
Privacy and Security:

Responsible Disclosure of Security Vulnerabilities

FreshBooks is committed to the privacy, safety and security of our customers.

FreshBooks aims to keep its service safe for everyone, and data security is of the utmost priority. If you are a security researcher and have discovered a security vulnerability in our product, website, or service, we appreciate your help in disclosing it to us in a responsible manner.

If you are a current customer

If you feel your account may have been compromised, or if you suspect fraudulent behavior, do not hesitate to contact our support team. Your issue will be investigated immediately and thoroughly.

If you are a security researcher or have discovered a vulnerability

Reporting Issues

If you think you’ve found a security vulnerability in FreshBooks, contact us immediately via security@freshbooks.com.

Please read the policy and program rules before reporting anything.

Policy

We will investigate all legitimate reports and make every effort to quickly correct any vulnerability. We ask in return that you:

  • Provide details of the vulnerability, including information needed to reproduce and validate the vulnerability and a Proof of Concept (POC)
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services
  • Do not modify or access data that does not belong to you
  • Give FreshBooks a reasonable time to correct the issue before making any information public
  • Note that FreshBooks does not offer rewards for security issues

Program Rules

  • When experimenting, please only attack test accounts you control. A PoC that unnecessarily involves the accounts of other end users or FreshBooks employees may be disqualified. It’s also good practice to tell us which accounts you are using for testing, even when they are under your control.
  • Do not run automated scans without checking with us first.
  • Do not test the physical security of FreshBooks offices, employees, equipment, etc.
  • Do not test using social engineering techniques (phishing, spear-phishing, pretexting, etc.)
  • Do not perform DoS or DDoS attacks. You are welcome and encouraged to look for vulnerabilities that could be leveraged for DoS or DDoS attacks; we just don’t want you actually exploiting the issue outside of a tightly controlled environment.
  • Do not, in any way, attack our end users or engage in the trade of stolen user credentials.
  • Only the first reporter of a given issue is eligible for our Hall of Fame

In Scope & Out of Scope Targets

All parts of our applications and services available to customers are in scope and are our primary interest.

Please see the list of in-scope targets below.

Note: Please check the WHOIS record before submitting any issue on a domain found by a subdomain scanner, to confirm it actually belongs to FreshBooks.

FreshBooks uses a number of third-party providers and services. Our bug bounty program does not give you permission to perform security testing on their systems. Vulnerabilities in third-party systems will be assessed case-by-case, and most likely will not be eligible for a reward.

In Scope

Type     Target                              Severity
Domain   https://my.freshbooks.com           Critical
Domain   https://www.staging.freshenv.com    High
API      https://api.freshbooks.com          Critical

Hall of Fame

FreshBooks thanks the following Internet Security Superstars for their vigilance keeping the online world a safer place:
