  • $300 – $10,000 per vulnerability
  • Safe harbor
  • Managed by Bugcrowd

Program stats

421 vulnerabilities rewarded

Validation within 3 days
75% of submissions are accepted or rejected within 3 days

$898.04 average payout (last 3 months)


Bugcrowd orchestrates the creativity of the crowd to solve some of cybersecurity's toughest challenges. Our own security is our highest priority.

If you think you’ve found a security vulnerability in our systems, we invite you to report it to us via our platform. We commit to working with you to get it assessed and handled appropriately, and offer cash rewards for valid, unique vulnerability reports.

This program is for reporting potential security vulnerabilities only. If you want to report a functional bug, require assistance with a submission, or have a general question, please visit our contact page.

We’ve set up a bounty on the Bugcrowd platform called Hack Me!, where you’re welcome to hack as if on a customer’s bounty. Please do not ever test against a real customer’s bounty. As stated in our code of conduct, disruptive testing which affects other Researchers’ access to the testing environment, or adversely impacts a customer’s systems and/or accounts is prohibited.

Our bounty program adheres strictly to Bugcrowd’s Vulnerability Rating Taxonomy – a collaborative, community-driven effort to classify common security vulnerabilities and identify baseline severity ratings based on real findings across hundreds of bug bounty programs. Before submitting your vulnerability, consult the VRT to determine its severity and whether it may be eligible for a reward. Vulnerabilities with a P5 baseline rating according to the VRT are generally not eligible for a bounty. If you’d like to make a suggestion to improve the VRT, you can create an issue on GitHub.


When presented with especially interesting High (P2) or Critical (P1) Priority vulnerabilities – especially if our internal knowledge allows us to identify a much greater impact than what an outside researcher's proof-of-concept may have suggested on its own – we may choose to award an additional bonus amount of up to 100% of the initial reward suggested by our priority guidelines. Such bonuses are always at our discretion.

Reward range

Technical severity   Reward range
P1 Critical          $2,501 - $10,000
P2 Severe            $901 - $2,500
P3 Moderate          $301 - $900
P4 Low               $300 - $300

P5 submissions do not receive any rewards for this program.


In scope

Target name            Type             Tags
bugcrowd.com           Website Testing  Website Testing, Ruby on Rails, ReactJS, PostgreSQL, Elasticsearch
tracker.bugcrowd.com   API Testing      Website Testing, Ruby on Rails, ReactJS, PostgreSQL, Elasticsearch
api.bugcrowd.com       API Testing      API Testing, HTTP, Ruby on Rails, PostgreSQL, Elasticsearch, JSON
docs.bugcrowd.com      Website Testing  Website Testing, HTML

Out of scope

Target name                    Type
www.bugcrowd.com               Website Testing
blog.bugcrowd.com              Website Testing
forum.bugcrowd.com             Website Testing
email.bugcrowd.com             Website Testing
email.forum.bugcrowd.com       Website Testing
go.bugcrowd.com                Website Testing
pages.bugcrowd.com             Website Testing
events.bugcrowd.com            Website Testing
researcherdocs.bugcrowd.com    Website Testing
assetinventory.bugcrowd.com    Website Testing

We are most interested in vulnerabilities on our core platform and infrastructure, which run on Amazon Web Services. However, if you identify a host not listed in the Targets section that you can reasonably demonstrate belongs to Bugcrowd, feel free to submit a report asking about its eligibility. Such reports will not result in a penalty, even if it turns out that the given target is ineligible. If deemed eligible, reports against such targets will be assessed on a case-by-case basis (and will be considered for formal addition to the program's scope).

Authenticated testing is limited to whatever credentials you can self-provision - no supplemental credentials or access will be provided for testing.

Focus Areas

At Bugcrowd, the privacy and security of clients is of paramount importance - to this end, we're now offering direct incentives if researchers are able to identify Bugcrowd clients in a programmatic fashion. For this, there are two general groupings listed below. Note that brute forcing is out of scope (unless it could be used to reliably obtain client information), as are client-leaked preview links (e.g. https://bugcrowd.com/company?preview=a6c825b66c733a78c147bec1d51306b8), and as always, a PoC is required:

  1. Can you programmatically enumerate all non-public Bugcrowd clients? - up to $3500
  2. Can you programmatically enumerate some (>10) non-public Bugcrowd clients? - up to $1500 (this may be increased depending on impact)

Other findings will be reviewed on a case-by-case basis. Good luck and happy hunting!

Specific Exclusions

Information implying but not proving the existence of customers or private programs

Examples include:

  • Preview links to bounties that are not also listed as public
  • Logos or bounty codes for customers that do not have public programs
  • Enumeration of usernames, emails, or organization names

Submissions regarding the existence of private programs or undisclosed customers must include compelling proof that the program or customer exists and is meant to be private, and that there is attainable information to that effect.

Rate Limiting

  • Lack of rate limiting reports of any kind that do not show at least 100 requests or an immediate impact will be considered Not Reproducible

Metadata (e.g. EXIF) not stripped from file attachments on Submissions

URLs: https://bugcrowd.com/<any program code>/new, https://bugcrowd.com/<any program code>/create, any instance of our embedded submission form

Our file upload feature deliberately and intentionally does not strip any data from any files attached to a Submission. Please do not report this as an issue, as it will be marked as not applicable or out-of-scope.

Third-party services

Bugcrowd uses a number of third-party providers and services – including a number hosted on subdomains of bugcrowd.com that are listed above as being Out of Scope. We cannot authorize security testing against systems that do not belong to us, but strongly suggest reporting issues identified within these services to the third-party directly:

Out-of-scope target                                        Company        Report via
www.bugcrowd.com, blog.bugcrowd.com                        Pantheon       Pantheon Bug Bounty
                                                           Cloudflare     Cloudflare Bug Bounty
                                                           Drift          Email
                                                           Intercom       Intercom Bug Bounty
forum.bugcrowd.com                                         Discourse      Discourse Bug Bounty
email.bugcrowd.com, email.forum.bugcrowd.com               Mailgun        Contact
collateral.bugcrowd.com                                    Outreach       Outreach Bug Bounty
bounce.bugcrowd.com, go.bugcrowd.com, ww2.bugcrowd.com     Marketo        Email
pages.bugcrowd.com                                         Hubspot        Hubspot Bug Bounty
researcherdocs.bugcrowd.com                                Readme.io      Email
events.bugcrowd.com                                        Splash         Email
assetinventory.bugcrowd.com                                BitDiscovery   BitDiscovery

However, if you believe an issue with one of our third-party service providers is the result of Bugcrowd's misconfiguration or insecure usage of that service, we'd appreciate your report regarding the issue. The same applies if you've reported an issue affecting many customers of the service that you believe Bugcrowd can temporarily mitigate, without stopping usage of the service, while a fix is implemented upstream.

Keep in mind that any reports regarding third-party services are likely to not be eligible for a reward – both cash and Kudos points.

Social Media or Dead Link Takeovers

Social Media or Dead link takeovers will be marked as Not Reproducible unless impact is specifically shown with the report.

Past Employees

To all our past employees: we respect the work you have done for us; however, we will not accept any submissions from former employees for the first 30 days after termination.

Safe Harbor

When conducting vulnerability research according to this policy, we consider this research to be:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy;
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.

You are expected, as always, to comply with all applicable laws.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our official channels before going any further.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.

This program requires explicit permission to disclose the results of a submission.