Privacy and Security:
Responsible Disclosure of Security Vulnerabilities
FreshBooks is committed to the privacy, safety and security of our customers.
FreshBooks aims to keep its service safe for everyone, and data security is of the utmost priority. If you are a security researcher and have discovered a security vulnerability in our product, website, or service, we appreciate your help in disclosing it to us in a responsible manner.
If you are a current customer
If you feel your account may have been compromised, or if you suspect fraudulent behavior, do not hesitate to contact our support team. Your issue will be investigated immediately and thoroughly.
If you are a security researcher or have discovered a vulnerability
Reporting Issues
If you think you’ve found a security vulnerability in FreshBooks, contact us immediately via security@freshbooks.com (PGP Key).
PGP Key ID: 0x1D3189FA
PGP Fingerprint: F95D 04F1 1B91 6B90 F4E5 BB6B B7A0 DA75 1D31 89FA
Please read the policy and program rules before reporting anything.
Policy
We will investigate all legitimate reports and make every effort to quickly correct any vulnerability. We ask in return that you:
- Provide details of the vulnerability, including information needed to reproduce and validate the vulnerability and a Proof of Concept (POC)
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services
- Do not modify or access data that does not belong to you
- Give FreshBooks a reasonable time to correct the issue before making any information public
- FreshBooks does not reward for security issues
Program Rules
- When experimenting, please only attack test accounts you control. A PoC unnecessarily involving accounts of other end users or FreshBooks employee may be disqualified. It’s also good practice to tell us the accounts you are using for testing even when they are under your control.
- Do not run automated scans without checking with us first.
- Do not test the physical security of FreshBooks offices, employees, equipment, etc.
- Do not test using social engineering techniques (phishing, spear-phishing, pretexting, etc.)
- Do not perform DoS or DDoS attacks. You are welcome and encouraged to look for vulnerabilities that can be leveraged for DoS or DDoS attacks, we just don’t want you actually exploiting the issue outside of a tightly controlled environment.
- Do not, in any way, attack our end users or engage in the trade of stolen user credentials.
- Only the first reporter is eligible for getting into our Hall of Fame
In Scope & Out of Scope Targets
All parts of our applications and services available to customers are in scope and are our primary interest.
Please have a look below for in scope targets.
Note: Please do check whois record before you submit any issues on domains found from Subdomain Scanners.
FreshBooks uses a number of third-party providers and services. Our bug bounty program does not give you permission to perform security testing on their systems. Vulnerabilities in third-party systems will be assessed case-by-case, and most likely will not be eligible for a reward. The following third-party systems are excluded:
- Direct attacks against any part of Google’s infrastructure
- Plaid
- Yodlee
- PayPal
- WePay
- Zendesk
- AWS
- Fastly
Non-qualifying Vulnerabilities
Low severity, purely theoretical and best-practice issues do not qualify for submission. Here are some examples:
- Descriptive error messages (e.g. Stack Traces, application or server errors)
- Theoretical sub-domain takeovers with no supporting evidence
- HTTP 404 codes/pages or other HTTP non-200 codes/pages
- Information leakage, fingerprinting / banner disclosure on common/public services
- Disclosure of known public files or directories, (e.g. robots.txt)
- Clickjacking on a public page and issues only exploitable through clickjacking
- CSRF on forms that are available to anonymous users (e.g. the contact form)
- Logout Cross-Site Request Forgery (logout CSRF)
- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality
- Lack of Secure/HTTPOnly flags on non-sensitive Cookies
- Weak Captcha / Captcha Bypass
- Forgot Password page brute force and account lockout not enforced
- OPTIONS HTTP method enabled
- Reflected file downloads
- Missing Cache-control
- Host Header Attack
- Directory Listing
- Missing HTTP security headers, (specifically OWASP list of useful HTTP headers)
- SSL Issues (BEAST, BREACH, Renegotiation attack, Forward secrecy not enabled, weak ciphers)
- Not performing rate limiting on non-login endpoints
- Content spoofing
- HPKP / HSTS preloading
- Generic examples of Host header attacks without evidence of the ability to target a remote victim
- Reports exploiting the behavior of, or vulnerabilities in, outdated browsers
- SPF, DKIM, or DMARC settings & Email Spoofing
- Mixed Content Scripting & Self XSS
- EXIF Geolocation data
- Open WordPress JSON API without an exploit
- Password Reset token leakage (This is known and we will implement a fix)
- Password policy
In Scope
Domain | https://my.freshbooks.com | Critical |
---|---|---|
Domain | https://www.freshbooks.com | High |
API | https://api.freshbooks.com | Critical |
Hall of Fame
FreshBooks thanks the following Internet Security Superstars for their vigilance keeping the online world a safer place:
- Neil Anderson
- [J Gamble]
- Shubham Gupta
- Madhu Akula
- Apoorv Joshi @apo143u
- Vinay Jagtap
- Kiran Karnad
- Nitin Goplani, AirWatch by VMware
- Koutrouss Naddara
- Sriram (Sri H@xor!)
- Mohammed Fayez Albanna
- Osman Surkatty
- Mohamed Abdelbaset Elnoby
- Mohammad Naveed
- Shahmeer Amir
- Indrajith.AN
- Roberto Zanga
- Pradeep Kumar
- Siddharth Sharma
- Jay Patel
- Sumit Sahoo
- Muhammad Zeeshan
- Vikas khanna, hackerDesk
- Gurjant Singh Sadhra, hackerDesk
- Ali Tabish
- Arbin Godar
- Joel Melegritom
- Akash Saxena
- Jubaer Al Nazi
- Mehmet Nurcan
- Kenan GÜMÜŞ
- Noman Shaikh
- Mansoor Gilal
- Mohammed Kaja Nawaz L J
- Ajay Kulal
- Saheen Shoukat
- Amal Jacob
- Mounikesh
- Chacko K Abraham
- Somdev Sangwan
- Md. Sabuktagin
- Kapil Soni (Haxinos) from Xowia Technologies
- Mehul Patil
- Pethuraj M
- Chintan
- Saif Ali
- Birju Barot
- Abdul Haq Khokhar
- Sanket Dave
- Suru Santhosh
- Pradipta Das
- Abhijeet Sarkar
- Shubham Garg
- Sahil Mehra
- Dhruva Ghai
- Shekhar Sarvaiya
- Ashu Kambojz
- Prafull Pansare
- Bijan Murmu
- Stas Kravchenko
- Vismit Sudhir Rakhecha(Druk)
- Ninad Mathpati
- Shivam Kamboj Dattana
- Mohammed Ilyaz
- Amit Kumar
- Aditya Arora
- Pritesh Narendrabhai Mistry
- Sumit Jain
- Manish Kumar Pathak
- Karthikeyan Subramaniyan
- Hritik Sharma
- Nicolas Goralski
- Sameer Phad
- Chetan R Tiwari
- Parag Gupta
- Abdelhak Kherroubi
- Nitin Bangera
- Rahul Sharma, BreachLock Inc.
- Prince
- Harsh Joshi
- Vlad Zuev, Minsk
- Shuvo Ahmed
- Avnish Kumar
- Prasad Panchbhai
- Ratnadip Gajbhiye
- Eric Finlay – @InfoSecP4nda
- Naveen Kumar
- Karthikeyan T
- Vishwash Chavda
- Samprit Das
- Akash.r.b