If you are a security expert or researcher, and you believe that you have discovered a security-related issue with Deskpro’s online systems, we appreciate your help in disclosing the issue to us responsibly. We ask the security research community to give us an opportunity to correct a vulnerability before publicly disclosing it.
Please send submissions to security@deskpro.com (click here for our PGP key). You may also send us a secure message via Protonmail at deskpro-security@protonmail.com.
Please review our standard terms before you begin.
Deskpro has adopted Bugcrowd's Vulnerability Rating Taxonomy (VRT) for prioritizing reported bugs. We currently pay out for P1-P3 vulnerabilities, and some P4 vulnerabilities also qualify.
We appreciate all submissions. Even for submissions that don't result in a payout (such as some P4 issues or >P4 issues), we are happy to recommend you via a recognized bug bounty or security website, or you can choose to be listed on our hall of fame.
The Deskpro product itself is available in two forms. You can download and run it on-premise, or we run a SaaS version of it in our cloud. The product is the same in both cases. The Deskpro Product is a helpdesk application you can run in your browser. It can broadly be split into three pieces:
You can download Deskpro and run it locally for testing: https://www.deskpro.com/on-premise-download/. The source code for Deskpro itself is included in the download if you wish to step through it.
Alternatively, you may sign up for a free hosted trial at https://www.deskpro.com/start/
Our Cloud Platform is the technology behind the hosted/SaaS service that we run on AWS. We accept submissions about bugs relating to the infrastructure of our platform, such as the servers used to run the product.
The best way to begin researching the platform is to sign up for a demo account from https://www.deskpro.com/start/. This will create an instance of the product for you, and you can use that as the basis for your research.
There are some submissions that we can't accept for rewards. These are typically issues that we are already aware of, issues where we think the business value outweighs a low-level risk, or low-risk issues that are unlikely to result in a code change.
Here is a list of submissions that we suggest you do not report unless you can demonstrate a high-impact vulnerability. This list is a variation of Bugcrowd's list of common non-qualifying types:
We wish to thank the following security researchers: