Pipedrive Vulnerability Disclosure Program
How Pipedrive handles security vulnerabilities
At Pipedrive, we take privacy and security very seriously.
We are committed to do everything we can to ensure the security of your data.
Reporting security issues
If you have discovered a security issue that you believe we should know about or have a security incident to report, please let us know about it and we will make every effort to quickly correct the issue.
As part of your research, do not intentionally view or access any data beyond what is needed to prove the vulnerability.
Privately share the details of the vulnerability or incident with Pipedrive security team by sending an email to security[at]pipedrive.com
Pipedrive's vulnerability disclosure policy
We ask you to abide by the following Pipedrive disclosure guidelines:
- Unless Pipedrive gives you permission, do not disclose any issues to the public or to any third parties.
- Please do not discuss vulnerabilities (even resolved ones) outside of the program without express consent from Pipedrive.
Bug submission requirements
When submitting a vulnerability or incident, please provide:
- the detailed description of the issue, the exploitability and impacts.
- the reproducible steps (if applicable) - if we cannot reliably reproduce the issue, we cannot fix it.
- Pipedrive company ID and name that you used.
All submissions must provide evidence and explanation of all steps required to reproduce the issue, which may include:
- PoC (videos, screenshots, payloads, web/API requests and responses)
- Users permissions and visibility groups (when reporting escalation or abuse of privileges in a company)
- References and recommendations.
The following actions are strictly prohibited and void reward eligibility
- Denial of Service attacks
- Any physical attempts against Pipedrive property or data centers
- Social engineering of Pipedrive staff or contractors
- Compromise of Pipedrive users or employees account