Zendesk aims to keep its Service safe for everyone, and data security is of utmost priority. If you are a security researcher and have discovered a security vulnerability in the Service, we appreciate your help in disclosing it to us privately and giving us an opportunity to fix it before publishing technical details.
How can I participate?
If you discover a security vulnerability, we encourage you to report it by following these steps:
- Sign up for an account at hackerone.com, if you do not have one already.
- Share the details of any suspected vulnerabilities by filing a report.
- Our Security Ops team will evaluate your report and inform you of its status.
- Reports that carry an acceptable risk but demonstrate a valid security-related behavior will be closed as informative.
- Identical reports will be marked as “Duplicate[s]” of the original submission; the original report can be marked as (but is not limited to) “Triaged”, “N/A”, or “Informative.”
- If you are the first to submit a report for a valid vulnerability, our team will be in contact with you to discuss the conditions of the bounty. Any duplicate reports will not be rewarded.
In your report, please include the following information:
- Vulnerable URL - the endpoint where the vulnerability occurs;
- Vulnerable Parameter - if applicable, the parameter where the vulnerability occurs;
- Vulnerability Type - the type of the vulnerability;
- Steps to Reproduce - step-by-step information on how to reproduce the issue;
- Screenshots or Video - a demonstration of the attack; and
- Attack Scenario - an example attack scenario may help demonstrate the risk and get your issue resolved faster.
Where can I find more information?
This article is meant to be a brief overview of Zendesk's Bug Bounty Program. For full details, please view our official posting here: https://hackerone.com/zendesk