Five9 Vulnerability Disclosure Policy
We welcome responsible disclosure of security vulnerabilities affecting Five9 products, services, and infrastructure.
If you believe you’ve identified a security vulnerability, please report it to cybersecurity@five9.com. We review every legitimate report and work with researchers toward responsible resolution.
Machine-readable security contacts are available via RFC 9116:
In Scope
Please report vulnerabilities affecting Five9-owned assets, including:
Five9-owned domains and subdomains
Five9 cloud services and infrastructure
Public APIs and developer interfaces
Mobile applications (iOS and Android)
Customer portals and administrative interfaces
Other Five9-operated Internet-facing assets
Out of Scope
The following are generally out of scope:
Third-party services and integrations
Social engineering (e.g. phishing, vishing)
Physical attacks and access to facilities
Encrypted traffic interception / decryption
Rate limiting or throttling issues
Missing SPF/DMARC records only
Self-XSS and other low-impact issues
Clickjacking without security impact
Version disclosure
Best-practice recommendations without exploitability
How to Report
Please report security vulnerabilities by emailing cybersecurity@five9.com. We prefer encrypted email using our PGP key.
Please include as many of the following details as possible:
- Affected asset (URL, IP, hostname)
- Vulnerability description
- Steps to reproduce
- Proof of concept (PoC)
- Impact and severity
- Screenshots or logs
- Timestamps
- Source IP address (if applicable)
- Whether customer data was accessed (Y/N)
- Any other relevant information
If you have any questions about whether something is in scope, please email us before testing.
Safe Harbor
Five9 is committed to supporting responsible security research. In accordance with this policy:
- We will not pursue legal action against researchers acting in good faith within the scope of this policy
- Please do not perform actions that could degrade service availability or impact other users
- Triage and validate reported issues
- Do not access, modify, or retain customer data beyond what is necessary to demonstrate the issue
- Immediately stop testing and notify us if you encounter customer information
Five9 Security Team Commitment
We take every report seriously. We strive to:
- Acknowledge reports within 3 business days
- Provide status updates when appropriate
- Triage and validate reported issues
- Remediate validated issues based on risk
- Coordinate disclosure when appropriate
- Credit researchers when mutually agreed
Five9 does not currently offer monetary rewards under this Vulnerability Disclosure Policy.
Coordinated Disclosure
Researchers should not publicly disclose vulnerabilities until Five9 has:
- Completed remediation, or
- Provided written approval for disclosure
Please work with us to coordinate disclosure in a way that keeps our customers and the broader community safe.
Authorized Testing Guidelines
When testing Five9 systems, please:
- Avoid actions that may impact customers or degrade service availability
- Avoid automated high-volume scanning or denial of service testing
- Do not modify or destroy data
- Immediately stop if customer information is encountered
- Follow all applicable laws and regulations
Encryption (PGP Key)
We prefer encrypted email. You can download our current PGP public key here: