Responsible Disclosure Program

Welcome to FreeAgent’s Vulnerability Disclosure Program! If you believe you have discovered a security vulnerability in FreeAgent products or have experienced a security incident related to FreeAgent products, please report the issue to aid in its resolution. Below, you will be able to find further information regarding submitting a security bug.

Reporting a Potential Security Vulnerability

If you wish to report any suspected vulnerability, please privately share full details of the suspected vulnerability via the submission form. Please refer to the security-related information and guidance below before submitting a new vulnerability.

Responsible Disclosure Program Guidelines

Please do:

  • Do Privately Share: Confidentially communicate the identified potential security flaw to FreeAgent before making it known to external parties or the general public.
  • Do Provide Comprehensive Details: Present a comprehensive, step-by-step account of the detected security vulnerability, along with intricate specifics about the implicated technology. This enables FreeAgent to replicate and validate the issue for the purpose of implementing a remedy.
  • Do Wait for Confirmation: Await acknowledgement from the FreeAgent security team regarding the successful resolution of the reported security vulnerability. As the resolution duration may vary depending on the complexity, sustaining an open channel of communication and establishing feasible remediation timelines is crucial.
  • Do Report OWASP Top 10: Submit reports for any vulnerabilities that fall within the OWASP Top 10 vulnerability categories.
  • Do Report Impactful Vulnerabilities: Disclose all other vulnerabilities that exhibit a demonstrable impact on FreeAgent or the security of FreeAgent’s clientele, encompassing instances involving the exposure of sensitive data.

Please do not:

  • Don’t Cause Harm: Engage in any activity, intentional or otherwise, that may potentially harm FreeAgent, its clients, systems, users, or applications.
  • Don’t Exploit: Attempt to exploit any identified security loophole.
  • Don’t Access Sensitive Data: Gain unauthorized access to, or make an effort to access, sensitive data.
  • Don’t Probe Further: Try to exhibit further compromise of sensitive data or initiate exploratory actions to uncover supplementary vulnerabilities.
  • Don’t Execute Harmful Actions: Execute or endeavor to execute actions such as DoS attacks, Spam attacks, Brute Force attacks, and similar methodologies that could influence the confidentiality, integrity, or availability of FreeAgent’s systems or data.
  • Don’t Engage in Unauthorized Activities: Conduct any form of physical, electronic, or social engineering attacks targeting FreeAgent’s personnel, contractors, assets, or data centers.
  • Don’t Violate Laws or Agreements: Violate any legal statutes or breach agreements in order to uncover security vulnerabilities.

Disclosure

FreeAgent requests that you do not publicly disclose any information regarding the vulnerability until it has had the opportunity to analyze the vulnerability, to respond to the notification, and to notify key users, customers, and partners.

The amount of time required to validate a reported vulnerability depends on the complexity and severity of the issue. FreeAgent takes all required security vulnerabilities very seriously and will always ensure that there is a clear and open channel of communication with the reporter. After validating an issue, FreeAgent coordinates public disclosure of the issue with the reporter in a mutually agreed timeframe and format.

FreeAgent Security Team Commitment

The FreeAgent security team will thank all security researchers who help strengthen our product and corporate infrastructure, as well as our and our customers’ security, by finding and reporting security vulnerabilities to us via our Responsible Disclosure Program.

FAQ

What can I report to FreeAgent?

You may report any bugs relating to user experience, unexpected errors, and any issues that you see as privacy and security concerns.

You can also report any rogue or phishing website, phishing email, SMS phishing (SMiShing) and voice phishing (Vishing) associated with the FreeAgent brand.

If you suspect you have already provided sensitive information, such as an ID, password or any other information related to FreeAgent, to scammers by call, SMS, email or website, then you may report the incident directly at incident@freeagentsoftware.com, immediately.

Is it authorized to perform vulnerability scanning on any of the infrastructure associated with FreeAgent?

No, not as of this date. FreeAgent currently doesn’t authorize any vulnerability assessment or related activities against its infrastructure without a formal engagement; only authorized consultants and researchers with a Non-disclosure Agreement in place can scan the FreeAgent infrastructure for an approved period as per the agreement.

Is it authorized to make a public post about the bugs I have discovered and/or reported on the FreeAgent Information System?

No, currently FreeAgent does not authorize posting of bugs associated with the FreeAgent Information System on any forums, blogs, social media, etc.

What is considered an unauthorized act and what are its implications?

Any unauthorized attempt to identify a vulnerability in any part of the FreeAgent Information Infrastructure will be considered an unauthorized act. Unauthorized acts include but are not limited to scanning, hacking attempts, source code theft, disclosure of confidential information, hosting phishing pages, phishing scams and identity impersonation of FreeAgent personnel. An unauthorized act may attract appropriate disciplinary action at the sole discretion of the management.

Is there any reward for reporting bugs, or does FreeAgent plan to introduce one in the future?

While FreeAgent is not currently offering a bug bounty, it is on the roadmap. The launch of such a program will be announced officially through an update on this page. However, as an exception to the ongoing roadmap, based on the severity of the reported bug/security issue, the company may make an internal decision on whether the vulnerability qualifies for a bounty.