Privacy and Security:
Responsible Disclosure of Security Vulnerabilities
FreshBooks is committed to the privacy, safety and security of our customers.
FreshBooks aims to keep its service safe for everyone, and data security is of the utmost priority. If you are a security researcher and have discovered a security vulnerability in our product, website, or service, we appreciate your help in disclosing it to us in a responsible manner.
If you are a current customer
If you feel your account may have been compromised, or if you suspect fraudulent behavior, do not hesitate to contact our support team. Your issue will be investigated immediately and thoroughly.
If you are a security researcher or have discovered a vulnerability
Reporting Issues
If you think you’ve found a security vulnerability in FreshBooks, contact us immediately via security@freshbooks.com
Please read the policy and program rules before reporting anything.
Policy
We will investigate all legitimate reports and make every effort to quickly correct any vulnerability. We ask in return that you:
- Provide details of the vulnerability, including information needed to reproduce and validate the vulnerability and a Proof of Concept (POC)
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services
- Do not modify or access data that does not belong to you
- Give FreshBooks a reasonable time to correct the issue before making any information public
- FreshBooks does not reward for security issues
Program Rules
- When experimenting, please only attack test accounts you control. A PoC unnecessarily involving accounts of other end users or FreshBooks employee may be disqualified. It’s also good practice to tell us the accounts you are using for testing even when they are under your control.
- Do not run automated scans without checking with us first.
- Do not test the physical security of FreshBooks offices, employees, equipment, etc.
- Do not test using social engineering techniques (phishing, spear-phishing, pretexting, etc.)
- Do not perform DoS or DDoS attacks. You are welcome and encouraged to look for vulnerabilities that can be leveraged for DoS or DDoS attacks, we just don’t want you actually exploiting the issue outside of a tightly controlled environment.
- Do not, in any way, attack our end users or engage in the trade of stolen user credentials.
- Only the first reporter is eligible for getting into our Hall of Fame
In Scope & Out of Scope Targets
All parts of our applications and services available to customers are in scope and are our primary interest.
Please have a look below for in scope targets.
Note: Please do check whois record before you submit any issues on domains found from Subdomain Scanners.
FreshBooks uses a number of third-party providers and services. Our bug bounty program does not give you permission to perform security testing on their systems. Vulnerabilities in third-party systems will be assessed case-by-case, and most likely will not be eligible for a reward.
In Scope
Domain | https://my.freshbooks.com | Critical |
---|---|---|
Domain | https://www.staging.freshenv.com | High |
API | https://api.freshbooks.com | Critical |
Hall of Fame
FreshBooks thanks the following Internet Security Superstars for their vigilance keeping the online world a safer place:
- Neil Anderson
- [J Gamble]
- Shubham Gupta
- Madhu Akula
- Apoorv Joshi @apo143u
- Vinay Jagtap
- Kiran Karnad
- Nitin Goplani, AirWatch by VMware
- Koutrouss Naddara
- Sriram (Sri H@xor!)
- Mohammed Fayez Albanna
- Osman Surkatty
- Mohamed Abdelbaset Elnoby
- Mohammad Naveed
- Shahmeer Amir
- Indrajith.AN
- Roberto Zanga
- Pradeep Kumar
- Siddharth Sharma
- Jay Patel
- Sumit Sahoo
- Muhammad Zeeshan
- Vikas khanna, hackerDesk
- Gurjant Singh Sadhra, hackerDesk
- Ali Tabish
- Arbin Godar
- Joel Melegritom
- Akash Saxena
- Jubaer Al Nazi
- Mehmet Nurcan
- Kenan GÜMÜŞ
- Noman Shaikh
- Mansoor Gilal
- Mohammed Kaja Nawaz L J
- Ajay Kulal
- Saheen Shoukat
- Amal Jacob
- Mounikesh
- Chacko K Abraham
- Somdev Sangwan
- Md. Sabuktagin
- Kapil Soni (Haxinos) from Xowia Technologies
- Mehul Patil
- Pethuraj M
- Chintan
- Saif Ali
- Birju Barot
- Abdul Haq Khokhar
- Sanket Dave
- Suru Santhosh
- Pradipta Das
- Abhijeet Sarkar
- Shubham Garg
- Sahil Mehra
- Dhruva Ghai
- Shekhar Sarvaiya
- Ashu Kambojz
- Prafull Pansare
- Bijan Murmu
- Stas Kravchenko
- Vismit Sudhir Rakhecha(Druk)
- Ninad Mathpati
- Shivam Kamboj Dattana
- Mohammed Ilyaz
- Amit Kumar
- Aditya Arora
- Pritesh Narendrabhai Mistry
- Sumit Jain
- Manish Kumar Pathak
- Karthikeyan Subramaniyan
- Hritik Sharma
- Nicolas Goralski
- Sameer Phad
- Chetan R Tiwari
- Parag Gupta
- Abdelhak Kherroubi
- Nitin Bangera
- Rahul Sharma, BreachLock Inc.
- Prince
- Harsh Joshi
- Vlad Zuev, Minsk
- Shuvo Ahmed
- Avnish Kumar
- Prasad Panchbhai
- Ratnadip Gajbhiye
- Eric Finlay – @InfoSecP4nda
- Naveen Kumar
- Karthikeyan T
- Vishwash Chavda
- Samprit Das
- Akash.r.b