
Responsible Disclosure

If you are a security expert or researcher, and you believe that you have discovered a security related issue with Deskpro’s online systems, we appreciate your help in disclosing the issue to us responsibly.

We ask the security research community to give us an opportunity to correct a vulnerability before publicly disclosing it. Thank you.

Responsible Disclosures

Reporting

Please send submissions to security@deskpro.com. A PGP key is available if you wish to encrypt your report.

Please review our standard terms before you begin.

Bug Bounty Program

Deskpro awards bounties based on severity and impact, at our own discretion. Here are typical reward values:

  • Critical: Awards up to $3,000. Examples: Remote Code Execution, SQL Injection
  • High: Awards up to $1,000. Examples: Significant Broken Authentication or Session Management, High-impact XSS (Stored), CSRF, and Privilege Escalation on critical functionality.
  • Medium: Awards up to $500. Examples: Access Control Bypass, Privilege Escalation, Low-impact XSS, CSRF, Open URL Redirection, Directory Traversal.
  • Low: Awards up to $100. Examples: Information Leakage, Incorrect API access controls, etc.

We appreciate all submissions. Even for submissions that don't result in a payout, we are happy to recommend you via a recognized bug bounty or security website, or you can choose to be listed on our hall of fame.

Targets in Scope

Deskpro Product

The Deskpro product itself is available in two forms. You can download and run it on-premise, or we run a SaaS version of it in our cloud. The product is the same in both cases. The Deskpro Product is a help desk application you can run in your browser. It can broadly be split into three pieces:

  1. The public help center. This is a user interface published by an organization for use by their users or customers. For example, KB articles, news, new ticket forms, chat, etc.
  2. The agent interface: This is the main interface where staff members work. For example, answering tickets, taking chats, writing new content, etc.
  3. The admin interface: This is where admins configure the software. For example, enable or disable features, define API keys, add or remove categories, etc.

You can download Deskpro and run it locally for testing: https://www.deskpro.com/on-premise. The source code for Deskpro itself is included in the download if you wish to step through it.

Alternatively, you may sign up for a free hosted trial at https://www.deskpro.com/start.

Deskpro Cloud Platform

Our Cloud Platform is the technology behind the hosted/SaaS service we run on AWS. We accept submissions about bugs relating to the infrastructure of our platform, such as the servers used to run the product.

The best way to begin researching the platform is to sign up for a demo account from https://www.deskpro.com/start. This will create an instance of the product for you, and you can use that as the basis for your research.


Exclusions

While researching, refrain from:

  • Denial of Service
  • Spamming / flooding
  • Social engineering (including phishing) of Deskpro staff or contractors



Non-qualifying Vulnerabilities

There are some submissions that we can't accept for rewards. These are typically issues that we are already aware of, issues where we think the business value outweighs the low-level risk, or low-risk issues that are unlikely to result in a code change.


Here is a list of submissions that we suggest you do not report unless you can demonstrate a high-impact vulnerability. This list is a variation of Bugcrowd's list of common non-qualifying types:

  • Descriptive error messages.
  • Information disclosure with minimal security impact (e.g. stack traces, path disclosure, directory listings, logs, robots.txt, etc)
  • Clickjacking and issues only exploitable through clickjacking that have minimal impact.
  • CSRF on forms that are available to anonymous users (e.g. the contact form).
  • CSRF with negligible security impact (e.g. adding to favourites).
  • Presence of application or web browser 'autocomplete' or 'save password' functionality.
  • Lack of Secure and HTTPOnly cookie flags.
  • Lack of Security Speedbump when leaving the site.
  • Weak or missing captcha / captcha bypass.
  • SSL Attacks such as BEAST, BREACH, Renegotiation attack; SSL Forward secrecy not enabled; SSL Insecure cipher suites.
  • Missing HTTP security headers (including Anti-MIME-Sniffing header X-Content-Type-Options) that do not lead to a direct exploitation.
  • Tab nabbing.
  • Brute force, Rate-limiting, Velocity throttling, or other denial of service based issues.
  • XSS that is only possible for an administrator. For example, administrators can modify HTML templates; that is not an XSS vulnerability.
  • XSS where only possible by agents with the "can use arbitrary HTML" permission.
  • Self-XSS that has no security impact (e.g. injecting HTML into your own RTE editor).
  • Reports of third-party libraries without an actual proof-of-concept. E.g. if you are aware of a vulnerable library, then you need to submit a proof-of-concept showing that our use of the library is vulnerable.
  • Out of Scope: Anything not related to the scope defined by the "Targets" section above. E.g. email spoofing, spf/dmarc/dkim, etc.
  • Paypal / Price parameter tampering (Paypal payments are handled manually by a member of our staff).
  • Weak password policy (password policies are controlled by the account administrator, not by us).



Special Thanks

We wish to thank the following security researchers:

Yashar Shahinzadeh

Raja Uzair Abdullah

Vanshit Malhotr

Rohan Kumar Birtia @c0ld_b00t3r

Osama Ansari @AnsariOsama10

Simone Memoli

Shahmeer Amir @Shahmeer_Amir

Babar Khan Akhunzada

Ali Kabeel

Hamid Ashraf

Hammad Shamsi @HammadShamsii

Salman Khan

Owais Ahmed Siddiqui

Nitin Goplani

Shahzee Mirza @shaheemirza

Daksh Patel @Dakshxss

Shivam Kumar Agarwal

Ankit Bharathan @provensec

Abdulrahman Nour RedForce

Tinu Tomy @TinuRock007

Prachi Jain

Rikesh Baniya

Sheraz Khalid

Adityan M

Agung Saputra Ch Lages (root.geek)

Kartik Charande @kartikrajput21

Abhinav Sharma @dtattoedhackers

Dhanraj Pawar LinkedIn

Hamza Farooqi

Hafi Shinwari

Amir Hossein Sharbati @hoseinroot

M.Qaisar Afridi

Gaurang Maheta

Sachin Gupta