Our development team has up to 90 days to implement a fix based on the severity of the report. Please allow for this process to fully complete before you publicly disclose the vulnerability.
- Our online services (GitHub Pages).
- Version disclosure.
- Lack of security headers.
- Cookies without a secure flag.
- Recently disclosed 0-day vulnerabilities
- Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.
- Vulnerabilities that are contingent on physical attack, social engineering, spamming, DDOS attack, etc.
- Vulnerabilities affecting outdated or unpatched browsers.
- Bugs that have not been responsibly investigated and reported.
- Issues that aren't reproducible.
- Issues that we can't reasonably be expected to do anything about.
- Our open-source projects.
Please report security issues to the email address found on https://www.freshbooks.com/policies/responsible-disclosure