Capitalized terms used in this Bug Bounty Policy and not otherwise defined have the meaning ascribed to such terms in our Master Subscription Agreement __.
Zendesk aims to keep its Service safe for everyone, and data security is of the utmost priority. If you are a security researcher and have discovered a security vulnerability in the Service, we appreciate your help in disclosing it to us privately and giving us an opportunity to fix it before you publish technical details.
Zendesk will engage with security researchers when vulnerabilities are reported to us as described here. We will validate, respond, and fix vulnerabilities in support of our commitment to security and privacy. We won’t take legal action against, suspend, or terminate access to the Service of those who discover and report security vulnerabilities responsibly. Zendesk reserves all of its legal rights in the event of any noncompliance.
Share the details of any suspected vulnerabilities with the Zendesk Security Team by filing a report. Please do not publicly disclose these details outside of this process without explicit permission. In reporting any suspected vulnerabilities, please include the following information:
Reports should only reference accounts owned by the researcher. Researchers can sign up for a trial here __. Reports that carry an acceptable risk but demonstrate a valid security-related behavior will be closed as informative. Submissions that don’t present a security risk, are false positives, or are out of scope will be closed as N/A. (Please note that the scope is outlined below.)
Identical reports will be marked as "Duplicate[s]" of the original submission; the original report can be marked as (but not limited to) "Triaged", "N/A", or "Informative."
In no event are you permitted to access, download or modify data residing in any other Account, or one that is not registered to you. We will not honor any issues which result from testing our customers. All research must be conducted using your own Zendesk instance which you can sign up for here __.
You are also prohibited from:
The following items are known issues or accepted risks where we will not reward you:
We are pleased to offer a bounty for vulnerability information that helps us protect our customers, as thanks to the security researchers who choose to participate in our bug bounty program. Zendesk will decide the bounty amounts at our sole discretion, and all decisions are final.
We will reward you for the following types of vulnerabilities (except where noted otherwise in our Testing Exclusions and Bounty-Ineligible sections):
| Severity | Estimated Bounty | Example Issues |
|---|---|---|
| Critical | $3,000 | Remote Code Execution, SQL Injection |
| High | $1,000 | Significant Broken Authentication or Session Management, Stored XSS by Agents/End-users, CSRF and Privilege Escalation on critical functionality, etc. |
| Medium | $500 | Access Control Bypass, Privilege Escalation, Reflective XSS, Stored XSS by Admins, CSRF, Open URL Redirection, Directory Traversal, etc. |
| Low | $100 | Information Leakage, Incorrect API access controls, etc. |
We will only reward the first reporter of a valid vulnerability who demonstrates the issue using their own account. Duplicate reports will not be rewarded.
You are responsible for paying any taxes associated with the reward. Submissions from countries where we are prohibited by law from making payments, such as those on the US Sanctions Lists __, are ineligible for rewards.
If you identify a verified security vulnerability in compliance with this Bug Bounty Policy, Zendesk commits to:
You may only test against a Zendesk or Zendesk Connect Account for which you are the Account Owner or an Agent authorized by the Account Owner to conduct such testing. You are not authorized to test against any Zendesk customers. You can sign up for a free trial account here __.
For Zendesk Connect:
firstname.lastname@example.org/or HackerOne as the company name during registration.
For issues related to other products, please see the following:
| Scope Type | Scope Name |
|---|---|
This program was found on HackerOne on 2015-07-15.