Zendesk will engage with security researchers when vulnerabilities are reported to us as described here. We will validate, respond, and fix vulnerabilities in support of our commitment to security and privacy. We won’t take legal action against, suspend, or terminate access to the Service of those who discover and report security vulnerabilities responsibly. Zendesk reserves all of its legal rights in the event of any noncompliance.
How can I participate?
If you discover a security vulnerability, we encourage you to report it by following these steps:
- Sign up for an account at hackerone.com, if you do not have one already.
- Share the details of any suspected vulnerabilities by filing a report
- Our Security Ops team will evaluate your report and inform you of the status of your report.
- Reports that carry an acceptable risk but demonstrate a valid security-related behavior will be closed as informative
- Identical reports will be marked as “Duplicate[s]” of the original submission; the original report can be marked as (but not limited) to “Triaged”, “N/A”, or “Informative.”
- If you are the first to submit a report for a valid vulnerability, our team will be in contact with you to discuss the conditions of the bounty. Any duplicate reports will not be rewarded.
In your report, please include the following information:
- Vulnerable URL - the endpoint where the vulnerability occurs;
- Vulnerable Parameter - if applicable, the parameter where the vulnerability occurs;
- Vulnerability Type - the type of the vulnerability;
- Steps to Reproduce - step-by-step information on how to reproduce the issue
- Screenshots or Video - a demonstration of the attack; and
- Attack Scenario - an example attack scenario may help demonstrate the risk and get your issue resolved faster.
Where can I find more information?
This article is meant to be a brief overview of Zendesk's Bug Bounty Program. For full details, please view our official posting here: https://hackerone.com/zendesk