HubSpot

  • $50 – $5,000 per vulnerability
  • Safe harbor

Updates to IDOR Vulnerabilities

We have exciting news for HubSpot!

There have been updates within HubSpot's scope as of April 06, 2023. This update brings about the following changes:

Due to HubSpot’s microservices architecture, it is not uncommon for researchers to come across IDOR vulnerabilities. When testing for IDORs, please make sure to grant the low-privileged user only the permissions that affect the specific object or feature being tested. Over-permissioning may cause false positive results (e.g. testing IDORs within CRM - Tickets but also granting Deals, Contacts, Communicate, Blogs, or any other unnecessary permissions).

Please note that there are endpoints within the HubSpot application that require any one of several scopes to access. For instance, /endpoint may require any of [scope-1, scope-2, scope-3], so over-permissioning may cause you to observe intended behavior, which could result in a “Not Applicable” submission status.

In other cases, IDOR submissions that are non-exploitable, by design, or deemed an acceptable risk to HubSpot may be marked as P5 - Informational (e.g. an endpoint revealing a private report’s metadata, such as the report title, that doesn't contain any sensitive information, but NOT the report data itself). Ultimately, IDOR findings must have a demonstrable impact on our users, their data, or their company reputation to be eligible for bounty rewards.
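As an added illustration (not HubSpot's code; the endpoint paths, scope names and portal ids are hypothetical), here is a small model of the two checks an object endpoint performs, a scope gate where any one listed scope suffices and an object-ownership check, plus a triage helper showing why an over-granted scope produces intended behavior rather than an IDOR:

```python
from dataclasses import dataclass

# Constructed model (not HubSpot code): each endpoint is reachable with ANY ONE
# of its listed scopes; object access must additionally be limited to the
# caller's own portal. Paths and scope names are hypothetical.
ENDPOINT_SCOPES = {
    "/crm/tickets/{id}": {"tickets-read"},
    "/crm/deals/{id}": {"deals-read"},
    # An endpoint that accepts any of several scopes, as the brief describes.
    "/crm/objects/{id}/activity": {"tickets-read", "deals-read", "contacts-read"},
}

@dataclass(frozen=True)
class User:
    portal_id: int
    scopes: frozenset

@dataclass(frozen=True)
class CrmObject:
    object_id: int
    portal_id: int

def handler_correct(user, endpoint, obj):
    """Scope gate, then ownership check. Returns True when access is granted."""
    if not (ENDPOINT_SCOPES[endpoint] & user.scopes):
        return False
    return obj.portal_id == user.portal_id

def handler_missing_ownership(user, endpoint, obj):
    """The IDOR pattern: scope gate only, no check that the object is the caller's."""
    return bool(ENDPOINT_SCOPES[endpoint] & user.scopes)

def triage(handler, user, endpoint, obj):
    """Classify an observed response the way the brief does.

    'idor'     - access granted to an object outside the caller's portal
    'intended' - access granted to the caller's own object because a scope the
                 user holds unlocks the endpoint (over-granting scopes lands here)
    'denied'   - no access
    """
    if not handler(user, endpoint, obj):
        return "denied"
    return "idor" if obj.portal_id != user.portal_id else "intended"
```

A tester who grants deals-read while testing Tickets and then reaches /crm/deals/{id} for their own portal's object has observed intended behavior; only the cross-portal grant from the ownership-less handler is an IDOR.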

As always, please be sure to review the program brief in detail, and if you have any questions, please reach out to support@bugcrowd.com.

Happy Hunting!