Responsible Disclosure Policy
Zendesk aims to keep its Services safe for everyone, and the security of our Products & data is of utmost priority. In addition to our own security program, Customers, prospective customers and security researchers are welcome to perform penetration testing on Zendesk instances that they own (or have explicit consent from the owner) at their discretion, but must abide by the following terms:
- In no event are you permitted to access, download or modify data residing in any other account. If you wish to test cross-account or access control vulnerabilities you must create multiple Zendesk instances.
- You are prohibited from attempting to social engineer Zendesk staff, including contacting Zendesk via our Support channels without identifying yourself as a security researcher.
- You are prohibited from attempting to upgrade your trial account to a paid account without payment or otherwise attempting to circumvent charges or fees.
- You are prohibited from executing or attempting to execute a Denial of Service attack.
- Knowingly posting, transmitting, uploading, linking to, sending or storing any malicious or illegal software or files. You can find details on how we handle malicious attachments here.
- Testing in a manner that would result in the sending of unsolicited or unauthorised junk mail, spam, pyramid schemes or other forms of duplicative or unsolicited messages.
- Attempting to rename an account or testing of the account name change functionality.
Reporting Security Vulnerabilities to Zendesk
As a security researcher or individual
If you are a security researcher and have discovered a security vulnerability in our Services, we appreciate your help in disclosing it to us in a responsible manner.
Our responsible disclosure process is hosted by HackerOne’s bug bounty program. Our program encompasses the majority of our Products; please visit our HackerOne page to report any security vulnerabilities and access further details on our scope:
Only vulnerabilities submitted via this channel will be eligible for a reward. If you’ve previously responsibly disclosed a vulnerability to us, thank you. Our list of top contributors also lives at HackerOne and can be found here.
As a customer or prospective customer
If you are reporting a single vulnerability, please reach out to us via our Support channels, either through our widget or via our web form so we can properly assist you with your report.
We also welcome penetration testing report submissions if you or a third party have performed authorised testing on your account. You can pass reports through your account manager, customer success manager, through the channels mentioned above, or email the results directly to [email protected]. If you are submitting a report, we ask that it contains at a minimum:
- The dates testing occurred;
- The vendor/party(ies) that performed the assessment;
- A clear explanation of the criteria on which vulnerabilities have been assessed for severity/risk (CVSS, likelihood/impact);
- At least the following for each vulnerability:
  - Name & description;
  - Severity/risk, and;
  - Clear screenshots, steps to reproduce or other evidence of the presence of the vulnerability.
If you are concerned about the sensitivity or confidentiality of your report, please let us know in your message and a member of our Security team will be in touch with secure delivery options.