• $250 – $3,000 per vulnerability
  • Safe harbor

Program stats

  • Vulnerabilities rewarded 73
  • Validation within about 1 month 75% of submissions are accepted or rejected within about 1 month
  • Average payout $1,000 within the last 3 months

Latest hall of famers

Recently joined this program

531 total


Please note: This program or engagement does not allow disclosure. You may not release information about vulnerabilities found in this program or engagement to the public.

Directly invites you to test their primary webapp and any other discoverable subdomains or attack surface that's part of * Upon receipt of your report, we promise to review and address any security issues in a timely manner and to communicate with you during our investigation and upon resolution.
Please note that Directly is only looking for sandbox environment issues (nothing in production). If you go into production sites, your IP may get banned.

Thanks again for making Directly a safer place for our customers and experts by disclosing security issues responsibly! Good luck and happy hunting!


For initial ratings, this program will use the Bugcrowd Vulnerability Rating Taxonomy for the prioritization/rating of findings. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

Scope and rewards

Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email We will address your issue as soon as possible.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.