Program stats

291 vulnerabilities rewarded

Validation within 5 days
75% of submissions are accepted or rejected within 5 days

$600 average payout (last 3 months)


Bugcrowd orchestrates the creativity of the crowd to solve some of cybersecurity's toughest challenges. Our own security is our highest priority.

If you think you’ve found a security vulnerability in our systems, we invite you to report it to us via our platform. We commit to working with you to get it assessed and handled appropriately, and offer cash rewards for valid, unique vulnerability reports.

This program is for reporting potential security vulnerabilities only. If you want to report a functional bug, require assistance with a submission, or have a general question, please visit our contact page. If you just want to try out or hack on the Bugcrowd platform, check out our Hack Me! program.

Our bounty program adheres strictly to Bugcrowd’s Vulnerability Rating Taxonomy – a collaborative, community-driven effort to classify common security vulnerabilities and identify baseline severity ratings based on real findings across hundreds of bug bounty programs. Before submitting your vulnerability, consult the VRT to determine its severity and whether it may be eligible for a reward. Vulnerabilities with a P5 baseline rating according to the VRT are generally not eligible for a bounty. If you’d like to make a suggestion to improve the VRT, you can create an issue on GitHub.


For explicitly in-scope targets, a report that is both valid and unique will result in a reward based on its final priority rating post-triage:

Priority   Reward
P1         $10,000
P2         $2,500
P3         $900
P4         $300
P5         $0


When presented with especially interesting High (P2) or Critical (P1) Priority vulnerabilities – especially if our internal knowledge allows us to identify a much greater impact than what an outside researcher's proof-of-concept may have suggested on its own – we may choose to award an additional bonus amount of up to 100% of the initial reward suggested by our priority guidelines. Such bonuses are always at our discretion.


Out of scope

We are most interested in vulnerabilities on our core platform and infrastructure, which run on Amazon Web Services. However, if you identify a host not listed in the Targets section that you can reasonably demonstrate belongs to Bugcrowd, feel free to submit a report asking about its eligibility. Such reports will not result in a penalty, even if it turns out that the given target is ineligible. If deemed eligible, reports against such targets will be assessed on a case-by-case basis (and will be considered for formal addition to the program's scope).

Authenticated testing is limited to whatever credentials you can self-provision; no supplemental credentials or access will be provided for testing.

Third-party services

Bugcrowd uses a number of third-party providers and services – including a number hosted on subdomains of that are listed above as being Out of Scope. We cannot authorize security testing against systems that do not belong to us, but strongly suggest reporting issues identified within these services to the third-party directly:

Company        Report via
Pantheon       Pantheon Bug Bounty
Cloudflare     Cloudflare Bug Bounty
Discourse      Discourse Bug Bounty
DigitalOcean   DigitalOcean Bug Bounty
Mailgun        Contact
Outreach       Outreach Bug Bounty
Marketo        Email
Hubspot        Hubspot Bug Bounty, Email

However, if you believe an issue with one of our third-party service providers is the result of Bugcrowd's misconfiguration or insecure usage of that service (or you've reported an issue affecting many customers of the service that you believe Bugcrowd can temporarily mitigate without stopping usage of the service while a fix is implemented upstream), we'd appreciate your report regarding the issue.

Keep in mind that reports regarding third-party services are unlikely to be eligible for a reward, whether cash or Kudos points.


This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.

This program requires explicit permission to disclose the results of a submission.