• $200 – $15,000 per vulnerability

Out of Scope (Canva Pro, Subdomain Takeovers, Zeetings)

Effective immediately, the following are now out of scope:

  • Canva Pro: client-side ACL manipulation to enable Canva Pro without a current Canva Pro subscription. We've had some great reports. More reports are only going to tell us what we know, which is that we need to move these restrictions server side!
  • Subdomain takeovers where DNS points at Pagely: Our friends at Pagely have asked that if you do find a potential subdomain takeover, don't put together a POC on their platform.
  • Zeetings: Though Zeetings is a Canva-owned company, it's not part of our program. We appreciate reports, but won't pay rewards under this program.

Please re-review the bounty brief in detail and adjust your testing and all scanners accordingly to make sure you are only testing and submitting in-scope bugs.

Any pending submissions made before the out-of-scope changes will be reviewed and processed accordingly.

If you have any questions on the change in the scope, please reach out to