2015-07-15
2019-12-06

Reward

100 $ 

Zendesk

BUG BOUNTY POLICY

Capitalised terms used in this Bug Bounty Policy and not otherwise defined have the meaning ascribed to such terms in our Master Subscription Agreement.

Zendesk aims to keep its Service safe for everyone, and data security is of utmost priority. If you are a security researcher and have discovered a security vulnerability in the Service, we appreciate your help in disclosing it to us privately and giving us an opportunity to fix it before publishing technical details.

Zendesk will engage with security researchers when vulnerabilities are reported to us as described here. We will validate, respond, and fix vulnerabilities in support of our commitment to security and privacy. We won’t take legal action against, suspend, or terminate access to the Service of those who discover and report security vulnerabilities responsibly. Zendesk reserves all of its legal rights in the event of any noncompliance.

Reporting

Share the details of any suspected vulnerabilities with the Zendesk Security Team by filing a report. Please do not publicly disclose these details outside of this process without explicit permission. In reporting any suspected vulnerabilities, please include the following information:

  • Vulnerable URL - the endpoint where the vulnerability occurs;

  • Vulnerable Parameter - if applicable, the parameter where the vulnerability occurs;

  • Vulnerability Type - the type of the vulnerability;

  • Steps to Reproduce - step-by-step information on how to reproduce the issue;

  • Screenshots or Video - a demonstration of the attack; and

  • Attack Scenario - an example attack scenario may help demonstrate the risk and get your issue resolved faster.

Reports should only reference accounts owned by the researcher. Researchers can sign up for a trial account (See Sign Up Process below). Reports that carry an acceptable risk but demonstrate a valid security-related behaviour will be closed as informative. Submissions that don’t present a security risk, are false positives, or are out of scope will be closed as N/A. (Please note that the scope is outlined below.)

Identical reports will be marked as “Duplicate[s]” of the original submission; the original report can be marked as (but not limited to) “Triaged”, “N/A”, or “Informative.”

More information on a proper submission, report states, and acceptable reporting behaviour can be found in HackerOne’s linked articles.

Sign Up Process

To sign up for a Zendesk Trial Account for HackerOne purposes, please use your HackerOne details. E.g.

  • Step 1/3 - Work Email - please use <hackerone-username>@wearehackerone.com

  • Step 2/3 - First name, Last name and Phone number

  • Step 3/3 - Company name - please use h1-<hackerone-username>-nn

  • where nn is an integer that can be used to create new accounts if you need to do more testing past the trial expiry period.

  • This would create the trial account as h1-<hackerone-username>-01.zendesk.com

All research must be conducted using your own Zendesk instance which you can sign up for here.

Testing Exclusion

In no event are you permitted to access, download or modify data residing in any other Account, or one that is not registered to you. We will not honour any issues which result from testing our customers.

You are also prohibited from:

  • Attempting to social engineer Zendesk staff.

  • Attempting to contact Zendesk staff via our Support or Help centre without identifying yourself as a security researcher. All communication with Zendesk should ideally be done via the HackerOne platform.

  • Attempting to upgrade your trial account to subscription without payment

  • Executing or attempting to execute any Denial of Service attack.

  • Knowingly posting, transmitting, uploading, linking to, sending or storing any Malicious Software.

  • Testing in a manner that would result in the sending of unsolicited or unauthorised junk mail, spam, pyramid schemes or other forms of duplicative or unsolicited messages.

  • Testing third party applications or websites or services that integrate with or link to the Service.

  • Attempting to rename a trial or paid account to another domain

Bounty Ineligible Issues

The following items are known issues or accepted risks where we will not reward you:

  • Clickjacking.

  • Cookie flags.

  • SPF, DKIM, DMARC issues.

  • Malicious attachments on file uploads or attachments.

  • Missing additional security controls, such as HSTS or CSP headers.

  • Mobile issues that require a Rooted or Jailbroken device.

  • Brute-force / Rate-limiting / Velocity throttling, and other denial of service based issues.

  • XSS (or a behaviour) where you can only attack yourself (e.g. "Self XSS").

  • XSS on pages where admins are intentionally given full HTML editing capabilities, such as custom theme editing

  • EXIF information on images

Bounties

We are pleased to offer a bounty for vulnerability information that helps us protect our customers as a thanks to the security researchers who choose to participate in our bug bounty program. Zendesk will decide the bounty amounts at our sole discretion, and all decisions are final.

We will reward you for the following types of vulnerabilities (except where noted otherwise in our Testing Exclusions and bounty ineligible section):

| Severity | Estimated Bounty | Example Issues |
|----------|------------------|----------------|
| Critical | $5,000 | Remote Code Execution, SQL Injection |
| High | $2,000 | Significant Broken Authentication or Session Management, Stored XSS by Agents/End-users, CSRF and Privilege Escalation on critical functionality, etc. |
| Medium | $750 | Access Control Bypass, Privilege Escalation, Reflective XSS, Stored XSS by Admins, CSRF, Open URL Redirection, Directory Traversal, etc. |
| Low | $250 | Information Leakage, Incorrect API access controls, subdomain takeovers of in-scope domains etc. |

We will only reward the first reporter of a valid vulnerability who demonstrates the issue using their own account. Duplicate reports will not be rewarded.

You are responsible for paying any taxes associated with the reward. Submissions from countries where we are prohibited by law from making payments, such as the US Sanction Lists, are ineligible for rewards.

Our Commitment

If you identify a verified security vulnerability in compliance with this Bug Bounty Policy, Zendesk commits to:

  • Acknowledge receipt of your vulnerability report in a timely manner;

  • Notify you when the vulnerability is fixed; and

  • Publicly thank you for your responsible disclosure and helping us keep our customers safe.

Scope

You may only test against a Zendesk for which you are the Account Owner or an Agent authorised by the Account Owner to conduct such testing.

If you have tested on a customer instance that you are authorised to test and find a vulnerability, please recreate the vulnerability on your own test instance.

Zendesk Sell

You may only test against a Zendesk Sell Account for which you are the Account Owner. You are not authorised to test against any Zendesk customers. You can sign up for a free trial account here. Please refer to the Sign Up Process above.

  • app.futuresimple.com

  • Zendesk Sell for iOS Link

  • Zendesk Sell for Android Link

Be sure to also check out Zendesk feature removal

In Scope

| Scope Type | Scope Name |
|------------|------------|
| android_application | com.zopim.android |
| android_application | com.zendesk.android |
| android_application | https://github.com/smooch/smooch-android |
| android_application | https://developer.zendesk.com/documentation/zendesk-sdks/#android |
| android_application | com.futuresimple.base |
| ios_application | https://github.com/smooch/smooch-ios |
| ios_application | 1174276185 |
| ios_application | 549057844 |
| ios_application | https://developer.zendesk.com/documentation/zendesk-sdks/#ios |
| ios_application | 488534576 |
| web_application | h1-your-domain.zendesk.com |
| web_application | developer.zendesk.com |
| web_application | www.zendesk.com |
| web_application | apps.zendesk.com |
| web_application | app.smooch.io |
| web_application | api.smooch.io |
| web_application | smooch.io |
| web_application | https://github.com/smooch/smooch-web |
| web_application | zopim.com |
| web_application | app.futuresimple.com |
| web_application | api.getbase.com |
| web_application | h1-your-domain.zendesk.com/sell |


This program has been found on HackerOne on 2015-07-15.
