Security researchers are increasingly interacting with software companies in order to find and fix the myriad of potential security issues that may arise in any sufficiently complex infrastructure. HubSpot takes those issues seriously, and appreciates the work of the white hat community in responsibly reporting any findings. We are running this bounty program in order to get a better understanding of our own security posture, and to give a deserved tip of the hat to the research community.

Disclaimer
HubSpot reserves the right to ask the researcher to provide further clarification or a proof of concept exploit, before awarding any bounty. A reported vulnerability must clearly demonstrate the risk to the infrastructure or its users in order to receive a bounty.

---

In Scope Domains:

In addition to the targets above, HubSpot Marketing and CMS customers often host content on the HubSpot platform. Customer domains will be CNAME'd to a subdomain like:
groupXX.sites.hscoscdnYY.net, where X and Y are the numeric identifier for the content path.

Vulnerabilities thought to be introduced by HubSpot's hosting platform and therefore may affect multiple HubSpot customers are in-scope for this program. Please report those here. It is possible that a customer has introduced the vulnerability (e.g., XSS, etc); we will investigate and respond to those reports.

Out of Scope Domains:

• blog.hubspot.com
• shop.hubspot.com
• community.hubspot.com
• surveys.success.hubspot.com
• integrate.hubspot.com
• ux.hubspot.com
• ink1001.hubspot.com

Rate limiting

The HubSpot products use a WAF and other technologies that alert on or block malicious-looking and/or high rate traffic. If your traffic is being denied, stop running high volume scans and wait 24 hours. If your IP is still blocked after 24 hours and if you would like to be unblocked, please contact security<at>hubspot.com with your IP address, the HTTP response codes you received and a description of the test approach you were using when the block began.

Focus Areas

• Cross-site scripting (XSS)
• Cross-site request forgery (CSRF)
• Authentication or authorization flaws
• Server-side code execution bugs
• Sensitive data exposure
• Particularly clever vulnerabilities or unique issues that do not fall into explicit categories

The Ground Rules

• Do not attempt to gain access to another user’s account or data (that is to say that you can do cross account testing, but only use accounts you own/control).
• Use trial portals for all testing purposes. Portals built for production use may not be used for testing.
• Do not perform any attack that could harm the reliability/integrity of our services or data. DDoS/spam attacks are not allowed.
• Do not publicly disclose a bug before it has been fixed.
• Only test for vulnerabilities on sites you know to be operated by HubSpot. Excluded subdomains, e.g. shop.hubspot.com, should not be tested.
• Do not impact other users with your testing, this includes testing for vulnerabilities in portals you do not own.
• Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
• Ensure any portal that you're using for testing includes a user with your "@bugcrowdninja.com" email address.
• When in doubt, email us (security@hubspot.com)

Our Commitment To You

• We will respond as quickly as possible to your submission.
• We will keep you updated as we work to fix the bug you submitted.
• We will not take legal action against you if you play by the rules.

The following finding types are specifically excluded from the bounty:

• Descriptive error messages (e.g. Stack Traces, application or server errors).
• HTTP 404 codes/pages or other HTTP non-200 codes/pages.
• Fingerprinting / banner disclosure on common/public services.
• HubSpot corporate infrastructure configuration (e.g., mail service SPF records)
• Disclosure of known public files or directories, (e.g., robots.txt).
• Clickjacking and issues only exploitable through clickjacking, unless accompanied by a real-world attack scenario and meaningful impact.
• CSRF on forms that are available to anonymous users (e.g., the contact form), unless accompanied by a real-world attack scenario and meaningful impact.
• Logout Cross-Site Request Forgery.
• Perceived excessive volumes of sent email (e.g., mail flooding).
• Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
• Reverse tabnabbing
• Lack of Secure/HTTPOnly flags on non-sensitive Cookies
• Lack of Security speedbump when leaving the site.
• Weak Captcha / Captcha Bypass
• Login or Forgot Password page brute force and account lockout not enforced.
• OPTIONS HTTP method enabled
• HTTPS Mixed Content messages
• Username / email enumeration
  • via Login Page error message
  • via Forgot Password error message
• Missing HTTP security headers, specifically (https://www.owasp.org/index.php/List_of_useful_HTTP_headers), e.g.
  • Strict-Transport-Security
  • X-Frame-Options
  • X-XSS-Protection
  • X-Content-Type-Options
  • Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
  • Content-Security-Policy-Report-Only
• SSL Issues, e.g.
  • SSL Attacks such as BEAST, BREACH, Renegotiation attack
  • SSL Forward secrecy not enabled
  • SSL weak / insecure cipher suites
• Submissions related to user-defined content on preview domains *.hs-sites.com or file manager contents on CDN comains, unless accompanied by a real-world impact to HubSpot users. The HubSpot platform can be used to host user-created content. It is expected that syntactically correct Javascript or HTML that an authenticated and authorized user adds to a hosted website would render in a browser.

---

Instructions for creating a HubSpot trial portal

Anyone may create a 30-day trial portal by navigating to: http://offers.hubspot.com/free-trial. When signing up, use your @bugcrowdninja.com email address.

All available functionality may be tested with the exception of email sends to email addresses you do not own. As noted above, sending phishing attacks or spam from a portal will be grounds for permanent disqualification.

With a few easy steps, it is possible to set up Landing Pages (i.e., pages with fillable fields), Site Pages, and Blog posts. It is also possible to enable additional features:

• click on the circular avatar image in the upper right corner
• select "Products & Add-ons"
• select the feature you would like to add

With a trial account, it is also possible to create an API key to send API requests. To avoid having access blocked, API requests should fall within the developers' guidelines: https://developers.hubspot.com/apps/api_guidelines. To create an API key:

• click on the circular avatar image in the upper right corner
• select "Integrations"
• click on "Get your HubSpot API key"
• click the "Generate New Key" button

Information about HubSpot APIs, including example requests, is available at: developers.hubspot.com

---

Instructions for creating a HubSpot Sales account

Information about setting up a HubSpot Sales (previously Sidekick) account is available at: https://knowledge.hubspot.com/articles/kcs_article/account/how-to-sign-up-for-hubspot-sales

When signing up, use your @bugcrowdninja.com email or Gmail address. As noted above, sending phishing attacks or spam through HubSpot Sales will be grounds for permanent disqualification.

Once you have created an account, install the Chrome plugin. If using Office365 or an IMAP service, options also exist to connect to those as well.

Subsequent requests for Sales features go to the HubSpot API (api.hubapi.com), app.hubspot.com.