Submit bug report: https://bugcrowd.com/hubspot
Security researchers are increasingly interacting with software companies in order to find and fix the myriad of potential security issues that may arise in any sufficiently complex infrastructure. HubSpot takes those issues seriously, and appreciates the work of the white hat community in responsibly reporting any findings. We are running this bounty program in order to get a better understanding of our own security posture, and to give a deserved tip of the hat to the research community.
Scope and rewards
In Scope Targets
Payment reward chart:
P1: $5000
P2: $900
P3: $200
P4: $50
In Scope Domains:
In addition to the targets below, HubSpot Marketing and CMS customers often host content on the HubSpot platform. Customer domains will be CNAME'd to a subdomain like groupXX.sites.hscoscdnYY.net, where XX and YY are the numeric identifiers for the content path.
Vulnerabilities thought to be introduced by HubSpot's hosting platform, and that therefore may affect multiple HubSpot customers, are in scope for this program. Please report those here. It is possible that a customer has introduced the vulnerability (e.g., XSS); we will investigate and respond to those reports.
*.hubapi.com (API Testing; Cloudflare CDN)
*.hubspot.com (Java; Cloudflare CDN; ReactJS)
*.hubspot.net (Cloudflare CDN; jQuery)
*.hs-sites.com (Website Testing)
*.hubspotemail.net
HubSpot Mobile Application: Android (Java; Android; Mobile Application Testing)
HubSpot Mobile Application: iOS (Objective-C; SwiftUI; Swift)
Out of Scope Domains
*.getsidekick.com
*.inbound.org
blog.hubspot.com
shop.hubspot.com
surveys.success.hubspot.com
integrate.hubspot.com
ux.hubspot.com
ink1001.hubspot.com
Disclaimer
HubSpot reserves the right to ask the researcher to provide further clarification or a proof of concept exploit, before awarding any bounty. A reported vulnerability must clearly demonstrate the risk to the infrastructure or its users in order to receive a bounty.
Publicly Exposed API Keys and Passwords
If you find any sensitive information (e.g., API keys, passwords), do not attempt to validate it; simply report it directly to HubSpot. We may offer discretionary rewards in these cases.
Focus Areas
Cross-site scripting (XSS)
Authentication or authorization flaws
Server-side code execution bugs
Sensitive data exposure
Particularly clever vulnerabilities or unique issues that do not fall into explicit categories
The Ground Rules
Do not attempt to gain access to another user’s account or data.
Do not perform any attack that could harm the reliability/integrity of our services or data.
Do not publicly disclose a bug before it has been fixed.
Only test for vulnerabilities on sites you know to be operated by HubSpot. Excluded subdomains, e.g. shop.hubspot.com, should not be tested.
Do not impact other users with your testing; this includes testing for vulnerabilities in portals you do not own.
Automated scanners or automated tools to find vulnerabilities are forbidden and will be blocked.
Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
Ensure any portal that you're using for testing includes a user with your "@bugcrowdninja.com" email address.
Our Commitment To You
We will respond as quickly as possible to your submission.
We will keep you updated as we work to fix the bug you submitted.
We will not take legal action against you if you play by the rules.
The following finding types are specifically excluded from the bounty:
Reports related to the rate limits applied to an API endpoint
Perceived excessive volumes of sent email (e.g., mail flooding).
Login or Forgot Password page brute force and account lockout not enforced.
Submissions related to researcher-created content presented on preview domains, user content domains, or file manager content, unless accompanied by a real-world impact to HubSpot users. The HubSpot platform is designed to allow users to create HTML, JavaScript, etc., and should safely handle that content by presenting it on subdomains that are fully distinct from *.hubspot.com. For instance, if an authorized user can create HTML in a part of the HubSpot platform that is designed to allow users to safely create and view HTML (e.g. hs-sites.com, hubspotpagebuilder.com, hubspotpreview-na1.com, cdn2.hubspot.net, and similar (sub)domains), then that is expected behavior. However, if it is possible to execute JavaScript in the context of *.hubspot.com, or if it is possible for a website visitor (i.e., an unauthenticated user) to trigger XSS on a website hosted on HubSpot, then we welcome those reports.
IDOR Vulnerabilities:
Due to HubSpot’s microservices architecture, it is not uncommon for researchers to come across IDOR vulnerabilities. When testing for IDORs, please make sure to only grant the low-privileged user permissions that affect the specific object or feature being tested. Over-permissioning may cause false positive results (e.g. testing IDORs within CRM - Tickets but also granting Deals, Contacts, Communicate, Blogs, or any other unnecessary permissions). Please note that there are endpoints within the HubSpot application that require one of multiple scopes to access. For instance, /endpoint may require any of [scope-1, scope-2, scope-3] so over-permissioning may cause you to observe intended behavior which could result in a “Not Applicable” submission status. In other cases, IDOR submissions that are non-exploitable, by design, or deemed acceptable risk to HubSpot may be marked as a P5 - Informational (e.g. an endpoint revealing a private report’s metadata (e.g. the report title) that doesn't contain any sensitive info but NOT the report data itself). Ultimately, IDOR findings must have a demonstrable impact on our users, their data, or their company reputation to be eligible for bounty rewards.
Instructions for creating a HubSpot trial portal
Anyone may create a trial portal by navigating to http://offers.hubspot.com/free-trial. When signing up, use your @bugcrowdninja.com email address.
All available functionality may be tested with the exception of email sends to email addresses you do not own. As noted above, sending phishing attacks or spam from a portal will be grounds for permanent disqualification.
With a trial account, it is also possible to create an API key to send API requests. API requests should fall within the developers' guidelines: https://developers.hubspot.com/apps/api_guidelines. To create an API key:
click on the circular avatar image in the upper right corner
select "Integrations"
click on "Get your HubSpot API key"
click the "Generate New Key" button
Information about HubSpot APIs, including example requests, is available at: developers.hubspot.com