Vulnerability Disclosure Program (VDP)
Welcome to Xero's VDP. Please take a moment to read the information below before disclosing a security issue.
Scope
Out-of-scope activities
Xero considers the following activities either potentially harmful to the platform, or not helpful in securing our specific environment or applications:
- Social engineering, including phishing
- Network DoS/DDoS
- Brute-force attacks
- Physical attacks
- Anything that modifies or destroys data
Out-of-scope vulnerability types
Xero considers the following vulnerability classes as out of scope:
- Missing web security headers
- Phishing-enablement-related issues, eg, tabnabbing
- Email server misconfiguration issues (SPF, DKIM, DMARC)
- No CSRF on logout button
- Lack of CSP security header and X-frame bypass
- Security-related cookie flags
- Wide SSL certificate scope
- Weak SSL ciphers / Insufficient TLS versions enabled
- Email template injection
- Results from automated tooling
- Broken links or redirects
- Internal IP address disclosure
- Minor infrastructure detail disclosure without significant impact
- Verbose error messages without significant impact
- Insecure HTTP request methods
- Issues related to unsupported browser versions
- Issues related to robots.txt
Safe harbour
Provided you're conducting vulnerability research in line with the terms set out here, we consider this research to be:
- authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
- exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
- exempt from restrictions in our terms of use or other relevant terms and conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
- lawful, helpful to the overall security of the Internet, and conducted in good faith.
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please create a ticket with Bugcrowd Support for clarification before proceeding.
Terms of service
- Do not cause harm to Xero, its customers, shareholders, partners, or employees.
- Do not engage in any act that may cause an outage or stop any of Xero’s services.
- Do not engage in illegal activities, and ensure compliance with all applicable national, international, federal, state, and local laws and regulations.
- All activities performed must comply with the Xero terms of use, or any other relevant Xero terms.
Reward policy
Xero does not offer compensation for vulnerability disclosures. However all efforts to help make Xero more secure are greatly appreciated, especially high quality or high impact submissions.
Report quality
If you would like to submit a vulnerability report that Xero is likely to assess as high quality, please consider including the following in your submission:
- A thorough description of the issue, with clear and concise steps to reproduce.
- A detailed summary of the impact of the vulnerability.
- Clear proof of reliable reproduction of the vulnerability, such as screenshots, screen recordings, and so on.