• $200 – $15,000 per vulnerability

Program stats

  • Vulnerabilities rewarded 175
  • Validation within 8 days 75% of submissions are accepted or rejected within 8 days
  • Average payout $1,307.14 within the last 3 months

Latest hall of famers

Recently joined this program

1214 total

Canva is a tool that makes it possible to design anything and publish anywhere. Designing anything happens through web and mobile apps. Publishing anywhere includes online and physical publishing integrations. So there are plenty of areas for you to research.

People trust us with their personal content, business promotions, product info, media assets and more. While people can use Canva for free, they also pay us for access to premium media resources like image libraries, or for enterprise subscriptions that provide advanced tools, workflow management, and team management features.

We take the security of our systems seriously, and we value the security researcher community. Your responsible disclosure of security vulnerabilities by security researchers helps us ensure the security and privacy of our users.


We require that all researchers:

-Include a bug URL in the submission details otherwise the submission will not be accepted

  • Make a every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing
  • Perform research only within the scope set out below
  • Use the identified communication channels to report vulnerability information to us
  • Use your @bugcrowdninja email address when testing

Thank you for participating, it is your work that will help to keep us secure.


For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

Scope and rewards

Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please submit through the Bugcrowd Support Portal. We will address your issue as soon as possible.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.

This bounty requires explicit permission to disclose the results of a submission