Program stats

183 vulnerabilities rewarded

Validation within 3 days
75% of submissions are accepted or rejected within 3 days

Latest hall of famers

Recently joined this program

339 total

Security researchers are increasingly interacting with software companies in order to find and fix the myriad of potential security issues that may arise in any sufficiently complex infrastructure. HubSpot takes those issues seriously, and appreciates the work of the white hat community in responsibly reporting any findings. We are running this bounty program in order to get a better understanding of our own security posture, and to give a deserved tip of the hat to the research community.


HubSpot reserves the right to ask the researcher to provide further clarification or a proof of concept exploit, before awarding any bounty. A reported vulnerability must clearly demonstrate the risk to the infrastructure or its users in order to receive a bounty.

Domains excluded from the bounty:#


Rate limiting

The HubSpot products use a WAF and other technologies that alert on or block malicious-looking and/or high rate traffic. If your traffic is being denied, stop running high volume scans and wait 24 hours. If your IP is still blocked after 24 hours and if you would like to be unblocked, please contact security<at> with your IP address, the HTTP response codes you received and a description of the test approach you were using when the block began.

Focus Areas

  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)
  • Authentication or authorization flaws
  • Server-side code execution bugs
  • Sensitive data exposure
  • Particularly clever vulnerabilities or unique issues that do not fall into explicit categories

The Ground Rules

  • Do not attempt to gain access to another user’s account or data (that is to say that you can do cross account testing, but only use accounts you own/control).
  • Use trial portals for all testing purposes. Portals built for production use may not be used for testing.
  • Do not perform any attack that could harm the reliability/integrity of our services or data. DDoS/spam attacks are not allowed.
  • Do not publicly disclose a bug before it has been fixed.
  • Only test for vulnerabilities on sites you know to be operated by HubSpot. Excluded subdomains, e.g., should not be tested.
  • Do not impact other users with your testing, this includes testing for vulnerabilities in portals you do not own.
  • Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
  • Ensure any portal that you're using for testing includes a user with your "" email address.
  • When in doubt, email us (

Our Commitment To You

  • We will respond as quickly as possible to your submission.
  • We will keep you updated as we work to fix the bug you submitted.
  • We will not take legal action against you if you play by the rules.

The following finding types are specifically excluded from the bounty:

  • Descriptive error messages (e.g. Stack Traces, application or server errors).
  • HTTP 404 codes/pages or other HTTP non-200 codes/pages.
  • Fingerprinting / banner disclosure on common/public services.
  • HubSpot corporate infrastructure configuration (e.g., mail service SPF records)
  • Disclosure of known public files or directories, (e.g., robots.txt).
  • Clickjacking and issues only exploitable through clickjacking, unless accompanied by a real-world attack scenario and meaningful impact.
  • CSRF on forms that are available to anonymous users (e.g., the contact form), unless accompanied by a real-world attack scenario and meaningful impact.
  • Logout Cross-Site Request Forgery.
  • Perceived excessive volumes of sent email (e.g., mail flooding).
  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
  • Reverse tabnabbing
  • Lack of Secure/HTTPOnly flags on non-sensitive Cookies
  • Lack of Security speedbump when leaving the site.
  • Weak Captcha / Captcha Bypass
  • Login or Forgot Password page brute force and account lockout not enforced.
  • OPTIONS HTTP method enabled
  • HTTPS Mixed Content messages
  • Username / email enumeration
    • via Login Page error message
    • via Forgot Password error message
  • Missing HTTP security headers, specifically (, e.g.
    • Strict-Transport-Security
    • X-Frame-Options
    • X-XSS-Protection
    • X-Content-Type-Options
    • Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
    • Content-Security-Policy-Report-Only
  • SSL Issues, e.g.
    • SSL Attacks such as BEAST, BREACH, Renegotiation attack
    • SSL Forward secrecy not enabled
    • SSL weak / insecure cipher suites

Instructions for creating a HubSpot trial portal

Anyone may create a 30-day trial portal by navigating to: When signing up, use your email address.

All available functionality may be tested with the exception of email sends to email addresses you do not own. As noted above, sending phishing attacks or spam from a portal will be grounds for permanent disqualification.

With a few easy steps, it is possible to set up Landing Pages (i.e., pages with fillable fields), Site Pages, and Blog posts. It is also possible to enable the Customer Relationship Manager (CRM) capability:

  • click on the circular avatar image in the upper right corner
  • select "Settings"
  • go to "Products & Add-ons"
  • click the "Activate (FREE)" button

With a trial account, it is also possible to create an API key to send API requests. API requests may not exceed 10,000 per 24-hour period. To create an API key:

  • click on the circular avatar image in the upper right corner
  • select "Integrations"
  • click on "Get your HubSpot API key"
  • click the "Generate New Key" button

Information about HubSpot APIs, including example requests, is available at:

Instructions for creating a HubSpot Sales account

Information about setting up a HubSpot Sales (previously Sidekick) account is available at:

When signing up, use your email or Gmail address. As noted above, sending phishing attacks or spam through HubSpot Sales will be grounds for permanent disqualification.

Once you have created an account, install the Chrome plugin. If using Office365 or an IMAP service, options also exist to connect to those.

Subsequent requests for Sales features go to the HubSpot API (, Some features use services at the or domains.


This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for Informational (P5) findings. Learn more about Bugcrowd’s VRT.

This bounty requires explicit permission to disclose the results of a submission.