Security

If you discover a security vulnerability, we would love to hear about it.
By reporting security issues you are helping keep our platform safe & secure for everyone.

Reporting security issues

Email us at security@activecampaign.com
Please allow several business days for us to acknowledge.
We will keep you in the loop as we replicate and resolve reported issues.

Guidelines

  • We are NOT accepting any XSS reports that require a logged-in user to add the XSS vulnerability. We accept ONLY XSS reports that are public facing and can be done without being authenticated.

  • We are currently NOT accepting reports of X-FRAME, CSRF, clickjacking, or token-related security issues. These have been well documented internally and plans are in place already.

  • We are currently NOT accepting reports of security issues related to cookie theft / session hijacking. These have been well documented internally and plans are in place already.

  • We are only looking for issues with our marketing platform. We are not looking for any items that involve third-party integrations, our general sales, site, etc.

  • Provide detailed steps to reproduce the vulnerability.
  • Let us know if you would like to be listed on our “thanks” page.
  • Avoid anything that could cause service disruptions.
  • Avoid any unauthorized data access. Test on your account only.
  • Understand that we do not offer any cash bounties at this time.
  • We receive duplicate reports of issues often. In such cases, we will only list the original reporter and not all reporters on our "Thanks" list.
  • Do NOT run any automated testing tools against our web site or our application.

Thanks

The following researchers have helped keep ActiveCampaign safe and secure with responsible vulnerability disclosures: