Skip to main content
Image
hero background VDP

Five9 Vulnerability Disclosure Policy

We welcome responsible disclosure of security vulnerabilities affecting Five9 products, services, and infrastructure.

If you believe you’ve identified a security vulnerability, please report it to cybersecurity@five9.com. We review every legitimate report and work with researchers toward responsible resolution.
 

Info icon
Machine-readable security contacts are available via RFC 9116:

https://www.five9.com/.well-known/security.txt

Check icon In Scope

Please report vulnerabilities affecting Five9-owned assets, including:
 

  • Check icon Five9-owned domains and subdomains
  • Check icon Five9 cloud services and infrastructure
  • Check icon Public APIs and developer interfaces
  • Check icon Mobile applications (iOS and Android)
  • Check icon Customer portals and administrative interfaces
  • Check icon Other Five9-operated Internet-facing assets

Cross icon Out of Scope

The following are generally out of scope:

  • Cross icon Third-party services and integrations
  • Cross icon Social engineering (e.g. phishing, vishing)
  • Cross icon Physical attacks and access to facilities
  • Cross icon Encrypted traffic interception / decryption
  • Cross icon Rate limiting or throttling issues
  • Cross icon Missing SPF/DMARC records only
  • Cross icon Self-XSS and other low-impact issues
  • Cross icon Clickjacking without security impact
  • Cross icon Version disclosure
  • Cross icon Best-practice recommendations without exploitability

How to Report


Please report security vulnerabilities by emailing cybersecurity@five9.com. We prefer encrypted email using our PGP key.

Please include as many of the following details as possible:

  • Affected asset (URL, IP, hostname)
  • Vulnerability description
  • Steps to reproduce
  • Proof of concept (PoC)
  • Impact and severity
  • Screenshots or logs
  • Timestamps
  • Source IP address (if applicable)
  • Whether customer data was accessed (Y/N)
  • Any other relevant information

If you have any questions about whether something is in scope, please email us before testing.

Safe Harbor


Five9 is committed to supporting responsible security research. In accordance with this policy:

  • We will not pursue legal action against researchers acting in good faith within the scope of this policy
  • Please do not perform actions that could degrade service availability or impact other users
  • Triage and validate reported issues
  • Do not access, modify, or retain customer data beyond what is necessary to demonstrate the issue
  • Immediately stop testing and notify us if you encounter customer information

 

Five9 Security Team Commitment


We take every report seriously. We strive to:

  • Acknowledge reports within 3 business days
  • Provide status updates when appropriate
  • Triage and validate reported issues
  • Remediate validated issues based on risk
  • Coordinate disclosure when appropriate
  • Credit researchers when mutually agreed

Five9 does not currently offer monetary rewards under this Vulnerability Disclosure Policy.

Coordinated Disclosure


Researchers should not publicly disclose vulnerabilities until Five9 has:

  • Completed remediation, or
  • Provided written approval for disclosure

Please work with us to coordinate disclosure in a way that keeps our customers and the broader community safe.

 

Authorized Testing Guidelines


When testing Five9 systems, please:

  • Avoid actions that may impact customers or degrade service availability
  • Avoid automated high-volume scanning or denial of service testing
  • Do not modify or destroy data
  • Immediately stop if customer information is encountered
  • Follow all applicable laws and regulations
Encryption icon

Encryption (PGP Key)

We prefer encrypted email. You can download our current PGP public key here:

https://www.five9.com/.well-known/publickey.txt

Info icon

Questions?

For security reports or policy questions:

cybersecurity@five9.com