• $25 – $500 per vulnerability
  • Up to $500 maximum reward
  • Partial safe harbor
  • Managed by Bugcrowd

Program stats

168 vulnerabilities rewarded

Validation within 1 day
75% of submissions are accepted or rejected within 1 day

$100 average payout (last 3 months)

Recently joined this program

896 total


Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

We appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. Being proactive rather than reactive to emerging security issues is a fundamental belief at InVision. Every day new security issues and attack vectors are created. InVision strives to keep abreast on the latest state-of-the-art security developments by working with security researchers and companies. We appreciate the community's efforts in creating a more secure world.

Reward range

Last updated

Technical severity Reward range
p1 Critical $350 - $500
p2 Severe $150 - $300
p3 Moderate $75 - $100
p4 Low $25 - $50
P5 submissions do not receive any rewards for this program.


In scope

Target name Type Tags Website Testing
  • Website Testing
  • ReactJS
  • NodeJS Website Testing
  • Website Testing
  • jQuery
  • nginx Browser Add-Ons (Chrome & Safari) Other
  • Website Testing

Out of scope

Target name Type Website Testing Website Testing Website Testing Website Testing Website Testing Website Testing

Additional Information on OOS
While we are focused on the security of our application, we must have some items that are not in scope. Rewards for out-of-scope submissions will be at the discretion of InVision and will be dependent upon the severity of the issue.

  • 0-day vulnerabilities that are less than 30 days old. Once 0-days are announced we need time to research if we are vulnerable, and patch our environment from development to production if necessary
  • Any content/information hosted or managed by a 3rd party (e.g. Zendesk, etc.)
  • 3rd party libraries, as we do not have development permissions
  • Multiple reports for the same vulnerability type with minor differences (only one will be rewarded)
  • Rate limiting
  • Clickjacking and issues only exploitable through clickjacking -Email related - SPF or DMARC records - Gmail "+" and "." acceptance - Email bombs - Unsubscribing from marketing emails

NOTE: Network Level DDoS/DoS attacks are forbidden. Application volumetric DDoS/DoS attacks are forbidden, if you find a request that takes too long to answer report it, please do not try to DoS the service.

Any domain/property of InVisionApp or not listed in the targets section is out of scope. This includes any/all subdomains not listed above. Scope is subject to change.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.

This bounty requires explicit permission to disclose the results of a submission.