We are currently not accepting reports via HackerOne

Due to recent changes in the security policy within Xero we’ve decided to put a hold on our bug bounty program on HackerOne. At this time if you do have any security bugs to report, or questions about security at Xero, please submit them via email to support@xero.com

We thank all the researchers that have submitted findings for their dedication and hard work, we’ve received many excellent submissions and wish all researchers the best of luck in their future endeavours.

If you have any questions or concerns, please email support@xero.com

Thanks
Xero Product Security Team

Securing your data is very important to us

Thank you for your interest in Xero's coordinated disclosure programme. If you have found a vulnerability in Xero or plan to look for one, please follow the guidelines on this page.

Coordinated Disclosure

Xero supports the efforts of the internet community to make the online world a safer place for everyone. We have worked with the NZITF __in New Zealand and endorse the spirit and content of their Coordinated Disclosure Guidelines __(PDF), which is a good read for both researchers and other organisations looking to implement their own programmes.

Coordinated / Responsible disclosure is based on four main basic principles:

1. Both parties will act in good faith to identify and fix security vulnerabilities.
2. Both parties will ensure they act within the law.
3. Finders should be able to come to owners directly without relying on a third party without fear of vexatious legal action.
4. The vulnerability, and the fact that the finder found it, will ordinarily be made public at the end of the process.

We guarantee that if a research discloses issues to us in a responsible manner, following the guidelines on this page, then we won't proceed with any legal action.

Test accounts and trial organisations

If you are researching security issues, please use test accounts that you sign up and control, and limit your testing to those accounts and organisations which are under your control. This is to respect the privacy of our other users.

Information on how to create demo and trial organisations for test purposes is available on the Xero Developer Center __

Eligibility and coordinated disclosure

We are happy to list your name on our Hall of Fame under the following conditions:

• You are the first person to report a particular issue to us
• You agree to work with us to disclose the issue according to these guidelines
• There is no public disclosure of the issue without our consent

We are unable to provide monetary or non-monetary rewards.

Scope of program

Please use the lists below as a guide for the scope of the program. You may report issues outside the defined scope, but it is unlikely these reports will be recognised in our Hall of Fame.

Possible issues include but are not limited to:

• Cross Site Scripting (XSS)
• Cross Site Request Forgery (CSRF)
• Remote Code Execution (RCE)
• Unauthorised Access to other organisations data within Xero

We are particularly interested in issues related to the following sites:

• go.xero.com
• my.xero.com
• login.xero.com
• connect.banking.xero.com
• payroll.xero.com

We are also interested in vulnerabilities in the following applications:

• Xero for Android __
• Xero for iOS __

Please refrain from accessing private information (use test accounts instead), performing actions that may negatively affect Xero users (spam, denial of service), or sending reports from automated tools without verifying them.

The following issues are outside the scope of our white hat program:

• Issues related to software or protocols not under Xero's control
• Reports from automated tools or scans
• Social engineering of Xero staff or contractors
• Any physical attempts against property or IT infrastructure belonging to Xero or any of our IT hosting and network service providers
• Attacks requiring physical access to a user's device
• Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability)
• Login/logout CSRF
• Invalid or missing SPF (Sender Policy Framework) records
• Reports of spam or phishing (see here __for more info)
• Vulnerabilities only affecting users of outdated or unpatched browsers and platforms
• Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages

Permission is required from the Xero Security Team before using automated tools or scans, performing brute force attacks, or denial of service. Any attacks which affect other users or infrastructure will be outside these guidelines.

Contact us

To start a conversation with the Xero Security Team, or to contact us for any other reason, please use the "Submit Report" button on this page. We will aim to respond within two working days (hopefully sooner!), and will then discuss any timelines for further responses with you.