Bugcrowd orchestrates the creativity of the crowd to solve some of cybersecurity's toughest challenges. Our own security is our highest priority. If you think you’ve found a security vulnerability in our systems, we invite you to report it to us via our platform. We commit to working with you to get it resolved, and we offer cash rewards for unique issues.
This bounty follows Bugcrowd’s standard disclosure terms, which can be found at https://bugcrowd.com/resources/standard-disclosure-terms. This set of terms applies to many of the programs Bugcrowd hosts for other companies, so we encourage you to take a moment to get to know them!
Vulnerabilities that we think violate our fundamental security/trust model (e.g. escalation of privilege from unauthenticated to admin, privileged remote code execution, access to vulnerability data) will be considered P1 and eligible for a minimum of $5,000.
Any vulnerability that we fix in response to a submission via our program will be eligible for a minimum of $200. Touch the code, pay the bug.
CrowdControl (tracker.bugcrowd.com) is primarily built on Ruby on Rails and a variety of databases on the backend. If you report a unique vulnerability in CrowdControl because of an unknown vulnerability in FOSS software, Bugcrowd will apply a “0-day Bonus” of not less than 3x the normal reward.
Out of scope
Bugcrowd uses a number of third-party providers and services. Our bug bounty program does not give you permission to perform security testing on their systems. Vulnerabilities in third-party systems will be assessed case-by-case, and most likely will not be eligible for a reward.
Third party services used by Bugcrowd include, but aren’t limited to:
Bugcrowd hosts that resolve to third-party services include:
At this time, authenticated testing is limited to whatever credentials you can self-provision; no supplemental credentials or access will be provided for testing.
A note about www.bugcrowd.com
The main www.bugcrowd.com domain runs on a third-party hosting platform using WordPress and minimal plugins. We do not maintain this codebase, but as referenced above, impactful vulnerabilities in third-party systems/code will be assessed on a case-by-case basis.