Vulnerability
Disclosure Program

What is the VDP?

Safeguarding the security and integrity of the Five9 platform is critical to the service we provide to our customers, and we are dedicated to providing a secure product. We acknowledge, and value the experience, that the security research community frequently provides, and Five9 recognizes that developing a close relationship with the community will help improve our own security.

If you have discovered or believe you have discovered potential security vulnerabilities within Five9 services, we urge you to disclose your discovery to us in accordance with this Responsible Disclosure Program. Please be aware that this program has no monetary awards.

VDP Abstract

Where Do I Start?

Discovering Security Vulnerabilities

We encourage responsible security research on the Five9 services and products. Upon prior written approval we permit you to conduct vulnerability research and testing on the Five9 Services to which you have authorized access. Requests are to be sent to privacy@five9.com.

In no scenario shall your research and testing involve:

  1. Accessing, or attempting to access, accounts or data that does not belong to you or your Authorized Users,
  2. Any attempt to modify or destroy any data,
  3. Executing, or attempting to execute, a denial of service attack,
  4. Sending, or attempting to send, unsolicited or unauthorized email, spam or other forms of unsolicited messages to any Five9 employee or contractor
  5. Testing third party websites, applications or services that integrate with Five9 Services,
  6. Posting, transmitting, uploading, linking to, sending or storing malware, viruses or similar harmful software, or otherwise attempting to interrupt or degrade the Five9 services, and
  7. Any activity that violates any applicable law, or breaching any agreements in order to discover vulnerabilities

Issues not to Report

  1. Disclosure of known public files or directories (e.g. robots.txt)
  2. Banner disclosure on common/public services
  3. HTTP/HTTPS/SSL/TLS security header configuration suggestions
  4. Lack of Secure/HTTPOnly flags on non-sensitive cookies
  5. Phishing or Social Engineering Techniques
  6. Presence of application/web browser 'autocomplete' or 'save password' operations
  7. Sender Policy Framework (SPF) configuration suggestions
  8. DMARC configurations

Reporting Security Vulnerabilities

Pending written approval from Five9 to conduct the research, if you believe you have discovered a security vulnerability issue, please share the details with Five9 by filling the form below.

Safe Harbor

When conducting vulnerability research according to this policy, we consider this research to be:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy
  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.
  • You are expected, as always, to comply with all applicable laws.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please inquire via support@bugcrowd.com before going any further.

Five9 Security Team Commitment

Please understand that your research is considered the Confidential Information of Five9 and any publication, reproduction or other distribution of any of the research is expressly prohibited without Five9’s prior written consent. If you responsibly submit a vulnerability report, the Five9 security team and associated development organizations will use reasonable efforts to:

  1. Respond in a timely manner, acknowledging receipt of your vulnerability report
  2. Provide an estimated time frame for addressing the vulnerability report
  3. Notify you when the vulnerability has been fixed

Report A Vulnerability or Bug