Responsible Disclosure Program

FreeAgent works vigilantly to keep customer information secure, and we recognise the important role that security researchers can help play in both maintaining and improving our security posture.

Responsible disclosure

A disclosure is something you want to tell us about which impacts the confidentiality, integrity, or availability of FreeAgent’s systems and/or our customers’ data. We encourage security researchers who can, in good faith, identify vulnerabilities in our web and mobile applications by following the process and principles set out in this program below.

Guidelines

To promote the discovery and reporting of vulnerabilities, we ask that you provide a thorough proof-of-concept/replication of your findings including the steps taken; any videos and images; a fully documented description and business impact detailed.

  • You must create and use your own specific free trial account (sign-up here: https://signup.freeagent.com/signup) for the purposes of researching and identifying vulnerabilities;
  • You must share the security issue in full detail to FreeAgent only;
  • You must act in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our services (including Denial of Service);
  • You must comply with all applicable laws; and
  • You should understand that FreeAgent will take all valid reports seriously;

We will not entertain reports involving any of the following specific activities which are explicitly forbidden:

  • Please do not perform any social engineering attacks;
  • Please do not carry out any distributed denial of service (DDoS) attacks, including large scale account enumeration or brute force that might lead to the lock-out of a real user's account;
  • Please do not use any automated vulnerability/scanning tools (existing measures in place may permanently block an offending IP address); and
  • Please do not carry out any attack against our corporate email (@freeagent.com) and associated infrastructure.

Scope

In defining our program, we want to ensure parameters and scope are clearly defined so we can maximise our efforts in responding and ultimately fixing any vulnerabilities.

We want to exclude reports on trivial findings, including findings already available in the public domain (eg. Qualys’ SSL Test or equivalent); findings with no impact on our customers’ data (eg. content on the corporate website at www.freeagent.com); or findings on 3rd party sites that we cannot (easily) affect or control (although we will still take note and push upstream if impactful).

Please email your submission to: disclosure@freeagent.com

Targets

The following targets only will be considered in-scope:

  • signup.freeagent.com/*
  • yourSubDomain.freeagent.com/* (please note this must be your trial account)
  • dev.freeagent.com/*
  • api.sandbox.freeagent.com/*
  • api.freeagent.com/*
  • FreeAgent iOS app
  • FreeAgent Android app

All other targets and FreeAgent web presence should be considered out-of-scope, including the following:

  • anyOtherSubdomain.freeagent.com/*
  • www.freeagent.com/*
  • support.freeagent.com/*
  • api-discuss.freeagent.com/*
  • community.freeagent.com/*
  • engineering.freeagent.com/*

Out of scope

The following reported issues would be considered to be outside the scope of our program:

  • Our policies on the presence/absence of SPF/DMARC records.
  • Password, email and account policies, such as email id verification, reset link expiration, password complexity.
  • Attacks requiring physical access to a user's device.
  • Host header injections unless you can show how they can lead to stealing user data.
  • Reports of spam (ie. any report involving the ability to send emails unless the applicable rate limits we enforce can be bypassed).
  • Attacks that require an attacker application to have the permission to overlay on top of our mobile application(s) (eg. tapjacking).
  • Vulnerabilities affecting users of outdated browsers or platforms.
  • Vulnerabilities involving active content such as web browser add-ons.
  • Social engineering of FreeAgent employees, contractors or customers.
  • Any physical attempts against FreeAgent property or data centers.
  • Any report that discusses how you can learn whether a given username or email address has a FreeAgent account.
  • Any access to data where the targeted user needs to be operating a jailbroken/rooted mobile device.
  • Content spoofing vulnerabilities (where you can only inject text or an image into a page) are out of scope. We will accept and resolve a spoofing vulnerability where an attacker can inject an image or rich text (HTML). Pure text injection is out of scope.
  • Ability to share links without verifying email.
  • Absence of rate limiting, unless related to authentication.
  • IP/Port Scanning via FreeAgent services unless you are able to hit private IPs or FreeAgent servers.
  • Devices (iOS, Android) not getting unlinked on password change.
  • Phishing risk via unicode/punycode or right-to-left-override (RTLO) issues.
  • Disclosure of public information or information that does not present risk to FreeAgent or our customers (eg. web server type disclosure).
  • Vulnerabilities contingent on a client system previously being compromised.

Confidentiality

Information relating to our technology and information security arrangements is confidential. Any information you receive or collect about FreeAgent or any of our customers as part of your research prior to making a Responsible Disclosure submission, as detailed in this program, must be kept confidential and only used in connection with the Responsible Disclosure. You may not use, disclose or distribute any such information without our prior written consent. Any such information should be deleted once your submission has been received.

Disclaimer

FreeAgent reserves the right to change or withdraw this program at any time and is under no obligation to reward any submission in any way. We will not negotiate in response to duress or threats (eg. threat of withholding the vulnerability, or of releasing the vulnerability or any exposed data to the public). In any and all such cases, we will engage the appropriate authorities as necessary.