Security researchers are increasingly interacting with software companies in order to find and fix the myriad of potential security issues that may arise in any sufficiently complex infrastructure. HubSpot takes those issues seriously, and appreciates the work of the white hat community in responsibly reporting any findings. We are running this bounty program in order to get a better understanding of our own security posture, and to give a deserved tip of the hat to the research community.

Disclaimer
HubSpot reserves the right to ask the researcher to provide further clarification or a proof of concept exploit, before awarding any bounty. A reported vulnerability must clearly demonstrate the risk to the infrastructure or its users in order to receive a bounty.

---

In Scope Domains:

In addition to the targets above, HubSpot Marketing and CMS customers often host content on the HubSpot platform. Customer domains will be CNAME'd to a subdomain like:
groupXX.sites.hscoscdnYY.net, where X and Y are the numeric identifier for the content path.

Vulnerabilities thought to be introduced by HubSpot's hosting platform and therefore may affect multiple HubSpot customers are in-scope for this program. Please report those here. It is possible that a customer has introduced the vulnerability (e.g., XSS, etc); we will investigate and respond to those reports.

Domains excluded from the bounty:

• blog.hubspot.com
• shop.hubspot.com
• community.hubspot.com
• surveys.success.hubspot.com
• integrate.hubspot.com
• ux.hubspot.com
• ink1001.hubspot.com

Traffic Control

The HubSpot products use a WAF and other technologies that alert on or block malicious-looking and/or high rate traffic. Using your @bugcrowdninja.com email address for your user and the Traffic Control proxy helps ensure that we don't block or remove your access.

• Bugcrowd Proxy Server Address: 52.73.20.92
• Bugcrowd Proxy Server Port: 25603
  
• Proxy authentication: bugcrowd:reverseninja
• Please verify your configuration before testing: http://whatismyip.com

PieSync and HubSpot Integration

PieSync connects HubSpot with other apps for an automatic 2-way contact sync.

Focus on testing the SAML configuration and processing of PieSync with HubSpot, using the "login with HubSpot" option.

Instructions for Creating a PieSync test account with HubSpot

1. Create a HubSpot portal. Refer to the “Instructions for Creating a HubSpot portal” section of this brief for information on how to do so.

2. Create a PieSync account on https://app.piesync.com/signup/ . Sign in to your account using the HubSpot sign in link once you have created a HubSpot portal. Do not use another integration type to sign in.

Publicly Exposed API Keys and Passwords


If you find any sensitive information (e.g API keys, passwords), do not attempt to validate them; simply report them directly to HubSpot and we may offer discretionary rewards in these cases.

Focus Areas

• Cross-site scripting (XSS)
• Cross-site request forgery (CSRF)
• Authentication or authorization flaws
• Server-side code execution bugs
• Sensitive data exposure
• Particularly clever vulnerabilities or unique issues that do not fall into explicit categories

The Ground Rules

• Do not attempt to gain access to another user’s account or data.
• Do not perform any attack that could harm the reliability/integrity of our services or data. DDoS/spam attacks are not allowed.
• Do not publicly disclose a bug before it has been fixed.
• Only test for vulnerabilities on sites you know to be operated by HubSpot. Excluded subdomains, e.g. shop.hubspot.com, should not be tested.
• Do not impact other users with your testing, this includes testing for vulnerabilities in portals you do not own.
• Automated scanners or automated tools to find vulnerabilities are forbidden and will be blocked, unless you've configured Traffic Control (see above).
• Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
• Ensure any portal that you're using for testing includes a user with your "@bugcrowdninja.com" email address.
• When in doubt, email us (security@hubspot.com)

Our Commitment To You

• We will respond as quickly as possible to your submission.
• We will keep you updated as we work to fix the bug you submitted.
• We will not take legal action against you if you play by the rules.

The following finding types are specifically excluded from the bounty:

• Descriptive error messages (e.g. Stack Traces, application or server errors).
• HTTP 404 codes/pages or other HTTP non-200 codes/pages.
• Fingerprinting / banner disclosure on common/public services.
• HubSpot corporate infrastructure configuration (e.g., mail service SPF records)
• Disclosure of known public files or directories, (e.g. robots.txt).
• Clickjacking and issues only exploitable through clickjacking, unless accompanied by a real-world attack scenario and meaningful impact.
• CSRF on forms that are available to anonymous users (e.g. the contact form), unless accompanied by a real-world attack scenario and meaningful impact.
• Logout Cross-Site Request Forgery (logout CSRF).
• Perceived excessive volumes of sent email (e.g., mail flooding).
• Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
• Reverse tabnabbing
• Lack of Secure/HTTPOnly flags on non-sensitive Cookies
• Lack of Security speedbump when leaving the site.
• Weak Captcha / Captcha Bypass
• Login or Forgot Password page brute force and account lockout not enforced.
• OPTIONS HTTP method enabled
• HTTPS Mixed Content messages
• Username / email enumeration
  • via Login Page error message
  • via Forgot Password error message
• Missing HTTP security headers, specifically (https://www.owasp.org/index.php/List_of_useful_HTTP_headers), e.g.
  • Strict-Transport-Security
  • X-Frame-Options
  • X-XSS-Protection
  • X-Content-Type-Options
  • Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
  • Content-Security-Policy-Report-Only
• SSL Issues, e.g.
  • SSL Attacks such as BEAST, BREACH, Renegotiation attack
  • SSL Forward secrecy not enabled
  • SSL weak / insecure cipher suite
• Submissions related to user-defined content on preview domains *.hs-sites.com or file manager contents on CDN domains, unless accompanied by a real-world impact to HubSpot users. The HubSpot platform can be used to host user-created content. It is expected that syntactically correct Javascript or HTML that an authenticated and authorized user adds to a hosted website would render in a browser.
• Testing PieSync’s syncing capabilities on any app that is not HubSpot CRM, HubSpot Marketing, or HubSpot Service Hub is strictly out of scope.

---

Instructions for creating a HubSpot trial portal

Anyone may create a 30-day trial portal by navigating to: http://offers.hubspot.com/free-trial. When signing up, use your @bugcrowdninja.com email address.

All available functionality may be tested with the exception of email sends to email addresses you do not own. As noted above, sending phishing attacks or spam from a portal will be grounds for permanent disqualification.

With a few easy steps, it is possible to set up Landing Pages (i.e., pages with fillable fields), Site Pages, and Blog posts. It is also possible to enable additional features:

• click on the circular avatar image in the upper right corner
• select "Products & Add-ons"
• select the feature you would like to add

With a trial account, it is also possible to create an API key to send API requests. API requests should fall within the developers' guidelines: https://developers.hubspot.com/apps/api_guidelines. To create an API key:

• click on the circular avatar image in the upper right corner
• select "Integrations"
• click on "Get your HubSpot API key"
• click the "Generate New Key" button

Information about HubSpot APIs, including example requests, is available at: developers.hubspot.com

---

Instructions for creating a HubSpot Sales account

Information about setting up a HubSpot Sales (previously Sidekick) account is available at: https://knowledge.hubspot.com/articles/kcs_article/account/how-to-sign-up-for-hubspot-sales

When signing up, use your @bugcrowdninja.com email or Gmail address. As noted above, sending phishing attacks or spam through HubSpot Sales will be grounds for permanent disqualification.

Once you have created an account, install the Chrome plugin. If using Office365 or an IMAP service, options also exist to connect to those.