• $200 – $15,000 per vulnerability

New Targets added

We hope your testing is going well. Here is an update that should make things a bit more interesting! We've added the Canva Developer Platform as targets:


Researchers can access the Canva Apps to create private apps that other users would see and will allow them to test out the ability to write custom javascript and host it on a canva-related domain. Researchers can access the Canva Developer Platform here:

As always, please see the program brief for the full details around testing. If you have any questions, please reach out to

Get out there and lay claim to those bugs!