Freshworks understands that protection of customer data is a significant responsibility and requires the highest priority. We genuinely value the assistance of security researchers and any others in the security community to assist in keeping our systems secure. The responsible disclosure of security vulnerabilities helps us ensure the security and privacy of all our users.
Reach out to email@example.com, if you have found any potential vulnerability in our products meeting the criteria mentioned in the policy below.
You can expect an acknowledgment from our security team in about 24 hours of submission.
Freshworks will define the severity of the issue based on the impact and the ease of exploitation.
We may take 3 to 5 days to validate the reported issue.
Actions will be initiated to fix the vulnerability in accordance with our commitment to security and privacy. We will notify you when the issue is fixed
When conducting security testing, should not violate our privacy policies, modify/delete unauthenticated user data, disrupt production servers, or to degrade user experience.
Perform research only within the scope set out below;
Use the identified communication channel, viz., firstname.lastname@example.org to report the vulnerability information to us; Documenting or publishing the vulnerability details in public domain is against our responsible disclosure policy; and
Keep information about any vulnerability confidential until the issue is resolved
Please provide the following details on the report
Description and potential impact of the vulnerability;
A detailed description of the steps required to reproduce the vulnerability; and,
Where available, a video POC.
Remote code execution (RCE)
SQL/XXE Injection and command injection
Cross-Site Scripting (XSS)
Server side request forgery (SSRF)
Misconfiguration issues on servers and application
Authentication and Authorization related issues
Cross site request forgeries (CSRF)
Html injection and Self-XSS
Host header and banner grabbing issues
Automated tool scan reports.Example: Web, SSL/TLS scan, Nmap scan results, etc.
Missing HTTP security headers and cookie flags on insensitive cookies
Rate limiting, brute force attack
Unrestricted file upload
Denial of Service (DoS)/Distributed/ Denial of Service (DDoS)
Vulnerabilities that require physical access to the victim machine.
Vulnerabilities only affecting users of outdated or unpatched browsers [Less than two stable versions behind the latest released stable version]
User enumeration such as User email, User ID, etc.
Phishing / Spam (including issues related to SPF/DKIM/DMARC)
Vulnerabilities found in third-party services
EXIF data not stripped on images
Freshworks has partnered with HackerOne for the responsible disclosure program. Refer to https://hackerone.com/freshworks for more information about the program. Please report the vulnerabilities in the below scope only via HackerOne.
Any asset/scope apart from the above will not be eligible for bounty payout. The bounty decision is made per freshworks internal policies. The bounty payment will be fulfilled via HackerOne.
While Freshworks does not provide any reward for responsibly disclosing unique vulnerabilities and working with us to remediate them, we would like to publicly convey our deepest gratitude to the security researchers. We will add your name to our Hall of Fame. Your legendary efforts are truly appreciated by Freshworks.
We would like to recognise the efforts of the following individuals for their contribution to our responsible disclosure program. Please accept our sincerest gratitude to every one of you.
Sorry, our deep-dive didn’t help. Please try a different search term.