Responsible Disclosure

If you are a security expert or researcher, and you believe that you have discovered a security related issue with Deskpro’s online systems, we appreciate your help in disclosing the issue to us responsibly. We ask the security research community to give us an opportunity to correct a vulnerability before publicly disclosing it.

Reporting

Please send submissions to security@deskpro.com (click here for our PGP key). You may also send us a secure message via Protonmail at deskpro-security@protonmail.com.

Please review our standard terms before you begin.

View our Standard Terms

Bug Bounty Program

If you are a security expert or researcher, and you believe that you have discovered a security related issue with Deskpro’s online systems, we appreciate your help in disclosing the issue to us responsibly. We ask the security research community to give us an opportunity to correct a vulnerability before publicly disclosing it.

Deskpro has adopted Bugcrowd's Vulnerability Rating Taxonomy (VRT) for prioritizing reported bugs. We currently pay out for P1-P3 vulnerabilities, and some P4 vulnerabilities also qualify.

View PDF

• P1 Typically $500 to $5,000
• P2 - up to $1,000
• P3 - up to $500
• P4 - up to $250

We appreciate all submissions. Even for submissions that don't result in a payout (such as some P4 issues or >P4 issues), we are happy to recommend you via a recognized bug bounty or security website, or you can choose to be listed on our hall of fame.

Targets in Scope

Deskpro Product

The Deskpro product itself is available in two forms. You can download and run it on-premise, or we run a SaaS version of it in our cloud. The product is the same in both cases. The Deskpro Product is a helpdesk application you can run in your browser. It can broadly be split into three pieces:

1. The public help center. This is a user portal published by an organization for use by their users or customers. For example, KB articles, news, new ticket forms, chat, etc.
2. The agent interface: This is the main interface where staff members work. For example, answering tickets, taking chats, writing new content, etc.
3. The agent interface: This is where admins configure the software. For example, enable or disable features, define API keys, add or remove categories, etc.

You can download Deskpro and run it locally for testing: https://www.deskpro.com/on-premise-download/. The source code for Deskpro itself is included in the download if you wish to step through it.

Alternatively, you may sign up for a free hosted trial at https://www.deskpro.com/start/

Deskpro Cloud Platform

Our Cloud Platform is the technology behind our hosted/SaaS service we run on AWS. We accept submissions about bugs relating to the infrastructure of our platform such as the servers used to run the product.

The best way to begin researching the platform is to sign up for a demo account from https://www.deskpro.com/start/. This will create an instance of the product for you, and you can use that as the basis for your research.

Exclusions

While researching, refrain from:

• Denial of Service
• Spamming / flooding
• Social engineering (including phishing) of Deskpro staff or contractors

Non-qualifying Vulnerabilities

There are some submissions that we can't accept for rewards. These are typically issues that we already are aware of, or issues that we think demonstrate business value that outweighs low-level risk, or low-risk issues that are unlikely to result in a code change.

Here is a list of submissions that we suggest you do not report unless you can demonstrate a high-impact vulnerability. This list is a variation of Bugcrowd's list of common non-qualifying types:

• Descriptive error messages.
• Information disclosure with minimal security impact (e.g. stack traces, path disclosure, directory listings, logs, robots.txt, etc)
• Clickjacking and issues only exploitable through clickjacking that have minimal impact.
• CSRF on forms that are available to anonymous users (e.g. the contact form).
• CSRF with negligible security impact (e.g. adding to favourites).
• Presence of application or web browser 'autocomplete' or 'save password' functonality.
• Lack of Secure and HTTPOnly cookie flags.
• Lack of Security Speedbump when leaving the site.
• Weak or missing captcha / captcha bypass.
• SSL Attacks such as BEAST, BREACH, Renegotiation attack; SSL Forward secrecy not enabled; SSL Insecure cipher suites.
• Missing HTTP security headers (including Anti-MIME-Sniffing header X-Content-Type-Options) that do not lead to a direct exploitation.
• Tab nabbing.
• XSS where only possible by an administrator. E.g. administrators can modify HTML templates, that is not an example of an XSS vulnerability.
• Self-XSS that has no security impact (e.g. injecting HTML into your own RTE editor).
• Reports of third-party libraries without an actual proof-of-concept. E.g. if you are aware of a vulnerable library, then you need to submit a proof-of-concept showing that our use of the library is vulnerable.
• Out of Scope: Anything not related to the scope defined by the "Targets" section above. E.g. email spoofing, spf/dmarc/dkim, etc.
• Paypal / Price parameter tampering (Paypal payments are handled manually by a member of our staff).
• Weak passwork policy (password policies are controlled by the account administrator, not by us).

Special Thanks

We wish to thank the following security researchers:

• Yashar Shahinzadeh
• Raja Uzair Abdullah
• Vanshit Malhotr
• Rohan Kumar Birtia @c0ld_b00t3r
• Osama Ansari @AnsariOsama10
• Simone Memoli
• Shahmeer Amir @Shahmeer_Amir
• Babar Khan Akhunzada
• Ali Kabeel
• Hamid Ashraf
• Hammad Shamsi @HammadShamsii
• Salman Khan Champion Dezign Burg
• Owais Ahmed Siddiqui
• Nitin Goplani
• Shahzee Mirza @shaheemirza
• Daksh Patel @Dakshxss
• Shivam Kumar Agarwal @netanalysts
• Ankit Bharathan @provensec
• Abdulrahman Nour RedForce
• Tinu Tomy @TinuRock007
• Prachi Jain
• Rikesh Baniya
• Sheraz Khalid