Contrast Security

  • Points – $3,000 per vulnerability
  • Safe harbor

Program stats

  • Vulnerabilities rewarded 65
  • Validation within 8 days 75% of submissions are accepted or rejected within 8 days
  • Average payout $1,083.33 within the last 3 months

Latest hall of famers

Recently joined this program

Welcome to Contrast Security’s Bug Bounty Program with BugCrowd! We are excited to invite the security community to help us identify and address vulnerabilities in our Secure Code Platform.

Our platform provides Interactive Application Security Testing (IAST), Runtime Application Security Protection (RASP), Static Application Security Testing (SAST), and Software Composition Analysis (SCA) to help organizations secure their applications from cybersecurity threats.

We are looking for researchers to find and report vulnerabilities in our platform, such as:

  • Cross-Site Scripting (XSS)
  • SQL injection (and other injection vulnerabilities)
  • Authentication and Authorization issues
  • Broken Access Control
  • Security Misconfigurations
  • Sensitive Data Leakage
  • Denial of Service (DoS) vulnerabilities

We pay out generous bounties for eligible vulnerabilities, and we're committed to working with researchers to quickly remediate any issues that are discovered.

Join us in our mission to Get Secure Code Moving Faster™ by participating in our bug bounty program. We are excited to see what you can find!

For platform testing, each researcher will be assigned a dedicated test instance.

Please see the Testing Information section below for further details.

Do not try to further pivot into the network by using a vulnerability. The rules around Remote Code Execution (RCE), SQL Injection (SQLi), vulnerabilities allowing you to access file/folder structure, defacement and file uploads are listed below.

Do not try to exploit service providers we use (hosting, domain registrar, email, marketing, etc.). Contrast does not authorize you to perform any actions against non-Contrast owned property/system/service/data. If you are unsure if a system you discovered belongs to Contrast or not, ask first before testing further.

If you encounter Personally Identifiable Information (PII) contact us at immediately. Do not proceed with access and immediately purge any local information, if applicable.

Scope and rewards

Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email We will address your issue as soon as possible.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.