[{"id":3755507,"new_policy":"# Instructions for creating a HubSpot trial portal:\n- Anyone may create a trial portal by navigating to: https://offers.hubspot.com/free-trial. When signing up, please use your @WEAREHACKERONE.COM email address.\n- All available functionality may be tested with the exception of email sends to email addresses you do not own. Please note, sending phishing attacks or spam from a portal will be grounds for permanent disqualification.\n- With a trial account, it is possible to create an API key to send API requests. Follow [these instructions](https://developers.hubspot.com/docs/guides/apps/authentication/intro-to-auth) for creating an API key. API requests should fall within these [API usage guidelines](https://developers.hubspot.com/docs/guides/apps/api-usage/usage-details).\n- Information about HubSpot APIs, including example requests, is available at: https://developers.hubspot.com/docs/api/overview\n\n## Beta Features:\nWe encourage researchers to test and submit any bugs or vulnerabilities you may identify within beta features. To learn more about opting your account into beta features, check out our KB reference [here](https://knowledge.hubspot.com/account-management/opt-your-hubspot-account-into-a-public-beta-feature).\n\n---\n# Special Reward and Bonus (CTF Challenge)\nWe created a portal with 1 contact record in the CRM. The record has 2 properties (`firstname` and a custom sensitive property called `super_secret`) that contain flags you need to obtain for this capture the flag challenge. Your task is to find permission-related vulnerabilities to bypass access controls (without any social engineering, user interaction, or brute-forcing) and read the `firstname` flag for a $15,000 USD special reward. 
Optionally, you may attempt to obtain the second `super_secret` flag for an additional $5,000 USD bonus, for a total of $20,000 USD potential reward.\n\nThe target domain for this challenge is `app.hubspot.com` and the target portal ID is `46962361`. **DO NOT attempt to access other portals you don’t own.** In order to be awarded the bounty, you must:\n1. Provide the property name and value of the flag(s) obtained. For example: firstname = \u003ccontact’s first name\u003e, super_secret = \u003ccontact’s super secret info\u003e\n2. Provide detailed reproduction steps so we can successfully validate the finding.\n3. Email your submission ID to the email address specified in the contact record’s `email` property with the subject `HubSpot CTF Challenge`.\n\nThe first valid submission will be awarded the special reward. At that time, the CTF challenge will be paused while we remediate the finding and improve our defenses. Once done, we will modify the flags, make an announcement that we’re resuming the challenge, and update our bounty brief to indicate that the CTF is open again.\n\n**_The standard HubSpot bug bounty program rules apply. Please take the time to read the entire bounty brief before attempting this challenge._**\n**_HubSpot reserves the right to stop the CTF challenge, special reward, and bonus at any time without prior notice and reason._**\n\n---\n\n# Focus Areas\n## Authentication flows\nWe highly encourage researchers to test various authentication flows including but not limited to:\n- Signup (with email, Google, Apple, Microsoft)\n- Login (with email, SSO, Google, Apple, Microsoft)\n- MFA\n- Account recovery / password reset\n- OAuth\n\nResearchers should approach these areas with a creative and critical mindset, exploring potential vulnerabilities that may lead to user account takeover and/or unauthorized access of data. 
Our goal is to ensure that our authentication mechanisms not only comply with industry standards but also demonstrate strong resilience against emerging threats and sophisticated attack techniques.\n\n## High impact findings\nOverall, we are most interested in critical vulnerabilities that allow access to customer CRM records and sensitive (PHI and PII) data, HubSpot’s corporate data, and our internal network. We highly encourage researchers to look for:\n- Vulnerabilities (like cross-site scripting) that may lead to user account takeover\n- Cross-portal data leakage and access; i.e. if you are authenticated and authorized to access portal A, you should not be able to read/modify data in portal B, unless you have also been authorized to that portal\n- Server-side code execution vulnerabilities\n- Sensitive data exposure\n\n# Ratings and Rewards\nFor the initial prioritization/rating of findings, this program will use the [Common Vulnerability Scoring System (CVSS)](https://www.hackerone.com/vulnerability-management/what-common-vulnerability-scoring-system-cvss). However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood and impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher.\n\nTo maximize your reward and minimize the payout time frame, please make sure to include the following in your report:\n- An attack scenario: Provides context and demonstrates how the vulnerability can be exploited in real-world conditions.\n- Clear reproduction steps: Helps ensure that the vulnerability can be consistently and reliably demonstrated.\n- Recommended fix: Speeds up the mitigation process and reduces the time that the system remains exposed. 
Providing a practical solution also showcases the researcher’s understanding of the issue which enhances the credibility of the report.\n\n---\n# Important Notice:\nParticipating community members agree that they have appropriate rights for HubSpot to use Community Member Data as contemplated in this Program Policy and such use of Community Member Data by HubSpot will not infringe, misappropriate, or violate a third party's intellectual property rights, or rights of publicity or privacy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-05-13T16:52:20.731Z"}]