Due to recent changes in the security policy within Xero we’ve decided to put a hold on our bug bounty program on HackerOne. At this time if you do have any security bugs to report, or questions about security at Xero, please submit them via email to email@example.com
We thank all the researchers that have submitted findings for their dedication and hard work, we’ve received many excellent submissions and wish all researchers the best of luck in their future endeavours.
If you have any questions or concerns, please email firstname.lastname@example.org
Xero Product Security Team
Thank you for your interest in Xero's coordinated disclosure programme. If you have found a vulnerability in Xero or plan to look for one, please follow the guidelines on this page.
Xero supports the efforts of the internet community to make the online world a safer place for everyone. We have worked with the NZITF in New Zealand and endorse the spirit and content of their Coordinated Disclosure Guidelines (PDF), which is a good read for both researchers and other organisations looking to implement their own programmes.
Coordinated / Responsible disclosure is based on four basic principles:
We guarantee that if a researcher discloses issues to us in a responsible manner, following the guidelines on this page, then we won't proceed with any legal action.
If you are researching security issues, please use test accounts that you sign up and control, and limit your testing to those accounts and organisations which are under your control. This is to respect the privacy of our other users.
Information on how to create demo and trial organisations for test purposes is available on the Xero Developer Center.
We are happy to list your name on our Hall of Fame under the following conditions:
We are unable to provide monetary or non-monetary rewards.
Please use the lists below as a guide for the scope of the program. You may report issues outside the defined scope, but it is unlikely these reports will be recognised in our Hall of Fame.
Possible issues include but are not limited to:
We are particularly interested in issues related to the following sites:
We are also interested in vulnerabilities in the following applications:
Please refrain from accessing private information (use test accounts instead), performing actions that may negatively affect Xero users (spam, denial of service), or sending reports from automated tools without verifying them.
The following issues are outside the scope of our white hat program:
Permission is required from the Xero Security Team before using automated tools or scans, performing brute force attacks, or denial of service. Any attacks which affect other users or infrastructure will be outside these guidelines.
To start a conversation with the Xero Security Team, or to contact us for any other reason, please use the "Submit Report" button on this page. We will aim to respond within two working days (hopefully sooner!), and will then discuss any timelines for further responses with you.