We appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. Being pro-active rather than re-active to emerging security issues is a fundamental belief at CodePen. Every day new security issues and attack vectors are created. CodePen strives to keep abreast on the latest state-of-the-art security developments by working with security researchers and companies. We appreciate the community's efforts in creating a more secure world.


In scope

  • codepen.io

The following finding types are specifically excluded from the bounty:

  • Descriptive error messages (e.g. Stack Traces, application or server errors).
  • Login Page / Forgot Password Page Account Brute force or account lockout not enforced.
  • HTTP 404 codes/pages or other HTTP non-200 codes/pages.
  • Banner disclosure on common/public services.
  • Disclosure of known public files or directories, (e.g. robots.txt).
  • Clickjacking and issues only exploitable through clickjacking.
  • Self-XSS and issues exploitable only through Self-XSS.
  • CSRF on forms that are available to anonymous users (e.g. the contact form).
  • Logout Cross-Site Request Forgery (logout CSRF).
  • Presence of application or web browser ‘autocomplete’ or ‘save password
  • The XSS needs to affect codepen.io, not any subdomain. So for instance you can access document.cookie from the Editor, but those cookies are from s.codepen.io which (shouldn't) contain anything sensitive.
  • Reporting of a missing 'secure' flag on the _codepen_session cookie. We take other steps to mitigate this issue.
  • The __cp_layout cookie, which leaks no secure data about the user.
  • Cipher issues like Forward Secrecy and Secure Client-Initiated Renegotiation


This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for Informational (P5) findings. Learn more about Bugcrowd's VRT.

This bounty requires explicit permission to disclose the results of a submission