Responsible Disclosure

Reporting

Please send submissions to security@deskpro.com (click here for our PGP key).

Please review our standard terms before you begin.

Bug Bounty Program

If you are a security expert or researcher, and you believe that you have discovered a security-related issue with Deskpro’s online systems, we appreciate your help in disclosing the issue to us responsibly. We ask the security research community to give us an opportunity to correct a vulnerability before publicly disclosing it.

Deskpro awards bounties based on severity and impact based on our own discretion. Here are typical reward values:

Critical: Awards up to $3,000. Examples: Remote Code Execution, SQL Injection
High: Awards up to $1,000. Examples: Significant Broken Authentication or Session Management, High-impact XSS (Stored), CSRF, and Privilege Escalation on critical functionality.
Medium: Awards up to $500. Examples: Access Control Bypass, Privilege Escalation, Low-impact XSS, CSRF, Open URL Redirection, Directory Traversal.
Low: Awards up to $100. Examples: Information Leakage, Incorrect API access controls, etc.

We appreciate all submissions. Even for submissions that don't result in a payout, we are happy to recommend you via a recognized bug bounty or security website, or you can choose to be listed on our hall of fame.

Targets in Scope

Deskpro Product

The Deskpro product itself is available in two forms. You can download and run it on-premise, or we run a SaaS version of it in our cloud. The product is the same in both cases. The Deskpro Product is a help desk application you can run in your browser. It can broadly be split into three pieces:

The public help center. This is a user interface published by an organization for use by their users or customers. For example, KB articles, news, new ticket forms, chat, etc.
The agent interface: This is the main interface where staff members work. For example, answering tickets, taking chats, writing new content, etc.
The admin interface: This is where admins configure the software. For example, enable or disable features, define API keys, add or remove categories, etc.

You can download Deskpro and run it locally for testing: https://www.deskpro.com/on-premise. The source code for Deskpro itself is included in the download if you wish to step through it.

Alternatively, you may sign up for a free hosted trial at https://www.deskpro.com/start

Deskpro Cloud Platform

Our Cloud Platform is the technology behind our hosted/SaaS service we run on AWS. We accept submissions about bugs relating to the infrastructure of our platform such as the servers used to run the product.

The best way to begin researching the platform is to sign up for a demo account from https://www.deskpro.com/start. This will create an instance of the product for you, and you can use that as the basis for your research.

Exclusions

While researching, refrain from:

Denial of Service
Spamming / flooding
Social engineering (including phishing) of Deskpro staff or contractors

Non-qualifying Vulnerabilities

There are some submissions that we can't accept for rewards. These are typically issues that we already are aware of, or issues that we think demonstrate business value that outweighs low-level risk, or low-risk issues that are unlikely to result in a code change.

Here is a list of submissions that we suggest you do not report unless you can demonstrate a high-impact vulnerability. This list is a variation of Bugcrowd's list of common non-qualifying types:

Descriptive error messages.
Information disclosure with minimal security impact (e.g. stack traces, path disclosure, directory listings, logs, robots.txt, etc)
Clickjacking and issues only exploitable through clickjacking that have minimal impact.
CSRF on forms that are available to anonymous users (e.g. the contact form).
CSRF with negligible security impact (e.g. adding to favourites).
Presence of application or web browser 'autocomplete' or 'save password' functionality.
Lack of Secure and HTTPOnly cookie flags.
Lack of Security Speedbump when leaving the site.
Weak or missing captcha / captcha bypass.
SSL Attacks such as BEAST, BREACH, Renegotiation attack; SSL Forward secrecy not enabled; SSL Insecure cipher suites.
Missing HTTP security headers (including Anti-MIME-Sniffing header X-Content-Type-Options) that do not lead to a direct exploitation.
Tab nabbing.
Brute force, Rate-limiting, Velocity throttling, or other denial of service based issues.
XSS where only possible by an administrator. E.g. administrators can modify HTML templates, that is not an example of an XSS vulnerability.
XSS where only possible by agents with the "can use arbitrary HTML" permission.
Self-XSS that has no security impact (e.g. injecting HTML into your own RTE editor).
Reports of third-party libraries without an actual proof-of-concept. E.g. if you are aware of a vulnerable library, then you need to submit a proof-of-concept showing that our use of the library is vulnerable.
Out of Scope: Anything not related to the scope defined by the "Targets" section above. E.g. email spoofing, spf/dmarc/dkim, etc.
Paypal / Price parameter tampering (Paypal payments are handled manually by a member of our staff).
Weak password policy (password policies are controlled by the account administrator, not by us).