• $150 – $5,000 per vulnerability
  • Up to $6,000 maximum reward

Program stats

  • Vulnerabilities rewarded 118
  • Validation within 4 days 75% of submissions are accepted or rejected within 4 days
  • Average payout $410 within the last 3 months

Latest hall of famers

Recently joined this program

1363 total

Caffeine is a social broadcasting platform for gaming, entertainment, and the creative arts. Our goal with this bug bounty program is give researchers a responsible way to disclose vulnerabilities, allow us to build a more secure service for all our users, and reward you for your hard work.

For this program, we are inviting researchers to test our websites, mobile apps, API services, auxiliary services and our Windows 10 broadcasting software.



  • Use an email address you actively monitor as this will be needed for account verification
  • Prefix your username with the letter bcr_.
  • You are welcome to test almost all of the components, and though it is not required, to start broadcasting yourself. To do so you will need at least 5Mbps upload and a supported game installed.

Behavioral Guidelines

Eligibility to participate in the program is contingent on your ability abide by the following - inability to do so will result in disqualification from rewards and/or removal from the program.

  • Do not sign up with an email address!
  • Do Not Spam live broadcasts
  • Do Not Create more than 5 test accounts
  • Do not attempt any tests on a broadcaster's live broadcast other than your own (
  • Do Not send messages to the API with the stage_id of any other person's stage.
  • You may "ignore" other users, but do not "report" any users or broadcasts.
  • In the Caffeine broadcasting software, there is a form to “Report an Issue”. Please do not test this more than once as it does go directly to our support team. Please delete any accounts that you have created but do not intend to use anymore


  • Subdomain takeovers will be initially rated as a P4 and will be upgraded/downgraded by the client accordingly.

Tips for Testing


Scanning is allowed, but keep in mind this is running on AWS who do actively block some scans. runs automated scans from Acunetix, Zap, Nessus, et al., against the in-scope targets – so using these tools is likely of minimal utility to researchers. As such, please avoid using them unless for targeted, specific testing, and then only at less than six requests per second / less than 50 automated requests on a single endpoint.


Caffeine uses an OAuth 2.0 style authentication system with a Request Token and an Access Token. Currently, Access Tokens expire after 15 minutes.
Submissions related to the access token not immediately expiring will be considered ineligible for reward (such as changing of password or logout).
If a researcher is able to demonstrate that the access token is valid for more than 15 minutes, that is likely to be viewed as a priority.
Refresh Tokens will expire immediately upon changing password.

Focus Areas

  • Of particular importance is if you can determine the IP address of a broadcaster. We believe there is nothing exposing the broadcaster's IP address, so if you find a workaround, expect to be compensated well.
  • Given the website is statically hosted on S3, the attack surface is small. Instead, focus more on the APIs, particularly focusing on account takeover techniques.
  • Props and the reaction interaction What are Props

This program adheres to the Bugcrowd Vulnerability Rating Taxonomy for the prioritization/rating of findings.

Scope and rewards

Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email We will address your issue as soon as possible.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.