Program stats

287 vulnerabilities rewarded

Validation within 6 days
75% of submissions are accepted or rejected within 6 days

$286 average payout (last 3 months)

Latest hall of famers

Recently joined this program

2146 total

Bugcrowd orchestrates the creativity of the crowd to solve some of cybersecurity's toughest challenges. Our own security is our highest priority. If you think you’ve found a security vulnerability in our systems we invite you to report it to us via our platform. We commit to working with you to get it resolved, and offer cash rewards for unique issues.

This bounty follows Bugcrowd’s standard disclosure terms, which can be found at This set of terms applies to many of the programs Bugcrowd hosts for other companies, so we encourage you to take a moment to get to know them!


Out of scope



Vulnerabilities that we think violate our fundamental security/trust model (e.g. escalation of privilege from unauthenticated to admin, privileged remote code execution, access to vulnerability data) will be considered P1 and eligible for a minimum of $5,000.


Any vulnerability that we fix in response to a submission via our program will be eligible for a minimum of $200. Touch the code, pay the bug.

0-day bonus

CrowdControl ( is primarily built on Ruby on Rails and a variety of databases on the backend. If you report a unique vulnerability in CrowdControl because of an unknown vulnerability in FOSS software, Bugcrowd will apply a “0-day Bonus” of not less than 3x the normal reward.

Out of scope

Bugcrowd uses a number of third-party providers and services. Our bug bounty program does not give you permission to perform security testing on their systems. Vulnerabilities in third party systems will be assessed case-by-case, and most likely will not be eligible for a reward.

Third party services used by Bugcrowd include, but aren’t limited to:

Bugcrowd hosts that resolve to third-party services include:

At this time, authenticated testing is limited to whatever credentials you can self provision - no supplemental credentials or access will be provided for testing.

a note about

The main domain runs on a third-party hosting platform using Wordpress and minimal plugins. We do not maintain this codebase, but as referenced above, impactful vulnerabilities in third-party systems/code will be assessed on a case-by-case basis.


This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for Informational (P5) findings. Learn more about Bugcrowd’s VRT.

This program requires explicit permission to disclose the results of a submission.