• $100 – $1,500 per vulnerability
  • Partial safe harbor
  • Managed by Bugcrowd

Program stats

153 vulnerabilities rewarded

Validation within 10 days
75% of submissions are accepted or rejected within 10 days

$438.46 average payout (last 3 months)

Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

We appreciate all security concerns brought forward and are constantly striving to stay on top of the latest threats. Being proactive rather than reactive to emerging security issues is a fundamental belief at InVision. Every day new security issues and attack vectors are created. InVision strives to keep abreast of the latest state-of-the-art security developments by working with security researchers and companies. We appreciate the community's efforts in creating a more secure world.

NOTE: We update the application regularly, so please check back for new functionality soon!

We're Recruiting Researchers:

We utilize this program as a recruiting ground for researchers. Researchers with valid submissions are eligible to receive an invitation to our private programs which we utilize to test our newest applications.

Reward Range

Last updated
Technical severity    Reward range
P1 Critical           $1,200 - $1,500
P2 Severe             $500 - $900
P3 Moderate           $300
P4 Low                $100
P5 submissions do not receive any rewards for this program.


In scope

Target name Type Other Website Browser Add-Ons (Chrome & Safari) Other Website

Out of scope

Target name Type Website Website Website Website Website
Studio Other

Please note that the scope is subject to change

If adding screenshots (images) and/or screen recordings (video) to support the submission, please attach directly to the submission. Do not use third party sites to host them.

Any domain/property of InVisionApp or Muzli not listed in the targets section is out of scope. This includes any/all subdomains not listed above.


8.16.18 Update: All testing must be performed using your email address. All others are subject to being blocked from the targets completely.

Targets - Self-Signup Account
- - Sign Up Here
- - Sign Up Here

Targets - No Account Needed

Focus Areas

The boards and prototypes sections have been heavily tested, so we would like to focus on the more obscure parts of the application. We also have some areas that change subdomains not listed as a Target, but those are in scope (ie,


While we are focused on the security of our application, we must have some items that are not in scope. Rewards for out-of-scope submissions will be at the discretion of InVision and will be dependent upon the severity of the issue. Issues submitted for tools/functionality that are still in BETA will not be rewarded, as it is not production-ready.

  • 0-day vulnerabilities that are less than 30 days old
    • Once 0-days are announced we need time to research if we are vulnerable, and patch our environment from development to production if necessary
  • Any content/information hosted or managed by a 3rd party (e.g. Zendesk, etc.)
  • 3rd party libraries, as we do not have development permissions
  • Any subdomain listed below (subject to change):
    • [mysubdomain] (any personalized subdomain will be rewarded at the discretion of InVision)

NOTE: Network-level DDoS/DoS attacks are forbidden. Application-level volumetric DDoS/DoS attacks are also forbidden. If you find a request that takes too long to answer, report it; please do not try to DoS the service.

The following finding types are specifically excluded from the bounty:


  • IDOR references for objects you already have permission to access
  • Duplicate submissions that are being remediated
  • Multiple reports for the same vulnerability type with minor differences (only one will be rewarded)
  • Rate limiting
  • LiveShare termination
  • Lack of Security Speedbump when leaving the site
  • Open redirect
  • Clickjacking and issues only exploitable through clickjacking
  • File uploads
    • Some of our clients need to be able to upload Retina images, which can be gigabytes in size
    • No file uploaded to the system is actually executable

System related

  • Patches released within the last 30 days
  • Networking issues or industry standards outside of InVision's control
  • Password complexity

Email related

  • SPF or DMARC records
  • Gmail "+" and "." acceptance
  • Email bombs
  • Unsubscribing from marketing emails

Information Leakage

  • Descriptive error messages (e.g. Stack Traces, application or server errors)
  • HTTP 404 codes/pages or other HTTP non-200 codes/pages
  • Fingerprinting/banner disclosure on common/public services
  • Disclosure of known public files or directories, (e.g. robots.txt)
  • Cacheable SSL pages


  • CSRF on forms that are available to anonymous users (e.g. the contact form, sign-up form)
  • Logout Cross-Site Request Forgery (logout CSRF)
  • Weak CSRF in the APIs

Login/Session related

  • Forgot Password page brute force and account lockout not enforced
  • Lack of Captcha
  • Sessions not expiring after email change
  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality
  • Session Timeout (available in our Enterprise product)

Missing HTTP security headers or flags, e.g.

  • Strict-Transport-Security
  • X-Frame-Options
  • X-XSS-Protection
  • X-Content-Type-Options
  • Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
  • Content-Security-Policy-Report-Only
  • Secure/HTTPOnly flags on non-sensitive cookies
  • Options flag is enabled

SSL Issues, e.g.

  • SSL Attacks such as BEAST, BREACH, Renegotiation attack
  • SSL Forward secrecy not enabled
  • SSL weak / insecure cipher suites

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.

This bounty requires explicit permission to disclose the results of a submission.