworks\n- **Ability to create support tickets using known email IDs (this is our product's intended behaviour)**\n- **All mobile app (Android and iOS) related vulnerabilities are explicitly out of scope**.\n\n## Any findings that do not show an impact on the user or product will not be accepted.\nWe will only recognize the first reporter of a valid vulnerability; duplicates will not be considered. 
Also, the same vulnerability occurring in multiple areas across the same or different products will be considered one vulnerability.\n\n# Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring System). Please note these are general guidelines, and reward decisions are up to the discretion of Freshworks.\nYou are responsible for paying any taxes associated with the reward. Submissions from countries where we are prohibited by law from making payments, such as those on the [US Sanction Lists](https://ofac.treasury.gov/sanctions-programs-and-country-information), are ineligible for rewards.\n\n# Reward Assessment Guidelines\n\nThere may be situations in which no bounty or only a minimum bonus will be awarded. Here are a few of the most common examples:\n\n**1. Same vulnerability on different paths or hosts:**\n\nIf you believe a vulnerability may exist on a different (unique) path or host, please submit all affected paths and hosts in the same report. However, if you subsequently identify the same vulnerability on a different path/host in a new report submission, such reports will be treated as duplicates.\n\n**2. Same payload/issue, different parameter / functionality:**\n\nFor example, multiple reports of the same vulnerability across different parameters of a resource/functionality, or demonstrations of multiple attack vectors against a single feature/functionality, will be treated as duplicates. We kindly ask you to consolidate reports rather than separate them.\n\n# In Scope\n\n- [yourdomain].freshdesk.com\n- [yourdomain].freshservice.com\n  Note: the Orchestration Center module in Freshservice is out of scope.\n- [yourdomain].freshchat.com\n- [yourdomain].freshcaller.com\n- [yourdomain].myfreshworks.com\n\n**If you are unsure about a domain, email us at \"bughunt[at] freshworks.com\" before spending time on it. 
Any findings outside the specified scope will be considered non-qualifying bugs.**\n\n\n# Test Plan\n\n## Automated scanning is strictly prohibited. Failure to comply may get you banned from the program.\n\nTo participate in our program, you must:\n* Create a trial account using your HackerOne email alias \u003chackerone-username\u003e@wearehackerone.com\n* Provide your IP address in the bug report. We will keep this data private and only use it to review logs related to your testing activity.\n\nInclude a custom HTTP header in all your traffic. Burp and other proxies allow the easy automatic addition of headers to all outbound requests.\n\n| Identifier | Format                              | Example                        |\n|------------|-------------------------------------|--------------------------------|\n| Username   | X-Bug-Bounty:HackerOne-\u003cusername\u003e | X-Bug-Bounty:HackerOne-Warrior |\n\n\nWhen testing for a bug, please also keep in mind:\nMinimize the mayhem. Adhere to program rules at all times. Do not use automated scanners/tools: these tools include payloads that could trigger state changes or damage production systems and/or data.\n\n\n# Go to the links below to start a free trial of the Freshworks suite of products\n- Freshdesk Omnichannel Suite - https://freshdesk.com/omnichannel-signup\n- Freshdesk Support Desk - https://freshdesk.com/signup\n- Freshdesk Contact Center - https://www.freshworks.com/freshcaller-cloud-pbx/signup/\n- Freshchat - https://www.freshworks.com/live-chat-software/signup/\n- Freshservice - https://freshservice.com/signup\n- Freshsales Suite - https://www.freshworks.com/crm/signup/?plan_id=suite\n- Freshsales - https://www.freshworks.com/crm/signup\n- Freshmarketer - https://www.freshworks.com/crm/marketing/signup/\n\n# Our Business Suites Overview:\nThis section describes our product suites and their respective user roles. 
Vulnerabilities related to Access Control will be treated based on this behaviour, and issues affecting \"Cross Accounts / Organization\" will be our priority.\n\n**Customer Service Products - Freshdesk / Freshchat / Freshcaller**\n\nUsers of these suites are classified as _Requestors_ and _Agents_, where _Requestors_ are public users and _Agents_ are support executives/employees of an organization.\n\nVulnerabilities affecting Agent users from a Requestor viewpoint will be considered more impactful than those involving only Agents.\n\n**IT Service Products - Freshservice\nCRM Products - Freshsales / Freshmarketer**\n\nThese products are classified as _Internal_ applications within the organisation. Hence, their users are likely to be employees of an organization, so successful exploitation of any vulnerability requires an attacker to be part of the organisation / internal system.\n\n\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Freshworks and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-04-14T08:01:14.765Z"},{"id":3723446,"new_policy":"# Latest Updates - Freshworks Microblog\n*In this microblog we will keep you updated on the latest changes/additions to our bounty program. 
For a detailed scope, please see the bottom of our policy page.*\n\n**20 April 2023** - We added our business suites overview\n\n**15 March 2023** - Updates in the Policy Page\n- Vulnerability Severity Range\n- Reward Assessment Guidelines\n\n**27 October 2022** - We have added Product Updates / Feature Releases Page for products covered under program scope.\n    - [Freshdesk Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshdesk%20Support%20Desk)\n    - [Freshservice Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshservice )\n    - [Freshchat Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshchat)\n    - [Freshcaller Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshdesk%20Contact%20Center)\n    - [Freshmarketer Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshmarketer)\n    - [Freshsales Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshsales)\n\n\n# Freshworks Bug Bounty Program\nFreshworks is committed to the protection of customer data and treats it with the highest priority. We genuinely value the contribution of security researchers in supporting organizations to better their security posture. 
Thus, we encourage them to participate in the Freshworks Bug Bounty program and support us in our objective to provide a secure computing experience to our customers.\nHappy hacking!\n\n# Response Targets\n\nIf you identify a security vulnerability in compliance with this policy, we will use reasonable efforts to:\n- Acknowledge the report within 2 days of submission\n- Triage the reported vulnerability within a maximum period of 7 business days, depending on the volume of tickets\n- Fix the vulnerability in accordance with our commitments to security and privacy\n- Resolve the issue in a time frame that depends on its severity and complexity\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Guidelines\n\n* Do not attempt to compromise the confidentiality, integrity, and availability of our services/customer data or circumvent our privacy protections.\n* Do not publicly disclose a bug either before or after it has been fixed. For clarity, public disclosure means disclosure to anyone, including but not limited to private \"Hacker\" websites and forums, social media platforms, blogs, or any other type of public disclosure.\n* Do not upload information about the vulnerability to any site. This includes posting or uploading videos on YouTube, Vimeo, Twitter, etc., even if marked private.\n* Do not attempt to gain access to customer accounts or data.\n* Do not run automated scanners.\n* Do not perform any attack that could harm the reliability/integrity of our services or data.\n* Do not take a reverse shell. If you happen to find an RCE, please execute only harmless commands such as \"whoami\", \"id\" or \"hostname\". Taking a reverse shell will violate the program policy and unnecessarily trigger a security incident analysis by the Freshworks CIRT team.\n* Do not exploit an SQL Injection vulnerability by running SQLmap or any other automated SQLi exploitation tool. Use harmless commands such as \"sleep(5)\", \"DB version()\", etc. 
If you suspect the presence of an SQL Injection vulnerability, please report it. We will validate it from our side.\n* Do not use exfiltrated EC2 metadata secrets to access AWS resources if you find an SSRF. We will validate the impact from our side.\n* Use \"document.domain\" for XSS report submission. Only the domains mentioned in the \"In-scope\" section will be considered.\n* DoS/DDoS/Spam attacks are not allowed.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* Freshworks' current and former employees and contractors, as well as their family members, are strictly prohibited from participating in the Program, or from sharing information with an external security researcher to bypass this prohibition.\n* No breaching of any NDA, employee, customer or contractor agreements.\n* Leveraging customer accounts, interacting with real customers or customers' public websites is forbidden.\n* Do not store, share, compromise or destroy any Freshworks or customer data while conducting research activities. If personally identifiable information (PII) is encountered, you are required to stop and immediately notify us.\n* Use specific test accounts only.\n\n# Disclosure Policy\n• Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program.\n• Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Reporting\n\nPlease submit your report in the format below on HackerOne. Do not disclose any details about the suspected security vulnerability in any public forum without prior written consent from us. 
Reports that deviate from the format below will not be eligible for our bug bounty program:\n\n* Vulnerability category\n* Affected endpoint and parameter\n* A detailed description of the vulnerability\n* Detailed steps to reproduce and video POC\n* Exploitable scenario\n* Mitigation of vulnerability\n\n\n# Non-Qualifying Criteria Vulnerabilities / Known Issues\n- HTML injection, Hyperlink injection, Self-XSS \u0026 XSS that doesn't make any impact\n- XSS execution in the context of the AWS S3 bucket.\n- Host header and banner grabbing issues\n- Automated tool scan reports. Example: Web, SSL/TLS scan, Nmap scan results, etc.\n- Missing HTTP security headers and cookie flags on insensitive cookies\n- Rate limiting, brute force attack\n- Race Conditions without security impact.\n- DNS IP Ping back request / Private IP Disclosure\n- Homograph attack\n- Login/logout CSRF\n- Session related issues\n- Email Spoofing\n- Unrestricted file upload\n- Open redirections - Unless you can chain open redirection to XSS, stealing tokens, or any other security impactful bugs.\n- Disclosure of AWS S3 presigned URL. This is not a security vulnerability.\n- Vulnerabilities affecting Freshworks sandboxed environment.\n- Formula/CSV Injection\n- Broken Link Hijacking\n- Vulnerabilities that require physical access to the victim machine.\n- User enumeration such as User email, User ID, etc.\n- Phishing / Spam (including issues related to SPF/DKIM/DMARC). 
Missing email best practices (Invalid, incomplete, or missing SPF/DKIM/DMARC/CAA records, etc.)\n- Vulnerabilities found in third-party services\n- EXIF data not stripped on images\n- Any activity that could lead to the disruption of our service (DoS)\n- Able to retrieve user's public information\n- Tabnabbing\n- CSP Weaknesses\n- Use of a known-vulnerable library (without evidence of exploitability)\n- Information Exposure from Public Sources\n- Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n- Password Token Not Expired / Password Token Leaking to 3rd party Sites / Weak Password Policy / Password best practices\n- No password length or Long Password Upon Sign-up / Password Re-Use\n- Concurrent Sessions / Number of Parallel Sessions\n- Best practices concerns\n- Any vulnerabilities requiring significant and unlikely interaction by the victim, such as disabling browser controls\n- Exposed login panels without an accompanying proof-of-concept demonstrating a vulnerability or path of exploitation\n- Dangling IP takeover.\n- Clickjacking\n- Subdomain takeovers\n- Any Zero Day vulnerabilities disclosed within the last 30 days.\n- Vulnerabilities identified in Freshworks Acquired Products / Services\n- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n- Reports on third-party products, services, or applications not owned by Freshworks\n- **Able to create Support Tickets using known email IDs (this is our product's intended behaviour)**\n- **All Mobile Apps (Android and iOS) related vulnerabilities are explicitly out-of-scope**.\n\n## Any findings that do not show an impact to the user or product will not be accepted.\nWe will only recognize the first reporter of a valid vulnerability and duplicates will not be considered. 
Also, the same vulnerability that occurs in multiple areas across the same/different product will be considered as one vulnerability.\n\n# Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring System). Please note these are general guidelines, and reward decisions are up to the discretion of Freshworks.\nYou are responsible for paying any taxes associated with the reward. Submissions from countries where we are prohibited by law from making payments (for example, those on the [US Sanction Lists](https://ofac.treasury.gov/sanctions-programs-and-country-information)) are ineligible for rewards.\n\n# Reward Assessment Guidelines\n\nThere may be some situations that arise for which no bounty or a minimum bonus will be awarded. Here are a few of the most common examples:\n\n**1. Same vulnerability, on different paths or hosts:**\n\nIf you believe a vulnerability may exist on a different (unique) path or host, please submit all affected paths and hosts in the same report. However, if you subsequently identify the same vulnerability on a different path/host on a new report submission, such reports will be treated as a duplicate.\n\n**2. Same Payload/Issue, Different Parameter / Functionality:**\n\nFor example, multiple reports of the same vulnerability across different parameters of a resource/functionality, or demonstrations of multiple attack vectors against a single feature/functionality, will be treated as duplicates. We kindly ask you to consolidate reports rather than separate them.\n\n# In Scope\n\n- [yourdomain].freshdesk.com\n- [yourdomain].freshservice.com  \nNote: Orchestration Center module in Freshservice is out of scope.\n- [yourdomain].freshchat.com\n- [yourdomain].freshcaller.com\n- [yourdomain].myfreshworks.com\n\n**If you are unsure about a domain, email us at \"bughunt[at] freshworks.com\" before spending time on it. 
Any findings apart from the specified scope will be considered as a non-qualifying bug.**\n\n\n# Test Plan\n\n## Automated scanning is strictly prohibited. Failing to comply might get you banned from the program.\n\nTo participate in our program, you must:\n* Create a trial account using your HackerOne email alias\n\u003chackerone-username\u003e@wearehackerone.com\n* Provide your IP address in the bug report. We will keep this data private and only use it to review logs related to your testing activity.\n\nInclude a custom HTTP header in all your traffic. Burp and other proxies allow the easy automatic addition of headers to all outbound requests.\n\n| Identifier | Format                          | Example                       |\n|------------|---------------------------------|--------------------------------|\n| Username   | X-Bug-Bounty:HackerOne-\u003cusername\u003e | X-Bug-Bounty:HackerOne-Warrior |\n\n\nWhen testing for a bug, please also keep in mind:\nMinimize the mayhem. Adhere to program rules at all times. Do not use automated scanners/tools - these tools include payloads that could trigger state changes or damage production systems and/or data.\n\n\n# Go to the links below to start a free trial for the Freshworks Suite of Products\n- Freshdesk Omnichannel Suite - https://freshdesk.com/omnichannel-signup\n- Freshdesk Support Desk - https://freshdesk.com/signup\n- Freshdesk Contact Center - https://www.freshworks.com/freshcaller-cloud-pbx/signup/\n- Freshchat - https://www.freshworks.com/live-chat-software/signup/\n- Freshservice - https://freshservice.com/signup\n- Freshsales Suite - https://www.freshworks.com/crm/signup/?plan_id=suite\n- Freshsales - https://www.freshworks.com/crm/signup\n- Freshmarketer - https://www.freshworks.com/crm/marketing/signup/\n\n# Our Business Suites Overview:\nThis section describes Product Suites and information about respective user roles. 
Vulnerabilities related to Access Control will be treated based on this behaviour, and issues affecting \"Cross Accounts / Organization\" will take precedence.\n\n**Customer Service Products - Freshdesk / Freshchat / Freshcaller**\n\nUsers of these suites are classified as _Requestors_ and _Agents_, where _Requestors_ are public users and _Agents_ are Support executives/employees of an organization.\n\nVulnerabilities affecting Agent users from a Requestor viewpoint will be considered more impactful than those involving only Agents.\n\n**IT Service Products - Freshservice**\n**CRM Products - Freshsales / Freshmarketer**\n\nThese products are classified as _Internal_ applications within the organisation. Hence, their users are likely to be employees of an organization, so successful exploitation of any vulnerability requires an attacker to be part of the organisation / internal system.\n\n\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Freshworks and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-04-14T07:48:30.270Z"},{"id":3723362,"new_policy":"# Latest Updates - Freshworks Microblog\n*In this microblog we will keep you updated on the latest changes/ additions to our bounty program. 
For a detailed scope, please see the bottom of our policy page.*\n\n**20 April 2023** - We added our business suites overview\n\n**15 March 2023** - Updates in the Policy Page\n- Vulnerability Severity Range\n- Reward Assessment Guidelines\n\n**27 October 2022** - We have added Product Updates / Feature Releases Page for products covered under program scope.\n    - [Freshdesk Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshdesk%20Support%20Desk)\n    - [Freshservice Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshservice )\n    - [Freshchat Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshchat)\n    - [Freshcaller Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshdesk%20Contact%20Center)\n    - [Freshmarketer Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshmarketer)\n    - [Freshsales Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshsales)\n\n\n# Freshworks Bug Bounty Program\nFreshworks is committed to the protection of customer data and treats it with the highest priority. We genuinely value the contribution of security researchers in supporting organizations to better their security posture. 
Thus, we encourage them to participate in the Freshworks Bug Bounty program and support us in our objective to provide a secure computing experience to our customers.\nHappy hacking!\n\n# Response Targets\n\nIf you identify a security vulnerability in compliance with this policy, we will use reasonable efforts to:\n- Acknowledge the report within 2 days of submission\n- Triage the reported vulnerability based on the volume of tickets within a maximum period of 7 business days\n- Fix the vulnerability in accordance with our commitments to security and privacy.\n- Time to Resolution depends on severity and complexity\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Guidelines\n\n* Do not attempt to compromise the confidentiality, integrity, and availability of our services/customer data or circumvent our privacy protections.\n* Do not publicly disclose a bug either before or after it has been fixed. For clarity, public disclosure means disclosure to anyone, even including but not limited to private \"Hacker\" websites and forums, social media platforms, blogs, or any other type of public disclosure.\n* Do not upload information about the vulnerability on any site. This includes your restriction to upload posts, videos on YouTube, Vimeo, Twitter, etc., even if marked private.\n* Do not attempt to gain access to customer accounts or data.\n* Do not run automated scanners.\n* Do not perform any attack that could harm the reliability/integrity of our services or data. \n* Do not take a reverse shell. If you happen to find an RCE, please execute only harmless commands such as \"whoami\",\"id\" or \"hostname\". Taking a reverse shell will violate the program policy and  unnecessarily trigger a security incident analysis by the Freshworks CIRT team. \n* Do not exploit the SQL Injection vulnerability by running SQLmap or any other automated SQLi exploitation tool. Use harmless command such as \"sleep(5)\". 
If you suspect the presence of the SQL Injection vulnerability, please report it. We will validate it from our side. \n* Use \"document.domain\" for XSS report submission. Only the domains mentioned in the In-scope section will be considered.\n* DOS/DDOS/Spam attacks are not allowed.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* Freshworks' current and former employees and contractors, as well as their family members, are strictly prohibited from participating in the Program, or sharing information with an external security researcher to bypass this prohibition.\n* No breaching of any NDA, employee, customer or contractor agreements.\n* Leveraging customer accounts, interacting with real customers, or interacting with customers’ public websites is forbidden.\n* Do not store, share, compromise or destroy any Freshworks or customer data while conducting research activities. If personally identifiable information (PII) is encountered, you are required to stop and immediately notify us.\n* Use specific test accounts only.\n\n# Disclosure Policy\n• Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program.\n• Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Reporting\n\nPlease submit your report on HackerOne in the format given below. Do not disclose any details about the suspected security vulnerability in any public forum without prior written consent from us. 
Reports that deviate from the format below will not be eligible for our bug bounty program:\n\n* Vulnerability category\n* Affected endpoint and parameter\n* A detailed description of the vulnerability\n* Detailed steps to reproduce and video POC\n* Exploitable scenario\n* Mitigation of vulnerability\n\n\n# Non-Qualifying Criteria Vulnerabilities / Known Issues\n- HTML injection, Self-XSS \u0026 XSS that doesn't make any impact\n- XSS execution in the context of the AWS S3 bucket.\n- Host header and banner grabbing issues\n- Automated tool scan reports. Example: Web, SSL/TLS scan, Nmap scan results, etc.\n- Missing HTTP security headers and cookie flags on insensitive cookies\n- Rate limiting, brute force attack\n- Race Conditions without security impact.\n- DNS IP Ping back request / Private IP Disclosure\n- Homograph attack\n- Login/logout CSRF\n- Session related issues\n- Email Spoofing\n- Unrestricted file upload\n- Open redirections - Unless you can chain open redirection to XSS, stealing tokens, or any other impactful bugs.\n- Disclosure of AWS S3 presigned URL. This is not a security vulnerability.\n- Vulnerabilities affecting Freshworks sandboxed environment.\n- Formula/CSV Injection\n- Broken Link Hijacking\n- Vulnerabilities that require physical access to the victim machine.\n- User enumeration such as User email, User ID, etc.\n- Phishing / Spam (including issues related to SPF/DKIM/DMARC). 
Missing email best practices (Invalid, incomplete, or missing SPF/DKIM/DMARC/CAA records, etc.)\n- Vulnerabilities found in third-party services\n- EXIF data not stripped on images\n- Any activity that could lead to the disruption of our service (DoS)\n- Able to retrieve user's public information\n- Tabnabbing\n- CSP Weaknesses\n- Use of a known-vulnerable library (without evidence of exploitability)\n- Information Exposure from Public Sources\n- Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n- Password Token Not Expired / Password Token Leaking to 3rd party Sites / Weak Password Policy / Password best practices\n- No password length or Long Password Upon Sign-up / Password Re-Use\n- Concurrent Sessions / Number of Parallel Sessions\n- Best practices concerns\n- Any vulnerabilities requiring significant and unlikely interaction by the victim, such as disabling browser controls\n- Exposed login panels without an accompanying proof-of-concept demonstrating a vulnerability or path of exploitation\n- Dangling IP takeover.\n- Clickjacking\n- Subdomain takeovers\n- Any Zero Day vulnerabilities disclosed within the last 30 days.\n- Vulnerabilities identified in Freshworks Acquired Products / Services\n- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n- Reports on third-party products, services, or applications not owned by Freshworks\n- **Able to create Support Tickets using known email IDs (this is our product's intended behaviour)**\n- **All Mobile Apps (Android and iOS) related vulnerabilities are explicitly out-of-scope**.\n\n## Any findings that do not show an impact to the user or product will not be accepted.\nWe will only recognize the first reporter of a valid vulnerability and duplicates will not be considered. 
Also, the same vulnerability that occurs in multiple areas across the same/different product will be considered as one vulnerability.\n\n# Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring System). Please note these are general guidelines, and reward decisions are up to the discretion of Freshworks.\nYou are responsible for paying any taxes associated with the reward. Submissions from countries where we are prohibited by law from making payments (for example, those on the [US Sanction Lists](https://ofac.treasury.gov/sanctions-programs-and-country-information)) are ineligible for rewards.\n\n# Reward Assessment Guidelines\n\nThere may be some situations that arise for which no bounty or a minimum bonus will be awarded. Here are a few of the most common examples:\n\n**1. Same vulnerability, on different paths or hosts:**\n\nIf you believe a vulnerability may exist on a different (unique) path or host, please submit all affected paths and hosts in the same report. However, if you subsequently identify the same vulnerability on a different path/host on a new report submission, such reports will be treated as a duplicate.\n\n**2. Same Payload/Issue, Different Parameter / Functionality:**\n\nFor example, multiple reports of the same vulnerability across different parameters of a resource/functionality, or demonstrations of multiple attack vectors against a single feature/functionality, will be treated as duplicates. We kindly ask you to consolidate reports rather than separate them.\n\n# In Scope\n\n- [yourdomain].freshdesk.com\n- [yourdomain].freshservice.com  \nNote: Orchestration Center module in Freshservice is out of scope.\n- [yourdomain].freshchat.com\n- [yourdomain].freshcaller.com\n- [yourdomain].myfreshworks.com\n\n**If you are unsure about a domain, email us at \"bughunt[at] freshworks.com\" before spending time on it. 
Any findings apart from the specified scope will be considered as a non-qualifying bug.**\n\n\n# Test Plan\n\n## Automated scanning is strictly prohibited. Failing to comply might get you banned from the program.\n\nTo participate in our program, you must:\n* Create a trial account using your HackerOne email alias\n\u003chackerone-username\u003e@wearehackerone.com\n* Provide your IP address in the bug report. We will keep this data private and only use it to review logs related to your testing activity.\n\nInclude a custom HTTP header in all your traffic. Burp and other proxies allow the easy automatic addition of headers to all outbound requests.\n\n| Identifier | Format                          | Example                       |\n|------------|---------------------------------|--------------------------------|\n| Username   | X-Bug-Bounty:HackerOne-\u003cusername\u003e | X-Bug-Bounty:HackerOne-Warrior |\n\n\nWhen testing for a bug, please also keep in mind:\nMinimize the mayhem. Adhere to program rules at all times. Do not use automated scanners/tools - these tools include payloads that could trigger state changes or damage production systems and/or data.\n\n\n# Go to the links below to start a free trial for the Freshworks Suite of Products\n- Freshdesk Omnichannel Suite - https://freshdesk.com/omnichannel-signup\n- Freshdesk Support Desk - https://freshdesk.com/signup\n- Freshdesk Contact Center - https://www.freshworks.com/freshcaller-cloud-pbx/signup/\n- Freshchat - https://www.freshworks.com/live-chat-software/signup/\n- Freshservice - https://freshservice.com/signup\n- Freshsales Suite - https://www.freshworks.com/crm/signup/?plan_id=suite\n- Freshsales - https://www.freshworks.com/crm/signup\n- Freshmarketer - https://www.freshworks.com/crm/marketing/signup/\n\n# Our Business Suites Overview:\nThis section describes Product Suites and information about respective user roles. 
Vulnerabilities related to Access Control will be treated based on this behaviour, and issues affecting \"Cross Accounts / Organization\" will take precedence.\n\n**Customer Service Products - Freshdesk / Freshchat / Freshcaller**\n\nUsers of these suites are classified as _Requestors_ and _Agents_, where _Requestors_ are public users and _Agents_ are Support executives/employees of an organization.\n\nVulnerabilities affecting Agent users from a Requestor viewpoint will be considered more impactful than those involving only Agents.\n\n**IT Service Products - Freshservice**\n**CRM Products - Freshsales / Freshmarketer**\n\nThese products are classified as _Internal_ applications within the organisation. Hence, their users are likely to be employees of an organization, so successful exploitation of any vulnerability requires an attacker to be part of the organisation / internal system.\n\n\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Freshworks and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-04-12T13:05:02.962Z"},{"id":3723345,"new_policy":"# Latest Updates - Freshworks Microblog\n*In this microblog we will keep you updated on the latest changes/ additions to our bounty program. 
For a detailed scope, please see the bottom of our policy page.*\n\n**20 April 2023** - We added our business suites overview\n\n**15 March 2023** - Updates in the Policy Page\n- Vulnerability Severity Range\n- Reward Assessment Guidelines\n\n**27 October 2022** - We have added Product Updates / Feature Releases Page for products covered under program scope.\n    - [Freshdesk Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshdesk%20Support%20Desk)\n    - [Freshservice Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshservice )\n    - [Freshchat Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshchat)\n    - [Freshcaller Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshdesk%20Contact%20Center)\n    - [Freshmarketer Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshmarketer)\n    - [Freshsales Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshsales)\n\n\n# Freshworks Bug Bounty Program\nFreshworks is committed to the protection of customer data and treats it with the highest priority. We genuinely value the contribution of security researchers in supporting organizations to better their security posture. 
Thus, we encourage them to participate in the Freshworks Bug Bounty program and support us in our objective to provide a secure computing experience to our customers.\nHappy hacking!\n\n# Response Targets\n\nIf you identify a security vulnerability in compliance with this policy, we will use reasonable efforts to:\n- Acknowledge the report within 2 days of submission\n- Triage the reported vulnerability based on the volume of tickets within a maximum period of 7 business days\n- Fix the vulnerability in accordance with our commitments to security and privacy.\n- Time to Resolution depends on severity and complexity\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Guidelines\n\n* Do not attempt to compromise the confidentiality, integrity, and availability of our services/customer data or circumvent our privacy protections.\n* Do not publicly disclose a bug either before or after it has been fixed. For clarity, public disclosure means disclosure to anyone, even including but not limited to private \"Hacker\" websites and forums, social media platforms, blogs, or any other type of public disclosure.\n* Do not upload information about the vulnerability on any site. This includes your restriction to upload posts, videos on YouTube, Vimeo, Twitter, etc., even if marked private.\n* Do not attempt to gain access to customer accounts or data.\n* Do not run automated scanners.\n* Do not perform any attack that could harm the reliability/integrity of our services or data. \n* Do not take a reverse shell. If you happen to find an RCE, please execute only harmless commands such as \"whoami\",\"id\" or \"hostname\". Taking a reverse shell will unnecessarily trigger a security incident analysis.\n* Use \"document.domain\" for XSS report submission. 
Only the domains mentioned in the In-scope section will be considered.\n* DOS/DDOS/Spam attacks are not allowed.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* Freshworks' current and former employees and contractors, as well as their family members, are strictly prohibited from participating in the Program, or sharing information with an external security researcher to bypass this prohibition.\n* No breaching of any NDA, employee, customer or contractor agreements.\n* Leveraging customer accounts, interacting with real customers, or interacting with customers’ public websites is forbidden.\n* Do not store, share, compromise or destroy any Freshworks or customer data while conducting research activities. If personally identifiable information (PII) is encountered, you are required to stop and immediately notify us.\n* Use specific test accounts only.\n\n# Disclosure Policy\n• Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program.\n• Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Reporting\n\nPlease submit your report on HackerOne in the format given below. Do not disclose any details about the suspected security vulnerability in any public forum without prior written consent from us. 
Reports that deviate from the format below will not be eligible for our bug bounty program:\n\n* Vulnerability category\n* Affected endpoint and parameter\n* A detailed description of the vulnerability\n* Detailed steps to reproduce and video POC\n* Exploitable scenario\n* Mitigation of vulnerability\n\n\n# Non-Qualifying Criteria Vulnerabilities / Known Issues\n- HTML injection, Self-XSS \u0026 XSS that doesn't make any impact\n- XSS execution in the context of the AWS S3 bucket.\n- Host header and banner grabbing issues\n- Automated tool scan reports. Example: Web, SSL/TLS scan, Nmap scan results, etc.\n- Missing HTTP security headers and cookie flags on insensitive cookies\n- Rate limiting, brute force attack\n- Race Conditions without security impact.\n- DNS IP Ping back request / Private IP Disclosure\n- Homograph attack\n- Login/logout CSRF\n- Session related issues\n- Email Spoofing\n- Unrestricted file upload\n- Open redirections - Unless you can chain open redirection to XSS, stealing tokens, or any other impactful bugs.\n- Disclosure of AWS S3 presigned URL. This is not a security vulnerability.\n- Vulnerabilities affecting Freshworks sandboxed environment.\n- Formula/CSV Injection\n- Broken Link Hijacking\n- Vulnerabilities that require physical access to the victim machine.\n- User enumeration such as User email, User ID, etc.\n- Phishing / Spam (including issues related to SPF/DKIM/DMARC). 
Missing email best practices (Invalid, incomplete, or missing SPF/DKIM/DMARC/CAA records, etc.)\n- Vulnerabilities found in third-party services\n- EXIF data not stripped on images\n- Any activity that could lead to the disruption of our service (DoS)\n- Able to retrieve user's public information\n- Tabnabbing\n- CSP Weaknesses\n- Use of a known-vulnerable library (without evidence of exploitability)\n- Information Exposure from Public Sources\n- Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n- Password Token Not Expired / Password Token Leaking to 3rd party Sites / Weak Password Policy / Password best practices\n- No password length or Long Password Upon Sign-up / Password Re-Use\n- Concurrent Sessions / Number of Parallel Sessions\n- Best practices concerns\n- Any vulnerabilities requiring significant and unlikely interaction by the victim, such as disabling browser controls\n- Exposed login panels without an accompanying proof-of-concept demonstrating a vulnerability or path of exploitation\n- Dangling IP takeover.\n- Clickjacking\n- Subdomain takeovers\n- Any Zero Day vulnerabilities disclosed within the last 30 days.\n- Vulnerabilities identified in Freshworks Acquired Products / Services\n- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n- Reports on third-party products, services, or applications not owned by Freshworks\n- **Able to create Support Tickets using known email IDs (this is our product's intended behaviour)**\n- **All Mobile Apps (Android and iOS) related vulnerabilities are explicitly out-of-scope**.\n\n## Any findings that do not show an impact to the user or product will not be accepted.\nWe will only recognize the first reporter of a valid vulnerability and duplicates will not be considered. 
Also, the same vulnerability that occurs in multiple areas across the same/different product will be considered as one vulnerability.\n\n# Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring System). Please note these are general guidelines, and reward decisions are up to the discretion of Freshworks.\nYou are responsible for paying any taxes associated with the reward. Submissions from countries where we are prohibited by law from making payments (for example, those on the [US Sanction Lists](https://ofac.treasury.gov/sanctions-programs-and-country-information)) are ineligible for rewards.\n\n# Reward Assessment Guidelines\n\nThere may be some situations that arise for which no bounty or a minimum bonus will be awarded. Here are a few of the most common examples:\n\n**1. Same vulnerability, on different paths or hosts:**\n\nIf you believe a vulnerability may exist on a different (unique) path or host, please submit all affected paths and hosts in the same report. However, if you subsequently identify the same vulnerability on a different path/host on a new report submission, such reports will be treated as a duplicate.\n\n**2. Same Payload/Issue, Different Parameter / Functionality:**\n\nFor example, multiple reports of the same vulnerability across different parameters of a resource/functionality, or demonstrations of multiple attack vectors against a single feature/functionality, will be treated as duplicates. We kindly ask you to consolidate reports rather than separate them.\n\n# In Scope\n\n- [yourdomain].freshdesk.com\n- [yourdomain].freshservice.com  \nNote: Orchestration Center module in Freshservice is out of scope.\n- [yourdomain].freshchat.com\n- [yourdomain].freshcaller.com\n- [yourdomain].myfreshworks.com\n\n**If you are unsure about a domain, email us at \"bughunt[at] freshworks.com\" before spending time on it. 
Any findings apart from the specified scope will be considered non-qualifying.**\n\n\n# Test Plan\n\n## Automated scanning is strictly prohibited. Failure to comply might get you banned from the program.\n\nTo participate in our program, you must:\n* Create a trial account using your HackerOne email alias\n\u003chackerone-username\u003e@wearehackerone.com\n* Provide your IP address in the bug report. We will keep this data private and only use it to review logs related to your testing activity.\n\nInclude a custom HTTP header in all your traffic. Burp and other proxies make it easy to add a header to all outbound requests automatically.\n\n| Identifier | Format                          | Example                       |\n|------------|---------------------------------|--------------------------------|\n| Username   | X-Bug-Bounty:HackerOne-\u003cusername\u003e | X-Bug-Bounty:HackerOne-Warrior |\n\n\nWhen testing for a bug, please also keep in mind:\nMinimize the mayhem. Adhere to program rules at all times. Do not use automated scanners/tools: these tools include payloads that could trigger state changes or damage production systems and/or data.\n\n\n# Go to the links below to start a free trial of the Freshworks suite of products\n- Freshdesk Omnichannel Suite - https://freshdesk.com/omnichannel-signup \n- Freshdesk Support Desk - https://freshdesk.com/signup\n- Freshdesk Contact Center - https://www.freshworks.com/freshcaller-cloud-pbx/signup/ \n- Freshchat - https://www.freshworks.com/live-chat-software/signup/\n- Freshservice - https://freshservice.com/signup \n- Freshsales Suite - https://www.freshworks.com/crm/signup/?plan_id=suite \n- Freshsales - https://www.freshworks.com/crm/signup \n- Freshmarketer - https://www.freshworks.com/crm/marketing/signup/ \n\n# Our Business Suites Overview:\nThis section describes our product suites and their respective user roles. 
Vulnerabilities related to access control will be assessed against these roles, and issues affecting \"Cross Accounts / Organization\" access will take precedence.\n\n**Customer Service Products - Freshdesk / Freshchat / Freshcaller**\n\nUsers of these suites are classified as _Requestors_ and _Agents_, where _Requestors_ are public users and _Agents_ are support executives/employees of an organization. \n\nVulnerabilities that a Requestor can use against Agent users will be considered more impactful than those that only involve Agents within the same organization.\n\n**IT Service Products - Freshservice\nCRM Products - Freshsales / Freshmarketer**\n\nThese products are classified as _Internal_ applications within an organisation, so their users are likely to be employees of that organization. Successful exploitation of any vulnerability therefore requires the attacker to already be part of the organisation / internal system.\n\n\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Freshworks and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-04-12T12:35:01.469Z"},{"id":3708456,"new_policy":"# Latest Updates - Freshworks Microblog\n*In this microblog we will keep you updated on the latest changes/ additions to our bounty program. 
For a detailed scope, please see the bottom of our policy page.*\n\n**20 April 2023** - We added our business suites overview\n\n**15 March 2023** - Updates in the Policy Page\n- Vulnerability Severity Range\n- Reward Assessment Guidelines\n\n**27 October 2022** - We have added Product Updates / Feature Releases Page for products covered under program scope.\n    - [Freshdesk Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshdesk%20Support%20Desk)\n    - [Freshservice Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshservice )\n    - [Freshchat Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshchat)\n    - [Freshcaller Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshdesk%20Contact%20Center)\n    - [Freshmarketer Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshmarketer)\n    - [Freshsales Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshsales)\n\n\n# Freshworks Bug Bounty Program\nFreshworks is committed to the protection of customer data and treats it with the highest priority. We genuinely value the contribution of security researchers in supporting organizations to better their security posture. 
Thus, we encourage them to participate in the Freshworks Bug Bounty program and support us in our objective to provide a secure computing experience to our customers.\nHappy hacking!\n\n# Response Targets\n\nIf you identify a security vulnerability in compliance with this policy, we will use reasonable efforts to:\n- Acknowledge the report within 2 days of submission\n- Triage the reported vulnerability based on the volume of tickets within a maximum period of 7 business days\n- Fix the vulnerability in accordance with our commitments to security and privacy.\n- Time to Resolution depends on severity and complexity\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Guidelines\n\n* Do not attempt to compromise the confidentiality, integrity, and availability of our services/customer data or circumvent our privacy protections.\n* Do not publicly disclose a bug either before or after it has been fixed. For clarity, public disclosure means disclosure to anyone, even including but not limited to private \"Hacker\" websites and forums, social media platforms, blogs, or any other type of public disclosure.\n* Do not upload information about the vulnerability on any site. This includes your restriction to upload posts, videos on YouTube, Vimeo, Twitter, etc., even if marked private.\n* Do not attempt to gain access to customer accounts or data.\n* Do not run automated scanners.\n* Do not perform any attack that could harm the reliability/integrity of our services or data. 
\n* DDoS/spam attacks are not allowed.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* Freshworks' current and former employees and contractors, as well as their family members, are strictly prohibited from participating in the Program, or from sharing information with an external security researcher to bypass this prohibition.\n* No breaching of any NDA, employee, customer or contractor agreements.\n* Leveraging customer accounts, interacting with real customers, or testing customers' public websites is forbidden.\n* Do not store, share, compromise or destroy any Freshworks or customer data while conducting research activities. If personally identifiable information (PII) is encountered, you are required to stop and immediately notify us.\n* Use specific test accounts only.\n\n# Disclosure Policy\n• Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program. \n• Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Reporting\n\nPlease submit your report on HackerOne in the format below. Do not disclose any details about the suspected security vulnerability in any public forum without prior written consent from us. 
Any report that deviates from the format below will not be eligible for our bug bounty program:\n\n* Vulnerability category\n* Affected endpoint and parameter\n* A detailed description of the vulnerability\n* Detailed steps to reproduce and a video PoC\n* Exploitable scenario\n* Mitigation of the vulnerability\n\n\n# Non-Qualifying Vulnerabilities / Known Issues\n- HTML injection, Self-XSS \u0026 XSS without demonstrable impact\n- Host header and banner grabbing issues\n- Automated tool scan reports (e.g. web, SSL/TLS or Nmap scan results)\n- Missing HTTP security headers and cookie flags on insensitive cookies\n- Rate limiting, brute force attacks\n- Login/logout CSRF\n- Session related issues\n- Email Spoofing\n- Unrestricted file upload\n- Open redirections\n- Formula/CSV Injection\n- Broken Link Hijacking\n- Vulnerabilities that require physical access to the victim machine\n- User enumeration (user email, user ID, etc.)\n- Phishing / Spam (including issues related to SPF/DKIM/DMARC)\n- Missing email best practices (Invalid, incomplete, or missing SPF/DKIM/DMARC records, etc.)\n- Vulnerabilities found in third-party services\n- EXIF data not stripped on images\n- Any activity that could lead to the disruption of our service (DoS)\n- Ability to retrieve a user's public information\n- Tabnabbing\n- CSP Weaknesses\n- Use of a known-vulnerable library (without evidence of exploitability)\n- Information Exposure from Public Sources\n- Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n- Password Token Not Expired / Password Token Leaking to 3rd-party Sites / Weak Password Policy / Password best practices\n- No password length limit or long password accepted upon sign-up / Password Re-Use\n- Concurrent Sessions / Number of Parallel Sessions\n- Best-practice concerns\n- Any vulnerabilities requiring significant and unlikely interaction by the victim, such as disabling browser 
controls\n- Exposed login panels without an accompanying proof-of-concept demonstrating a vulnerability or path of exploitation\n- Dangling IPs\n- Clickjacking\n- Subdomain takeovers\n- Any zero-day vulnerability disclosed within the last 30 days\n- Vulnerabilities identified in Freshworks acquired products / services\n- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors)\n- Reports on third-party products, services, or applications not owned by Freshworks\n- **Ability to create support tickets using known email IDs (this is our product's intended behaviour)**\n- **All Mobile Apps (Android and iOS) related vulnerabilities are explicitly out-of-scope**.\n\n\n\n## Any findings that do not show an impact to the user or product will not be accepted.\nWe will only recognize the first reporter of a valid vulnerability; duplicates will not be considered. Also, the same vulnerability occurring in multiple areas across the same or different products will be considered one vulnerability.\n\n# Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring System). Please note these are general guidelines, and reward decisions are at the discretion of Freshworks.\nYou are responsible for paying any taxes associated with the reward. Submissions from countries where we are prohibited by law from making payments, such as those on the [US Sanction Lists](https://ofac.treasury.gov/sanctions-programs-and-country-information), are ineligible for rewards.\n\n# Reward Assessment Guidelines\n\nThere are some situations in which no bounty or only a minimum bonus will be awarded. Here are a few of the most common examples:\n\n**1. Same vulnerability on different paths or hosts:**\n\nIf you believe a vulnerability may exist on a different (unique) path or host, please submit all affected paths and hosts in the same report. 
If you subsequently report the same vulnerability on a different path/host in a new submission, that report will be treated as a duplicate. \n\n**2. Same payload/issue, different parameter / functionality:**\nFor example, multiple reports of the same vulnerability across different parameters of a resource/functionality, or demonstrations of multiple attack vectors against a single feature/functionality, will be treated as duplicates. We kindly ask you to consolidate reports rather than separate them.\n\n# In Scope\n\n- [Yourdomain].freshdesk.com\n- [Yourdomain].freshservice.com  \nNote: The Orchestration Center module in Freshservice is out of scope.\n- [Yourdomain].freshchat.com\n- [Yourdomain].freshcaller.com\n- [Yourdomain].myfreshworks.com\n\n**If you are unsure about a domain, email us at \"bughunt[at] freshworks.com\" before spending time on it. Any findings apart from the specified scope will be considered non-qualifying.**\n\n\n# Test Plan\n\n## Automated scanning is strictly prohibited. Failure to comply might get you banned from the program.\n\nTo participate in our program, you must:\n* Create a trial account using your HackerOne email alias\n\u003chackerone-username\u003e@wearehackerone.com\n* Provide your IP address in the bug report. We will keep this data private and only use it to review logs related to your testing activity.\n\nInclude a custom HTTP header in all your traffic. Burp and other proxies make it easy to add a header to all outbound requests automatically.\n\n| Identifier | Format                          | Example                       |\n|------------|---------------------------------|--------------------------------|\n| Username   | X-Bug-Bounty:HackerOne-\u003cusername\u003e | X-Bug-Bounty:HackerOne-Warrior |\n\n\nWhen testing for a bug, please also keep in mind:\nMinimize the mayhem. Adhere to program rules at all times. 
Do not use automated scanners/tools: these tools include payloads that could trigger state changes or damage production systems and/or data.\n\n\n# Go to the links below to start a free trial of the Freshworks suite of products\n- Freshdesk Omnichannel Suite - https://freshdesk.com/omnichannel-signup \n- Freshdesk Support Desk - https://freshdesk.com/signup\n- Freshdesk Contact Center - https://www.freshworks.com/freshcaller-cloud-pbx/signup/ \n- Freshchat - https://www.freshworks.com/live-chat-software/signup/\n- Freshservice - https://freshservice.com/signup \n- Freshsales Suite - https://www.freshworks.com/crm/signup/?plan_id=suite \n- Freshsales - https://www.freshworks.com/crm/signup \n- Freshmarketer - https://www.freshworks.com/crm/marketing/signup/ \n\n# Our Business Suites Overview:\nThis section describes our product suites and their respective user roles. Vulnerabilities related to access control will be assessed against these roles, and issues affecting \"Cross Accounts / Organization\" access will take precedence.\n\n**Customer Service Products - Freshdesk / Freshchat / Freshcaller**\n\nUsers of these suites are classified as _Requestors_ and _Agents_, where _Requestors_ are public users and _Agents_ are support executives/employees of an organization. \n\nVulnerabilities that a Requestor can use against Agent users will be considered more impactful than those that only involve Agents within the same organization.\n\n**IT Service Products - Freshservice\nCRM Products - Freshsales / Freshmarketer**\n\nThese products are classified as _Internal_ applications within an organisation, so their users are likely to be employees of that organization. Successful exploitation of any vulnerability therefore requires the attacker to already be part of the organisation / internal system.\n\n\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Freshworks and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-12-03T13:56:19.998Z"},{"id":3705489,"new_policy":"# Latest Updates - Freshworks Microblog\n*In this microblog we will keep you updated on the latest changes/ additions to our bounty program. For a detailed scope, please see the bottom of our policy page.*\n\n**20 April 2023** - We added our business suites overview\n\n**15 March 2023** - Updates in the Policy Page\n- Vulnerability Severity Range\n- Reward Assessment Guidelines\n\n**27 October 2022** - We have added Product Updates / Feature Releases Page for products covered under program scope.\n    - [Freshdesk Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshdesk%20Support%20Desk)\n    - [Freshservice Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshservice )\n    - [Freshchat Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshchat)\n    - [Freshcaller Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshdesk%20Contact%20Center)\n    - [Freshmarketer Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshmarketer)\n    - [Freshsales Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshsales)\n\n\n# Freshworks Bug Bounty Program\nFreshworks is committed to 
the protection of customer data and treats it with the highest priority. We genuinely value the contribution of security researchers in supporting organizations to better their security posture. Thus, we encourage them to participate in the Freshworks Bug Bounty program and support us in our objective to provide a secure computing experience to our customers.\nHappy hacking!\n\n# Response Targets\n\nIf you identify a security vulnerability in compliance with this policy, we will use reasonable efforts to:\n- Acknowledge the report within 2 days of submission\n- Triage the reported vulnerability based on the volume of tickets within a maximum period of 7 business days\n- Fix the vulnerability in accordance with our commitments to security and privacy.\n- Time to Resolution depends on severity and complexity\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Guidelines\n\n* Do not attempt to compromise the confidentiality, integrity, and availability of our services/customer data or circumvent our privacy protections.\n* Do not publicly disclose a bug either before or after it has been fixed. For clarity, public disclosure means disclosure to anyone, even including but not limited to private \"Hacker\" websites and forums, social media platforms, blogs, or any other type of public disclosure.\n* Do not upload information about the vulnerability on any site. This includes your restriction to upload posts, videos on YouTube, Vimeo, Twitter, etc., even if marked private.\n* Do not attempt to gain access to customer accounts or data.\n* Do not run automated scanners.\n* Do not perform any attack that could harm the reliability/integrity of our services or data. 
\n* DDoS/spam attacks are not allowed.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* Freshworks' current and former employees and contractors, as well as their family members, are strictly prohibited from participating in the Program, or from sharing information with an external security researcher to bypass this prohibition.\n* No breaching of any NDA, employee, customer or contractor agreements.\n* Leveraging customer accounts, interacting with real customers, or testing customers' public websites is forbidden.\n* Do not store, share, compromise or destroy any Freshworks or customer data while conducting research activities. If personally identifiable information (PII) is encountered, you are required to stop and immediately notify us.\n* Use specific test accounts only.\n\n# Disclosure Policy\n• Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program. \n• Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Reporting\n\nPlease submit your report on HackerOne in the format below. Do not disclose any details about the suspected security vulnerability in any public forum without prior written consent from us. 
Any report that deviates from the format below will not be eligible for our bug bounty program:\n\n* Vulnerability category\n* Affected endpoint and parameter\n* A detailed description of the vulnerability\n* Detailed steps to reproduce and a video PoC\n* Exploitable scenario\n* Mitigation of the vulnerability\n\n\n# Non-Qualifying Vulnerabilities / Known Issues\n- HTML injection, Self-XSS \u0026 XSS without demonstrable impact\n- Host header and banner grabbing issues\n- Automated tool scan reports (e.g. web, SSL/TLS or Nmap scan results)\n- Missing HTTP security headers and cookie flags on insensitive cookies\n- Rate limiting, brute force attacks\n- Login/logout CSRF\n- Session related issues\n- Email Spoofing\n- Unrestricted file upload\n- Open redirections\n- Formula/CSV Injection\n- Broken Link Hijacking\n- Vulnerabilities that require physical access to the victim machine\n- User enumeration (user email, user ID, etc.)\n- Phishing / Spam (including issues related to SPF/DKIM/DMARC)\n- Missing email best practices (Invalid, incomplete, or missing SPF/DKIM/DMARC records, etc.)\n- Vulnerabilities found in third-party services\n- EXIF data not stripped on images\n- Any activity that could lead to the disruption of our service (DoS)\n- Ability to retrieve a user's public information\n- Tabnabbing\n- CSP Weaknesses\n- Use of a known-vulnerable library (without evidence of exploitability)\n- Information Exposure from Public Sources\n- Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n- Password Token Not Expired / Password Token Leaking to 3rd-party Sites / Weak Password Policy / Password best practices\n- No password length limit or long password accepted upon sign-up / Password Re-Use\n- Concurrent Sessions / Number of Parallel Sessions\n- Best-practice concerns\n- Any vulnerabilities requiring significant and unlikely interaction by the victim, such as disabling browser 
controls\n- Exposed login panels without an accompanying proof-of-concept demonstrating a vulnerability or path of exploitation\n- Dangling IPs\n- Clickjacking\n- Subdomain takeovers\n- Any zero-day vulnerability disclosed within the last 30 days\n- Vulnerabilities identified in Freshworks acquired products / services\n- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors)\n- Reports on third-party products, services, or applications not owned by Freshworks\n- **Ability to create support tickets using known email IDs (this is our product's intended behaviour)**\n- **All Mobile Apps (Android and iOS) related vulnerabilities are explicitly out-of-scope**.\n\n\n\n## Any findings that do not show an impact to the user or product will not be accepted.\nWe will only recognize the first reporter of a valid vulnerability; duplicates will not be considered. Also, the same vulnerability occurring in multiple areas across the same or different products will be considered one vulnerability.\n\n# Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring System). Please note these are general guidelines, and reward decisions are at the discretion of Freshworks.\nYou are responsible for paying any taxes associated with the reward. Submissions from countries where we are prohibited by law from making payments, such as those on the [US Sanction Lists](https://ofac.treasury.gov/sanctions-programs-and-country-information), are ineligible for rewards.\n\n# Reward Assessment Guidelines\n\nThere are some situations in which no bounty or only a minimum bonus will be awarded. Here are a few of the most common examples:\n\n**1. Same vulnerability on different paths or hosts:**\n\nIf you believe a vulnerability may exist on a different (unique) path or host, please submit all affected paths and hosts in the same report. 
If you subsequently report the same vulnerability on a different path/host in a new submission, that report will be treated as a duplicate. \n\n**2. Same payload/issue, different parameter / functionality:**\nFor example, multiple reports of the same vulnerability across different parameters of a resource/functionality, or demonstrations of multiple attack vectors against a single feature/functionality, will be treated as duplicates. We kindly ask you to consolidate reports rather than separate them.\n\n# In Scope\n\n- [Yourdomain].freshdesk.com\n- [Yourdomain].freshservice.com  \nNote: The Orchestration Center module in Freshservice is out of scope.\n- [Yourdomain].freshchat.com\n- [Yourdomain].freshcaller.com\n- [Yourdomain].myfreshworks.com/crm/\n\n\n**If you are unsure about a domain, email us at \"bughunt[at] freshworks.com\" before spending time on it. Any findings apart from the specified scope will be considered non-qualifying.**\n\n\n# Test Plan\n\n## Automated scanning is strictly prohibited. Failure to comply might get you banned from the program.\n\nTo participate in our program, you must:\n* Create a trial account using your HackerOne email alias\n\u003chackerone-username\u003e@wearehackerone.com\n* Provide your IP address in the bug report. We will keep this data private and only use it to review logs related to your testing activity.\n\nInclude a custom HTTP header in all your traffic. Burp and other proxies make it easy to add a header to all outbound requests automatically.\n\n| Identifier | Format                          | Example                       |\n|------------|---------------------------------|--------------------------------|\n| Username   | X-Bug-Bounty:HackerOne-\u003cusername\u003e | X-Bug-Bounty:HackerOne-Warrior |\n\n\nWhen testing for a bug, please also keep in mind:\nMinimize the mayhem. Adhere to program rules at all times. 
Do not use automated scanners/tools: these tools include payloads that could trigger state changes or damage production systems and/or data.\n\n\n# Go to the links below to start a free trial of the Freshworks suite of products\n- Freshdesk Omnichannel Suite - https://freshdesk.com/omnichannel-signup \n- Freshdesk Support Desk - https://freshdesk.com/signup\n- Freshdesk Contact Center - https://www.freshworks.com/freshcaller-cloud-pbx/signup/ \n- Freshchat - https://www.freshworks.com/live-chat-software/signup/\n- Freshservice - https://freshservice.com/signup \n- Freshsales Suite - https://www.freshworks.com/crm/signup/?plan_id=suite \n- Freshsales - https://www.freshworks.com/crm/signup \n- Freshmarketer - https://www.freshworks.com/crm/marketing/signup/ \n\n# Our Business Suites Overview:\nThis section describes our product suites and their respective user roles. Vulnerabilities related to access control will be assessed against these roles, and issues affecting \"Cross Accounts / Organization\" access will take precedence.\n\n**Customer Service Products - Freshdesk / Freshchat / Freshcaller**\n\nUsers of these suites are classified as _Requestors_ and _Agents_, where _Requestors_ are public users and _Agents_ are support executives/employees of an organization. \n\nVulnerabilities that a Requestor can use against Agent users will be considered more impactful than those that only involve Agents within the same organization.\n\n**IT Service Products - Freshservice\nCRM Products - Freshsales / Freshmarketer**\n\nThese products are classified as _Internal_ applications within an organisation, so their users are likely to be employees of that organization. Successful exploitation of any vulnerability therefore requires the attacker to already be part of the organisation / internal system.\n\n\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Freshworks and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-10-20T06:26:42.754Z"},{"id":3698412,"new_policy":"# Latest Updates - Freshworks Microblog\n*In this microblog we will keep you updated on the latest changes/ additions to our bounty program. For a detailed scope, please see the bottom of our policy page.*\n\n**20 April 2023** - We added our business suites overview\n\n**15 March 2023** - Updates in the Policy Page\n- Vulnerability Severity Range\n- Reward Assessment Guidelines\n\n**27 October 2022** - We have added Product Updates / Feature Releases Page for products covered under program scope.\n    - [Freshdesk Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshdesk%20Support%20Desk)\n    - [Freshservice Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshservice )\n    - [Freshchat Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshchat)\n    - [Freshcaller Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshdesk%20Contact%20Center)\n    - [Freshmarketer Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshmarketer)\n    - [Freshsales Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshsales)\n\n\n# Freshworks Bug Bounty Program\nFreshworks is committed to 
the protection of customer data and treats it with the highest priority. We genuinely value the contribution of security researchers in supporting organizations to better their security posture. Thus, we encourage them to participate in the Freshworks Bug Bounty program and support us in our objective to provide a secure computing experience to our customers.\nHappy hacking!\n\n# Response Targets\n\nIf you identify a security vulnerability in compliance with this policy, we will use reasonable efforts to:\n- Acknowledge the report within 2 days of submission\n- Triage the reported vulnerability based on the volume of tickets within a maximum period of 7 business days\n- Fix the vulnerability in accordance with our commitments to security and privacy.\n- Time to Resolution depends on severity and complexity\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Guidelines\n\n* Do not attempt to compromise the confidentiality, integrity, and availability of our services/customer data or circumvent our privacy protections.\n* Do not publicly disclose a bug either before or after it has been fixed. For clarity, public disclosure means disclosure to anyone, even including but not limited to private \"Hacker\" websites and forums, social media platforms, blogs, or any other type of public disclosure.\n* Do not upload information about the vulnerability on any site. This includes your restriction to upload posts, videos on YouTube, Vimeo, Twitter, etc., even if marked private.\n* Do not attempt to gain access to customer accounts or data.\n* Do not run automated scanners.\n* Do not perform any attack that could harm the reliability/integrity of our services or data. 
\n* DDoS/spam attacks are not allowed.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* Freshworks current and former employees and contractors, as well as their family members, are strictly prohibited from participating in the Program, or sharing information with an external security researcher to bypass this prohibition.\n* No breaching of any NDA, employee, customer or contractor agreements.\n* No leveraging of customer accounts, interacting with real customers or customer’s public websites is forbidden\n* Do not store, share, compromise or destroy any Freshworks or customer data while conducting research activities. If personally identifiable information (PII) is encountered, you are required to stop and immediately notify us.\n* Use specific test accounts only.\n\n# Disclosure Policy\n• Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program. \n• Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Reporting\n\nPlease submit your report in the below-mentioned format in Hackerone. Do not disclose any details about the suspected security vulnerability in any public forum without prior written consent from us. 
Any deviation from the below format will not be eligible for our bug bounty program:\n\n* Vulnerability category\n* Affected endpoint and parameter\n* A detailed description of the vulnerability\n* Detailed steps to reproduce and video POC\n* Exploitable scenario \n* Mitigation of vulnerability\n\n\n# Non-Qualifying Criteria Vulnerabilities / Known Issues\n- Html injection, Self-XSS \u0026 XSS that doesn't make any impact\n- Host header and banner grabbing issues\n- Automated tool scan reports.Example: Web, SSL/TLS scan, Nmap scan results, etc.,\n- Missing HTTP security headers and cookie flags on insensitive cookies\n- Rate limiting, brute force attack\n- Login/logout CSRF\n- Session related issues\n- Email Spoofing\n- Unrestricted file upload\n- Open redirections\n- Formula/CSV Injection\n- Broken Link Highjacking\n- Vulnerabilities that require physical access to the victim machine.\n- User enumeration such as User email, User ID, etc.,\n- Phishing / Spam (including issues related to SPF/DKIM/DMARC) Missing email best practices (Invalid, incomplete, or missing SPF/DKIM/DMARC records, etc.)\n- Vulnerabilities found in third-party services\n- EXIF data not stripped on images\n- Any activity that could lead to the disruption of our service (DoS)\n- Able to retrieve user's public information\n- Tabnabbing\n- CSP Weaknesses\n- Use of a known-vulnerable library (without evidence of exploitability)\n- Information Exposure from Public Sources\n- Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n- Password Token Not Expired / Password Token Leaking to 3rd party Sites / Weak Password Policy / Password best practices\n- No password length or Long Password Upon Sign-up / Password Re-Use\n- Concurrent Sessions / Number of  Parallel Sessions\n- Best practices concerns\n- Any vulnerabilities requiring significant and unlikely interaction by the victim, such as disabling browser 
controls\n- Exposed login panels without an accompanying proof-of-concept demonstrating a vulnerability or path of exploitation\n- Dangling IPs\n- Clickjacking \n- Subdomain takeovers \n- Any Zero Day vulnerabilities disclosed within the last 30 days.\n- Vulnerabilities identified in Freshworks Acquired Products / Services\n- Software version disclosure / Banner identification issues / Descriptive error messages or headers (Eg. stack traces, application or server errors).\n- Reports on third-party products, services, or applications not owned by Freshworks\n- ** Able to create Support Tickets using their known email-id's (This is our products intended behaviour) ** \n- **All Mobile Apps (Android and iOS) related vulnerabilities are explicitly out-of-scope**.\n\n\n\n## Any findings that do not show an impact to the user or product will not be accepted.\nWe will only recognize the first reporter of a valid vulnerability and duplicates will not be considered. Also, the same vulnerability that occurs in multiple areas across the same/different product will be considered as one vulnerability.\n\n# Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are up to the discretion of Freshworks.\n\n# Reward Assessment Guidelines\n\nThere may be some situations that arise for which no bounty or a minimum bonus will be awarded. Here are a few of the most common examples:\n\n**1.Same vulnerability, on different paths or hosts:**\n\nIf you believe a vulnerability may exist on a different (unique) path or host, please submit all affected paths and hosts in the same report. However, if you subsequently identify the same vulnerability on a different path/host on a new report submission, such reports will be treated as a duplicate. 
\n\n**2.Same Payload/Issue, Different Parameter / Functionality**\nFor example, multiple reports of the same vulnerability across different parameters of a resource/ functionality, or demonstrations of multiple attack vectors against a single feature/functionality will be treated as duplicated. We kindly ask you to consolidate reports rather than separate them.\n\n# In Scope\n\n- [Yourdomain].freshdesk.com\n- [yourdomain].freshservice.com  \nNote: Orchestration Center module in Freshservice is out of scope.\n- [Yourdomain].freshchat.com\n- [Yourdomain].freshcaller.com\n- [Yourdomain].myfreshworks.com/crm/\n\n\n**If you are unsure about a domain, email us at \"bughunt[at] freshworks.com\" before spending time on it. Any findings apart from the specified scope will be considered as a non-qualifying bug.**\n\n\n# Test Plan\n\n##Automated Scanning is strictly Prohibited. Failing might get you banned from the program.\n\nTo participate in our program, you must \n* Create a trial account using your Hackerone email alias\n\u003chackerone-username\u003e@wearehackerone.com\n* Provide your IP address in the bug report. We will keep this data private and only use it to review logs related to your testing activity.\n\nInclude a custom HTTP header in all your traffic. Burp and other proxies allow the easy automatic addition of headers to all outbound requests.\n\n| Identifier | Format                          | Example                       |\n|------------|---------------------------------|--------------------------------|\n| Username   | X-Bug-Bounty:HackerOne-\u003cusername\u003e | X-Bug-Bounty:HackerOne-Warrior |\n\n\nWhen testing for a bug, please also keep in mind:\nMinimize the mayhem. Adhere to program rules at all times. 
Do not use automated scanners/tools - these tools include payloads that could trigger state changes or damage production systems and/or data.\n\n\n# Go to the below links below to start a free trial for Freshworks Suite of Products\n- Freshdesk Omnichannel Suite - https://freshdesk.com/omnichannel-signup \n- Freshdesk Support Desk - https://freshdesk.com/signup\n- Freshdesk Contact Center - https://www.freshworks.com/freshcaller-cloud-pbx/signup/ \n- Freshchat - https://www.freshworks.com/live-chat-software/signup/\n- Freshservice - https://freshservice.com/signup \n- Freshsales Suite - https://www.freshworks.com/crm/signup/?plan_id=suite \n- Freshsales - https://www.freshworks.com/crm/signup \n- Freshmarketer - https://www.freshworks.com/crm/marketing/signup/ \n\n# Our Business Suites Overview:\nThis section describes Product Suites and information about respective user roles. Vulnerabilities related to Access Control will be treated based on this behaviour and issues affecting \"Cross Accounts / Organization\" will be our precedence.\n\n**Customer Service Products - Freshdesk / Freschat / Freshcaller **\n\nUsers of these suites are classified as _Requestors_ and _Agents_, where _Requestors_ are public users and _Agents_ are Support executives/employees of an organization. \n\nVulnerabilities affecting  Agent users from a requestor viewpoint will be considered Impactful compared to the ones involving Agents within.\n\n**IT Service Products - Freshservice\nCRM Products - Freshsales / Freshmarketer**\n\nThese products are classified as an _Internal_ application within the organisation. Hence, this product's Users are likely to be considered  Employees of an organization. So successful exploitation of any vulnerability requires an attacker to be part of the organisation / internal system.\n\n\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Freshworks and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-07-18T06:32:48.815Z"},{"id":3690363,"new_policy":"# Latest Updates - Freshworks Microblog\n*In this microblog we will keep you updated on the latest changes/ additions to our bounty program. For a detailed scope, please see the bottom of our policy page.*\n\n**20 April 2023** - We added our business suites overview\n\n**15 March 2023** - Updates in the Policy Page\n- Vulnerability Severity Range\n- Reward Assessment Guidelines\n\n**27 October 2022** - We have added Product Updates / Feature Releases Page for products covered under program scope.\n    - [Freshdesk Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshdesk%20Support%20Desk)\n    - [Freshservice Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshservice )\n    - [Freshchat Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshchat)\n    - [Freshcaller Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshdesk%20Contact%20Center)\n    - [Freshmarketer Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshmarketer)\n    - [Freshsales Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshsales)\n\n\n# Freshworks Bug Bounty Program\nFreshworks is committed to 
the protection of customer data and treats it with the highest priority. We genuinely value the contribution of security researchers in supporting organizations to better their security posture. Thus, we encourage them to participate in the Freshworks Bug Bounty program and support us in our objective to provide a secure computing experience to our customers.\nHappy hacking!\n\n# Response Targets\n\nIf you identify a security vulnerability in compliance with this policy, we will use reasonable efforts to:\n- Acknowledge the report within 2 days of submission\n- Triage the reported vulnerability based on the volume of tickets within a maximum period of 7 business days\n- Fix the vulnerability in accordance with our commitments to security and privacy.\n- Time to Resolution depends on severity and complexity\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Guidelines\n\n* Do not attempt to compromise the confidentiality, integrity, and availability of our services/customer data or circumvent our privacy protections.\n* Do not publicly disclose a bug either before or after it has been fixed. For clarity, public disclosure means disclosure to anyone, even including but not limited to private \"Hacker\" websites and forums, social media platforms, blogs, or any other type of public disclosure.\n* Do not upload information about the vulnerability on any site. This includes your restriction to upload posts, videos on YouTube, Vimeo, Twitter, etc., even if marked private.\n* Do not attempt to gain access to customer accounts or data.\n* Do not run automated scanners.\n* Do not perform any attack that could harm the reliability/integrity of our services or data. 
\n* DDoS/spam attacks are not allowed.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* Freshworks current and former employees and contractors, as well as their family members, are strictly prohibited from participating in the Program, or sharing information with an external security researcher to bypass this prohibition.\n* No breaching of any NDA, employee, customer or contractor agreements.\n* No leveraging of customer accounts, interacting with real customers or customer’s public websites is forbidden\n* Do not store, share, compromise or destroy any Freshworks or customer data while conducting research activities. If personally identifiable information (PII) is encountered, you are required to stop and immediately notify us.\n* Use specific test accounts only.\n\n# Disclosure Policy\n• Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program. \n• Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Reporting\n\nPlease submit your report in the below-mentioned format in Hackerone. Do not disclose any details about the suspected security vulnerability in any public forum without prior written consent from us. 
Any deviation from the below format will not be eligible for our bug bounty program:\n\n* Vulnerability category\n* Affected endpoint and parameter\n* A detailed description of the vulnerability\n* Detailed steps to reproduce and video POC\n* Exploitable scenario \n* Mitigation of vulnerability\n\n\n# Non-Qualifying Criteria Vulnerabilities / Known Issues\n- Html injection, Self-XSS \u0026 XSS that doesn't make any impact\n- Host header and banner grabbing issues\n- Automated tool scan reports.Example: Web, SSL/TLS scan, Nmap scan results, etc.,\n- Missing HTTP security headers and cookie flags on insensitive cookies\n- Rate limiting, brute force attack\n- Login/logout CSRF\n- Session related issues\n- Email Spoofing\n- Unrestricted file upload\n- Open redirections\n- Formula/CSV Injection\n- Broken Link Highjacking\n- Vulnerabilities that require physical access to the victim machine.\n- User enumeration such as User email, User ID, etc.,\n- Phishing / Spam (including issues related to SPF/DKIM/DMARC) Missing email best practices (Invalid, incomplete, or missing SPF/DKIM/DMARC records, etc.)\n- Vulnerabilities found in third-party services\n- EXIF data not stripped on images\n- Any activity that could lead to the disruption of our service (DoS)\n- Able to retrieve user's public information\n- Tabnabbing\n- CSP Weaknesses\n- Use of a known-vulnerable library (without evidence of exploitability)\n- Information Exposure from Public Sources\n- Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n- Password Token Not Expired / Password Token Leaking to 3rd party Sites / Weak Password Policy / Password best practices\n- No password length or Long Password Upon Sign-up / Password Re-Use\n- Concurrent Sessions / Number of  Parallel Sessions\n- Best practices concerns\n- Any vulnerabilities requiring significant and unlikely interaction by the victim, such as disabling browser 
controls\n- Exposed login panels without an accompanying proof-of-concept demonstrating a vulnerability or path of exploitation\n- Dangling IPs\n- Clickjacking \n- Subdomain takeovers \n- Any Zero Day vulnerabilities disclosed within the last 30 days.\n- Vulnerabilities identified in Freshworks Acquired Products / Services\n- Software version disclosure / Banner identification issues / Descriptive error messages or headers (Eg. stack traces, application or server errors).\n- Reports on third-party products, services, or applications not owned by Freshworks\n- **All Mobile Apps (Android and iOS) related vulnerabilities are explicitly out-of-scope**.\n\n\n\n## Any findings that do not show an impact to the user or product will not be accepted.\nWe will only recognize the first reporter of a valid vulnerability and duplicates will not be considered. Also, the same vulnerability that occurs in multiple areas across the same/different product will be considered as one vulnerability.\n\n# Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are up to the discretion of Freshworks.\n\n# Reward Assessment Guidelines\n\nThere may be some situations that arise for which no bounty or a minimum bonus will be awarded. Here are a few of the most common examples:\n\n**1.Same vulnerability, on different paths or hosts:**\n\nIf you believe a vulnerability may exist on a different (unique) path or host, please submit all affected paths and hosts in the same report. However, if you subsequently identify the same vulnerability on a different path/host on a new report submission, such reports will be treated as a duplicate. 
\n\n**2.Same Payload/Issue, Different Parameter / Functionality**\nFor example, multiple reports of the same vulnerability across different parameters of a resource/ functionality, or demonstrations of multiple attack vectors against a single feature/functionality will be treated as duplicated. We kindly ask you to consolidate reports rather than separate them.\n\n# In Scope\n\n- [Yourdomain].freshdesk.com\n- [yourdomain].freshservice.com  \nNote: Orchestration Center module in Freshservice is out of scope.\n- [Yourdomain].freshchat.com\n- [Yourdomain].freshcaller.com\n- [Yourdomain].myfreshworks.com/crm/\n\n\n**If you are unsure about a domain, email us at \"bughunt[at] freshworks.com\" before spending time on it. Any findings apart from the specified scope will be considered as a non-qualifying bug.**\n\n\n# Test Plan\n\n##Automated Scanning is strictly Prohibited. Failing might get you banned from the program.\n\nTo participate in our program, you must \n* Create a trial account using your Hackerone email alias\n\u003chackerone-username\u003e@wearehackerone.com\n* Provide your IP address in the bug report. We will keep this data private and only use it to review logs related to your testing activity.\n\nInclude a custom HTTP header in all your traffic. Burp and other proxies allow the easy automatic addition of headers to all outbound requests.\n\n| Identifier | Format                          | Example                       |\n|------------|---------------------------------|--------------------------------|\n| Username   | X-Bug-Bounty:HackerOne-\u003cusername\u003e | X-Bug-Bounty:HackerOne-Warrior |\n\n\nWhen testing for a bug, please also keep in mind:\nMinimize the mayhem. Adhere to program rules at all times. 
Do not use automated scanners/tools - these tools include payloads that could trigger state changes or damage production systems and/or data.\n\n\n# Go to the below links below to start a free trial for Freshworks Suite of Products\n- Freshdesk Omnichannel Suite - https://freshdesk.com/omnichannel-signup \n- Freshdesk Support Desk - https://freshdesk.com/signup\n- Freshdesk Contact Center - https://www.freshworks.com/freshcaller-cloud-pbx/signup/ \n- Freshchat - https://www.freshworks.com/live-chat-software/signup/\n- Freshservice - https://freshservice.com/signup \n- Freshsales Suite - https://www.freshworks.com/crm/signup/?plan_id=suite \n- Freshsales - https://www.freshworks.com/crm/signup \n- Freshmarketer - https://www.freshworks.com/crm/marketing/signup/ \n\n# Our Business Suites Overview:\nThis section describes Product Suites and information about respective user roles. Vulnerabilities related to Access Control will be treated based on this behaviour and issues affecting \"Cross Accounts / Organization\" will be our precedence.\n\n**Customer Service Products - Freshdesk / Freschat / Freshcaller **\n\nUsers of these suites are classified as _Requestors_ and _Agents_, where _Requestors_ are public users and _Agents_ are Support executives/employees of an organization. \n\nVulnerabilities affecting  Agent users from a requestor viewpoint will be considered Impactful compared to the ones involving Agents within.\n\n**IT Service Products - Freshservice\nCRM Products - Freshsales / Freshmarketer**\n\nThese products are classified as an _Internal_ application within the organisation. Hence, this product's Users are likely to be considered  Employees of an organization. So successful exploitation of any vulnerability requires an attacker to be part of the organisation / internal system.\n\n\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Freshworks and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-07-05T06:46:17.095Z"},{"id":3689246,"new_policy":"# Latest Updates - Freshworks Microblog\n*In this microblog we will keep you updated on the latest changes/ additions to our bounty program. For a detailed scope, please see the bottom of our policy page.*\n\n**20 April 2023** - We added our business suites overview\n\n**15 March 2023** - Updates in the Policy Page\n- Vulnerability Severity Range\n- Reward Assessment Guidelines\n\n**27 October 2022** - We have added Product Updates / Feature Releases Page for products covered under program scope.\n    - [Freshdesk Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshdesk%20Support%20Desk)\n    - [Freshservice Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshservice )\n    - [Freshchat Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshchat)\n    - [Freshcaller Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshdesk%20Contact%20Center)\n    - [Freshmarketer Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshmarketer)\n    - [Freshsales Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshsales)\n\n\n# Freshworks Bug Bounty Program\nFreshworks is committed to 
the protection of customer data and treats it with the highest priority. We genuinely value the contribution of security researchers in supporting organizations to better their security posture. Thus, we encourage them to participate in the Freshworks Bug Bounty program and support us in our objective to provide a secure computing experience to our customers.\nHappy hacking!\n\n# Response Targets\n\nIf you identify a security vulnerability in compliance with this policy, we will use reasonable efforts to:\n- Acknowledge the report within 2 days of submission\n- Triage the reported vulnerability based on the volume of tickets within a maximum period of 7 business days\n- Fix the vulnerability in accordance with our commitments to security and privacy.\n- Time to Resolution depends on severity and complexity\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Guidelines\n\n* Do not attempt to compromise the confidentiality, integrity, and availability of our services/customer data or circumvent our privacy protections.\n* Do not publicly disclose a bug either before or after it has been fixed. For clarity, public disclosure means disclosure to anyone, even including but not limited to private \"Hacker\" websites and forums, social media platforms, blogs, or any other type of public disclosure.\n* Do not upload information about the vulnerability on any site. This includes your restriction to upload posts, videos on YouTube, Vimeo, Twitter, etc., even if marked private.\n* Do not attempt to gain access to customer accounts or data.\n* Do not run automated scanners.\n* Do not perform any attack that could harm the reliability/integrity of our services or data. 
\n* DDoS/spam attacks are not allowed.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* Freshworks current and former employees and contractors, as well as their family members, are strictly prohibited from participating in the Program, or sharing information with an external security researcher to bypass this prohibition.\n* No breaching of any NDA, employee, customer or contractor agreements.\n* No leveraging of customer accounts, interacting with real customers or customer’s public websites is forbidden\n* Do not store, share, compromise or destroy any Freshworks or customer data while conducting research activities. If personally identifiable information (PII) is encountered, you are required to stop and immediately notify us.\n* Use specific test accounts only.\n\n# Disclosure Policy\n• Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program. \n• Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Reporting\n\nPlease submit your report in the below-mentioned format in Hackerone. Do not disclose any details about the suspected security vulnerability in any public forum without prior written consent from us. 
Any deviation from the below format will not be eligible for our bug bounty program:\n\n* Vulnerability category\n* Affected endpoint and parameter\n* A detailed description of the vulnerability\n* Detailed steps to reproduce and video POC\n* Exploitable scenario \n* Mitigation of vulnerability\n\n\n# Non-Qualifying Criteria Vulnerabilities / Known Issues\n- Html injection, Self-XSS \u0026 XSS that doesn't make any impact\n- Host header and banner grabbing issues\n- Automated tool scan reports.Example: Web, SSL/TLS scan, Nmap scan results, etc.,\n- Missing HTTP security headers and cookie flags on insensitive cookies\n- Rate limiting, brute force attack\n- Login/logout CSRF\n- Session related issues\n- Email Spoofing\n- Unrestricted file upload\n- Open redirections\n- Formula/CSV Injection\n- Broken Link Highjacking\n- Vulnerabilities that require physical access to the victim machine.\n- User enumeration such as User email, User ID, etc.,\n- Phishing / Spam (including issues related to SPF/DKIM/DMARC) Missing email best practices (Invalid, incomplete, or missing SPF/DKIM/DMARC records, etc.)\n- Vulnerabilities found in third-party services\n- EXIF data not stripped on images\n- Any activity that could lead to the disruption of our service (DoS)\n- Able to retrieve user's public information\n- Tabnabbing\n- CSP Weaknesses\n- Use of a known-vulnerable library (without evidence of exploitability)\n- Information Exposure from Public Sources\n- Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n- Password Token Not Expired / Password Token Leaking to 3rd party Sites / Weak Password Policy / Password best practices\n- No password length or Long Password Upon Sign-up / Password Re-Use\n- Concurrent Sessions / Number of  Parallel Sessions\n- Best practices concerns\n- Any vulnerabilities requiring significant and unlikely interaction by the victim, such as disabling browser 
controls\n- Exposed login panels without an accompanying proof-of-concept demonstrating a vulnerability or path of exploitation\n- Dangling IPs\n- Clickjacking \n- Subdomain takeovers \n- Any Zero Day vulnerabilities disclosed within the last 30 days.\n- Vulnerabilities identified in Freshworks Acquired Products / Services\n- Software version disclosure / Banner identification issues / Descriptive error messages or headers (Eg. stack traces, application or server errors).\n- Reports on third-party products, services, or applications not owned by Freshworks\n- **All Mobile Apps (Android and iOS) related vulnerabilities are explicitly out-of-scope**.\n\n\n\n## Any findings that do not show an impact to the user or product will not be accepted.\nWe will only recognize the first reporter of a valid vulnerability and duplicates will not be considered. Also, the same vulnerability that occurs in multiple areas across the same/different product will be considered as one vulnerability.\n\n# Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are up to the discretion of Freshworks.\n\n# Reward Assessment Guidelines\n\nThere may be some situations that arise for which no bounty or a minimum bonus will be awarded. Here are a few of the most common examples:\n\n**1.Same vulnerability, on different paths or hosts:**\n\nIf you believe a vulnerability may exist on a different (unique) path or host, please submit all affected paths and hosts in the same report. However, if you subsequently identify the same vulnerability on a different path/host on a new report submission, such reports will be treated as a duplicate. 
\n\n**2.Same Payload/Issue, Different Parameter / Functionality**\nFor example, multiple reports of the same vulnerability across different parameters of a resource/ functionality, or demonstrations of multiple attack vectors against a single feature/functionality will be treated as duplicated. We kindly ask you to consolidate reports rather than separate them.\n\n# In Scope\n\n- [Yourdomain].freshdesk.com\n- [yourdomain].freshservice.com  \nNote: Orchestration Center module in Freshservice is out of scope.\n- [Yourdomain].freshchat.com\n- [Yourdomain].freshcaller.com\n- [Yourdomain].myfreshworks.com/crm/\n\n\n**If you are unsure about a domain, email us at \"bughunt[at] freshworks.com\" before spending time on it. Any findings apart from the specified scope will be considered as a non-qualifying bug.**\n\n\n# Test Plan / Accounts\n\nTo participate in our program, you must \n* Create a trial account using your Hackerone email alias\n\u003chackerone-username\u003e@wearehackerone.com\n\n# Go to the below links below to start a free trial for Freshworks Suite of Products\n- Freshdesk Omnichannel Suite - https://freshdesk.com/omnichannel-signup \n- Freshdesk Support Desk - https://freshdesk.com/signup\n- Freshdesk Contact Center - https://www.freshworks.com/freshcaller-cloud-pbx/signup/ \n- Freshchat - https://www.freshworks.com/live-chat-software/signup/\n- Freshservice - https://freshservice.com/signup \n- Freshsales Suite - https://www.freshworks.com/crm/signup/?plan_id=suite \n- Freshsales - https://www.freshworks.com/crm/signup \n- Freshmarketer - https://www.freshworks.com/crm/marketing/signup/ \n\n# Our Business Suites Overview:\nThis section describes Product Suites and information about respective user roles. 
Vulnerabilities related to Access Control will be treated based on this behaviour and issues affecting \"Cross Accounts / Organization\" will be our precedence.\n\n**Customer Service Products - Freshdesk / Freschat / Freshcaller **\n\nUsers of these suites are classified as _Requestors_ and _Agents_, where _Requestors_ are public users and _Agents_ are Support executives/employees of an organization. \n\nVulnerabilities affecting  Agent users from a requestor viewpoint will be considered Impactful compared to the ones involving Agents within.\n\n**IT Service Products - Freshservice\nCRM Products - Freshsales / Freshmarketer**\n\nThese products are classified as an _Internal_ application within the organisation. Hence, this product's Users are likely to be considered  Employees of an organization. So successful exploitation of any vulnerability requires an attacker to be part of the organisation / internal system.\n\n\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Freshworks and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-06-13T06:00:04.787Z"},{"id":3689243,"new_policy":"# Latest Updates - Freshworks Microblog\n*In this microblog we will keep you updated on the latest changes/ additions to our bounty program. 
For a detailed scope, please see the bottom of our policy page.*\n\n**20 April 2023** - We added our business suites overview\n\n**15 March 2023** - Updates in the Policy Page\n- Vulnerability Severity Range\n- Reward Assessment Guidelines\n\n**27 October 2022** - We have added the Product Updates / Feature Releases pages for products covered under the program scope.\n    - [Freshdesk Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshdesk%20Support%20Desk)\n    - [Freshservice Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshservice)\n    - [Freshchat Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshchat)\n    - [Freshcaller Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshdesk%20Contact%20Center)\n    - [Freshmarketer Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshmarketer)\n    - [Freshsales Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshsales)\n\n\n# Freshworks Bug Bounty Program\nFreshworks is committed to the protection of customer data and treats it with the highest priority. We genuinely value the contribution of security researchers in helping organizations improve their security posture. 
Thus, we encourage them to participate in the Freshworks Bug Bounty program and support us in our objective to provide a secure computing experience to our customers.\nHappy hacking!\n\n# Response Targets\n\nIf you identify a security vulnerability in compliance with this policy, we will use reasonable efforts to:\n- Acknowledge the report within 2 days of submission\n- Triage the reported vulnerability within a maximum of 7 business days, depending on ticket volume\n- Fix the vulnerability in accordance with our commitments to security and privacy\n- Resolve the issue in a time frame that depends on its severity and complexity\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Guidelines\n\n* Do not attempt to compromise the confidentiality, integrity, and availability of our services/customer data or circumvent our privacy protections.\n* Do not publicly disclose a bug either before or after it has been fixed. For clarity, public disclosure means disclosure to anyone, including but not limited to private \"hacker\" websites and forums, social media platforms, blogs, or any other type of public disclosure.\n* Do not upload information about the vulnerability to any site. This includes posts and videos on YouTube, Vimeo, Twitter, etc., even if marked private.\n* Do not attempt to gain access to customer accounts or data.\n* Do not run automated scanners.\n* Do not perform any attack that could harm the reliability/integrity of our services or data. 
\n* DDoS/spam attacks are not allowed.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* Freshworks current and former employees and contractors, as well as their family members, are strictly prohibited from participating in the Program, or sharing information with an external security researcher to bypass this prohibition.\n* No breaching of any NDA, employee, customer or contractor agreements.\n* Leveraging customer accounts, interacting with real customers, or interacting with customers’ public websites is forbidden.\n* Do not store, share, compromise or destroy any Freshworks or customer data while conducting research activities. If personally identifiable information (PII) is encountered, you are required to stop and immediately notify us.\n* Use specific test accounts only.\n\n# Disclosure Policy\n• Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program.\n• Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Reporting\n\nPlease submit your report on HackerOne in the format given below. Do not disclose any details about the suspected security vulnerability in any public forum without prior written consent from us. 
Any deviation from the below format will not be eligible for our bug bounty program:\n\n* Vulnerability category\n* Affected endpoint and parameter\n* A detailed description of the vulnerability\n* Detailed steps to reproduce and video POC\n* Exploitable scenario\n* Mitigation of vulnerability\n\n\n# Non-Qualifying Criteria Vulnerabilities / Known Issues\n- HTML injection, self-XSS \u0026 XSS without demonstrable impact\n- Host header and banner grabbing issues\n- Automated tool scan reports. Example: web, SSL/TLS scan, Nmap scan results, etc.\n- Missing HTTP security headers and cookie flags on insensitive cookies\n- Rate limiting, brute force attacks\n- Login/logout CSRF\n- Session-related issues\n- Email spoofing\n- Unrestricted file upload\n- Open redirections\n- Formula/CSV injection\n- Broken link hijacking\n- Vulnerabilities that require physical access to the victim machine\n- User enumeration (user email, user ID, etc.)\n- Phishing / spam, and missing email best practices (invalid, incomplete, or missing SPF/DKIM/DMARC records, etc.)\n- Vulnerabilities found in third-party services\n- EXIF data not stripped on images\n- Any activity that could lead to the disruption of our service (DoS)\n- Ability to retrieve a user's public information\n- Tabnabbing\n- CSP weaknesses\n- Use of a known-vulnerable library (without evidence of exploitability)\n- Information exposure from public sources\n- Vulnerabilities only affecting users of outdated or unpatched browsers [less than 2 stable versions behind the latest released stable version]\n- Password token not expired / password token leaking to 3rd-party sites / weak password policy / password best practices\n- No password length or long password upon sign-up / password re-use\n- Concurrent sessions / number of parallel sessions\n- Best practices concerns\n- Any vulnerabilities requiring significant and unlikely interaction by the victim, such as disabling browser 
controls\n- Exposed login panels without an accompanying proof-of-concept demonstrating a vulnerability or path of exploitation\n- Dangling IPs\n- Clickjacking\n- Subdomain takeovers\n- Any zero-day vulnerabilities disclosed within the last 30 days\n- Vulnerabilities identified in Freshworks acquired products / services\n- Reports on third-party products, services, or applications not owned by Freshworks\n- **All Mobile Apps (Android and iOS) related vulnerabilities are explicitly out-of-scope**.\n\n\n\n## Any findings that do not show an impact to the user or product will not be accepted.\nWe will only recognize the first reporter of a valid vulnerability; duplicates will not be considered. Also, the same vulnerability occurring in multiple areas across the same or different products will be considered as one vulnerability.\n\n# Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring System). Please note these are general guidelines, and reward decisions are up to the discretion of Freshworks.\n\n# Reward Assessment Guidelines\n\nThere may be some situations for which no bounty or only a minimum bonus will be awarded. Here are a few of the most common examples:\n\n**1. Same vulnerability on different paths or hosts:**\n\nIf you believe a vulnerability may exist on a different (unique) path or host, please submit all affected paths and hosts in the same report. If you subsequently report the same vulnerability on a different path/host in a new submission, that report will be treated as a duplicate.\n\n**2. Same payload/issue, different parameter or functionality**\nFor example, multiple reports of the same vulnerability across different parameters of a resource or functionality, or demonstrations of multiple attack vectors against a single feature, will be treated as duplicates. 
We kindly ask you to consolidate such findings into one report rather than submitting them separately.\n\n# In Scope\n\n- [yourdomain].freshdesk.com\n- [yourdomain].freshservice.com  \nNote: The Orchestration Center module in Freshservice is out of scope.\n- [yourdomain].freshchat.com\n- [yourdomain].freshcaller.com\n- [yourdomain].myfreshworks.com/crm/\n\n\n**If you are unsure about a domain, email us at \"bughunt[at] freshworks.com\" before spending time on it. Any findings outside the specified scope will be treated as non-qualifying.**\n\n\n# Test Plan / Accounts\n\nTo participate in our program, you must\n* Create a trial account using your HackerOne email alias\n\u003chackerone-username\u003e@wearehackerone.com\n\n# Use the links below to start a free trial of the Freshworks suite of products\n- Freshdesk Omnichannel Suite - https://freshdesk.com/omnichannel-signup\n- Freshdesk Support Desk - https://freshdesk.com/signup\n- Freshdesk Contact Center - https://www.freshworks.com/freshcaller-cloud-pbx/signup/\n- Freshchat - https://www.freshworks.com/live-chat-software/signup/\n- Freshservice - https://freshservice.com/signup\n- Freshsales Suite - https://www.freshworks.com/crm/signup/?plan_id=suite\n- Freshsales - https://www.freshworks.com/crm/signup\n- Freshmarketer - https://www.freshworks.com/crm/marketing/signup/\n\n# Our Business Suites Overview:\nThis section describes our product suites and the user roles within each. Access control vulnerabilities will be assessed against these roles, and issues that cross account or organization boundaries (\"Cross Accounts / Organization\") will take precedence.\n\n**Customer Service Products - Freshdesk / Freshchat / Freshcaller**\n\nUsers of these suites are classified as _Requestors_ and _Agents_, where _Requestors_ are public users and _Agents_ are support executives/employees of an organization.
\n\nVulnerabilities that affect Agent users from the Requestor's side will be considered more impactful than those confined to Agents within the organization.\n\n**IT Service Products - Freshservice\nCRM Products - Freshsales / Freshmarketer**\n\nThese products are classified as _Internal_ applications within an organization, so their users are expected to be employees of that organization. Successful exploitation of any vulnerability therefore requires the attacker to already be part of the organization or its internal systems.\n\n\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Freshworks and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-06-13T02:11:46.272Z"},{"id":3689182,"new_policy":"# Latest Updates - Freshworks Microblog\n*In this microblog we will keep you updated on the latest changes/additions to our bounty program. 
For a detailed scope, please see the bottom of our policy page.*\n\n**20 April 2023** - We added our business suites overview\n\n**15 March 2023** - Updates in the Policy Page\n- Vulnerability Severity Range\n- Reward Assessment Guidelines\n\n**27 October 2022** - We have added the Product Updates / Feature Releases pages for products covered under the program scope.\n    - [Freshdesk Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshdesk%20Support%20Desk)\n    - [Freshservice Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshservice)\n    - [Freshchat Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshchat)\n    - [Freshcaller Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshdesk%20Contact%20Center)\n    - [Freshmarketer Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshmarketer)\n    - [Freshsales Release Notes](https://community.freshworks.com/product-updates?filters%5BproductArea%5D%5B0%5D=Freshsales)\n\n\n# Freshworks Bug Bounty Program\nFreshworks is committed to the protection of customer data and treats it with the highest priority. We genuinely value the contribution of security researchers in helping organizations improve their security posture. 
Thus, we encourage them to participate in the Freshworks Bug Bounty program and support us in our objective to provide a secure computing experience to our customers.\nHappy hacking!\n\n# Response Targets\n\nIf you identify a security vulnerability in compliance with this policy, we will use reasonable efforts to:\n- Acknowledge the report within 2 days of submission\n- Triage the reported vulnerability within a maximum of 7 business days, depending on ticket volume\n- Fix the vulnerability in accordance with our commitments to security and privacy\n- Resolve the issue in a time frame that depends on its severity and complexity\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Guidelines\n\n* Do not attempt to compromise the confidentiality, integrity, and availability of our services/customer data or circumvent our privacy protections.\n* Do not publicly disclose a bug either before or after it has been fixed. For clarity, public disclosure means disclosure to anyone, including but not limited to private \"hacker\" websites and forums, social media platforms, blogs, or any other type of public disclosure.\n* Do not upload information about the vulnerability to any site. This includes posts and videos on YouTube, Vimeo, Twitter, etc., even if marked private.\n* Do not attempt to gain access to customer accounts or data.\n* Do not run automated scanners.\n* Do not perform any attack that could harm the reliability/integrity of our services or data. 
\n* DDoS/spam attacks are not allowed.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* Freshworks current and former employees and contractors, as well as their family members, are strictly prohibited from participating in the Program, or sharing information with an external security researcher to bypass this prohibition.\n* No breaching of any NDA, employee, customer or contractor agreements.\n* Leveraging customer accounts, interacting with real customers, or interacting with customers’ public websites is forbidden.\n* Do not store, share, compromise or destroy any Freshworks or customer data while conducting research activities. If personally identifiable information (PII) is encountered, you are required to stop and immediately notify us.\n* Use specific test accounts only.\n\n# Disclosure Policy\n• Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program.\n• Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Reporting\n\nPlease submit your report on HackerOne in the format given below. Do not disclose any details about the suspected security vulnerability in any public forum without prior written consent from us. 
Any deviation from the below format will not be eligible for our bug bounty program:\n\n* Vulnerability category\n* Affected endpoint and parameter\n* A detailed description of the vulnerability\n* Detailed steps to reproduce and video POC\n* Exploitable scenario\n* Mitigation of vulnerability\n\n\n# Non-Qualifying Criteria Vulnerabilities / Known Issues\n- HTML injection, self-XSS \u0026 XSS without demonstrable impact\n- Host header and banner grabbing issues\n- Automated tool scan reports. Example: web, SSL/TLS scan, Nmap scan results, etc.\n- Missing HTTP security headers and cookie flags on insensitive cookies\n- Rate limiting, brute force attacks\n- Login/logout CSRF\n- Session-related issues\n- Email spoofing\n- Unrestricted file upload\n- Open redirections\n- Formula/CSV injection\n- Broken link hijacking\n- Vulnerabilities that require physical access to the victim machine\n- User enumeration (user email, user ID, etc.)\n- Phishing / spam, and missing email best practices (invalid, incomplete, or missing SPF/DKIM/DMARC records, etc.)\n- Vulnerabilities found in third-party services\n- EXIF data not stripped on images\n- Any activity that could lead to the disruption of our service (DoS)\n- Ability to retrieve a user's public information\n- Tabnabbing\n- CSP weaknesses\n- Use of a known-vulnerable library (without evidence of exploitability)\n- Information exposure from public sources\n- Vulnerabilities only affecting users of outdated or unpatched browsers [less than 2 stable versions behind the latest released stable version]\n- Password token not expired / password token leaking to 3rd-party sites\n- No password length or long password upon sign-up / password re-use\n- Concurrent sessions / number of parallel sessions\n- Best practices concerns\n- Any vulnerabilities requiring significant and unlikely interaction by the victim, such as disabling browser controls\n- Exposed login panels without an 
accompanying proof-of-concept demonstrating a vulnerability or path of exploitation\n- Dangling IPs\n- Clickjacking\n- Subdomain takeovers\n- Any zero-day vulnerabilities disclosed within the last 30 days\n- Vulnerabilities identified in Freshworks acquired products / services\n- Reports on third-party products, services, or applications not owned by Freshworks\n- **All Mobile Apps (Android and iOS) related vulnerabilities are explicitly out-of-scope**.\n\n\n\n## Any findings that do not show an impact to the user or product will not be accepted.\nWe will only recognize the first reporter of a valid vulnerability; duplicates will not be considered. Also, the same vulnerability occurring in multiple areas across the same or different products will be considered as one vulnerability.\n\n# Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring System). Please note these are general guidelines, and reward decisions are up to the discretion of Freshworks.\n\n# Reward Assessment Guidelines\n\nThere may be some situations for which no bounty or only a minimum bonus will be awarded. Here are a few of the most common examples:\n\n**1. Same vulnerability on different paths or hosts:**\n\nIf you believe a vulnerability may exist on a different (unique) path or host, please submit all affected paths and hosts in the same report. If you subsequently report the same vulnerability on a different path/host in a new submission, that report will be treated as a duplicate.\n\n**2. Same payload/issue, different parameter or functionality**\nFor example, multiple reports of the same vulnerability across different parameters of a resource or functionality, or demonstrations of multiple attack vectors against a single feature, will be treated as duplicates. 
We kindly ask you to consolidate such findings into one report rather than submitting them separately.\n\n# In Scope\n\n- [yourdomain].freshdesk.com\n- [yourdomain].freshservice.com  \nNote: The Orchestration Center module in Freshservice is out of scope.\n- [yourdomain].freshchat.com\n- [yourdomain].freshcaller.com\n- [yourdomain].myfreshworks.com/crm/\n\n\n**If you are unsure about a domain, email us at \"bughunt[at] freshworks.com\" before spending time on it. Any findings outside the specified scope will be treated as non-qualifying.**\n\n\n# Test Plan / Accounts\n\nTo participate in our program, you must\n* Create a trial account using your HackerOne email alias\n\u003chackerone-username\u003e@wearehackerone.com\n\n# Use the links below to start a free trial of the Freshworks suite of products\n- Freshdesk Omnichannel Suite - https://freshdesk.com/omnichannel-signup\n- Freshdesk Support Desk - https://freshdesk.com/signup\n- Freshdesk Contact Center - https://www.freshworks.com/freshcaller-cloud-pbx/signup/\n- Freshchat - https://www.freshworks.com/live-chat-software/signup/\n- Freshservice - https://freshservice.com/signup\n- Freshsales Suite - https://www.freshworks.com/crm/signup/?plan_id=suite\n- Freshsales - https://www.freshworks.com/crm/signup\n- Freshmarketer - https://www.freshworks.com/crm/marketing/signup/\n\n# Our Business Suites Overview:\nThis section describes our product suites and the user roles within each. Access control vulnerabilities will be assessed against these roles, and issues that cross account or organization boundaries (\"Cross Accounts / Organization\") will take precedence.\n\n**Customer Service Products - Freshdesk / Freshchat / Freshcaller**\n\nUsers of these suites are classified as _Requestors_ and _Agents_, where _Requestors_ are public users and _Agents_ are support executives/employees of an organization.
\n\nVulnerabilities that affect Agent users from the Requestor's side will be considered more impactful than those confined to Agents within the organization.\n\n**IT Service Products - Freshservice\nCRM Products - Freshsales / Freshmarketer**\n\nThese products are classified as _Internal_ applications within an organization, so their users are expected to be employees of that organization. Successful exploitation of any vulnerability therefore requires the attacker to already be part of the organization or its internal systems.\n\n\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Freshworks and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-06-12T10:41:55.039Z"}]