Security researchers are increasingly interacting with software companies in order to find and fix the myriad potential security issues that may arise in any sufficiently complex infrastructure. HubSpot takes those issues seriously, and appreciates the work of the white hat community in responsibly reporting any findings. We are running this bounty program in order to get a better understanding of our own security posture, and to give a deserved tip of the hat to the research community.

Targets

In scope

  • *.inbound.org
  • *.hubspot.net
  • *.getsidekick.com
  • *.hubspot.com
  • *.hubapi.com

Disclaimer
HubSpot reserves the right to ask the researcher to provide further clarification or a proof-of-concept exploit before awarding any bounty. A reported vulnerability must clearly demonstrate the risk to the infrastructure or its users in order to receive a bounty.


Domains excluded from the bounty:

  • blog.hubspot.com
  • shop.hubspot.com
  • ideas.hubspot.com
  • forums.hubspot.com
  • community.hubspot.com
  • surveys.success.hubspot.com
  • integrate.hubspot.com

Rate limiting

The HubSpot products use a WAF and other technologies that alert on or block malicious-looking and/or high-rate traffic. If your traffic is being denied, stop running high-volume scans and wait 24 hours. If your IP is still blocked after 24 hours and you would like to be unblocked, please contact security<at>hubspot.com with your IP address, the HTTP response codes you received, and a description of the test approach you were using when the block began.

Focus Areas

  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)
  • Authentication or authorization flaws
  • Server-side code execution bugs
  • Sensitive data exposure
  • Particularly clever vulnerabilities or unique issues that do not fall into explicit categories

The Ground Rules

  • Do not attempt to gain access to another user’s account or data (cross-account testing is allowed, but only between accounts you own or control).
  • Use trial portals for all testing purposes. Portals built for production use may not be used for testing.
  • Do not perform any attack that could harm the reliability/integrity of our services or data. DDoS/spam attacks are not allowed.
  • Do not publicly disclose a bug before it has been fixed.
  • Only test for vulnerabilities on sites you know to be operated by HubSpot. Excluded subdomains, e.g. shop.hubspot.com, should not be tested.
  • Do not impact other users with your testing; this includes testing for vulnerabilities in portals you do not own.
  • Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
  • When in doubt, email us (security@hubspot.com).

Our Commitment To You

  • We will respond as quickly as possible to your submission.
  • We will keep you updated as we work to fix the bug you submitted.
  • We will not take legal action against you if you play by the rules.

The following finding types are specifically excluded from the bounty:

  • Descriptive error messages (e.g. Stack Traces, application or server errors).
  • HTTP 404 codes/pages or other HTTP non-200 codes/pages.
  • Fingerprinting / banner disclosure on common/public services.
  • HubSpot corporate infrastructure configuration (e.g., mail service SPF records).
  • Disclosure of known public files or directories, (e.g., robots.txt).
  • Clickjacking and issues only exploitable through clickjacking, unless accompanied by a real-world attack scenario and meaningful impact.
  • CSRF on forms that are available to anonymous users (e.g., the contact form), unless accompanied by a real-world attack scenario and meaningful impact.
  • Logout Cross-Site Request Forgery.
  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
  • Lack of Secure/HttpOnly flags on non-sensitive cookies.
  • Lack of a security speed bump when leaving the site.
  • Weak CAPTCHA / CAPTCHA bypass.
  • Login or Forgot Password page brute force and account lockout not enforced.
  • OPTIONS HTTP method enabled.
  • HTTPS mixed content messages.
  • Username / email enumeration:
    • via Login Page error message
    • via Forgot Password error message
  • Missing HTTP security headers (see https://www.owasp.org/index.php/List_of_useful_HTTP_headers), e.g.
    • Strict-Transport-Security
    • X-Frame-Options
    • X-XSS-Protection
    • X-Content-Type-Options
    • Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
    • Content-Security-Policy-Report-Only
  • SSL Issues, e.g.
    • SSL Attacks such as BEAST, BREACH, Renegotiation attack
    • SSL Forward secrecy not enabled
    • SSL weak / insecure cipher suites

Instructions for creating a HubSpot trial portal

Anyone may create a 30-day trial portal by navigating to: http://offers.hubspot.com/free-trial. When signing up, use your @bugcrowdninja.com email address.

All available functionality may be tested with the exception of email sends to email addresses you do not own. As noted above, sending phishing attacks or spam from a portal will be grounds for permanent disqualification.

With a few easy steps, it is possible to set up Landing Pages (i.e., pages with fillable fields), Site Pages, and Blog posts. It is also possible to enable the Customer Relationship Manager (CRM) capability:

  • click on the circular avatar image in the upper right corner
  • select "Settings"
  • go to "Products & Add-ons"
  • click the "Activate (FREE)" button

With a trial account, it is also possible to create an API key to send API requests. API requests may not exceed 10,000 per 24-hour period. To create an API key:

  • click on the circular avatar image in the upper right corner
  • select "Integrations"
  • click on "Get your HubSpot API key"
  • click the "Generate New Key" button

Information about HubSpot APIs, including example requests, is available at: developers.hubspot.com


Instructions for creating a Sidekick account

Anyone can create a free Sidekick account by navigating to: https://app.getsidekick.com/signup. When signing up, use your @bugcrowdninja.com email or Gmail address. As noted above, sending phishing attacks or spam through Sidekick will be grounds for permanent disqualification.

Once you have created an account, browse to the displayed URL with Chrome and install the plugin. If using Outlook or Apple Mail, options also exist to install the plugin into those clients.

Subsequent requests for Sidekick features are sent to either app.getsidekick.com or api.getsidekick.com. A typical request returns a JSON response.

Rules

This program follows Bugcrowd’s standard disclosure terms.

This bounty requires explicit permission to disclose the results of a submission.