Security: freshbooks/sparkplug

Security

SECURITY.md

Responsible Disclosure

Our development team has up to 90 days to implement a fix based on the severity of the report. Please allow for this process to fully complete before you publicly disclose the vulnerability.

Out of Scope

  • Our online services (GitHub Pages).
  • Version disclosure.
  • Lack of security headers.
  • Cookies without a secure flag.
  • Recently disclosed 0-day vulnerabilities.
  • Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.
  • Vulnerabilities contingent on physical attack, social engineering, spamming, DDoS attack, etc.
  • Vulnerabilities affecting outdated or unpatched browsers.
  • Bugs that have not been responsibly investigated and reported.
  • Issues that aren't reproducible.
  • Issues that we can't reasonably be expected to do anything about.

Scope

  • Our open-source projects.

Report a bug

Please report security issues to the email address found on https://www.freshbooks.com/policies/responsible-disclosure

There aren’t any published security advisories