
Found XSS in Help Scout, apparently they don’t pay for bug reports - wilddeer
Found a pretty serious XSS in Help Scout. It's trivial to force the user to trigger it, and after that you can pretty much do whatever you want: steal, modify and delete emails, steal user credentials, etc.

Turns out they don't have any bug bounty program. Their HackerOne program is suspended (https://hackerone.com/helpscout). Judging by the links on that page, there was once info regarding bug reporting on their security policy page; it's all cleaned up now.

Also, their HackerOne suspension notice is... ehm... "catch up on the backlog of reports and prioritize other improvements". Prioritizing new features over a backlog of security reports, mkay.
======
wilddeer
Oh, and I did write to them directly, by the way. They told me there won’t be
any reward.

