Keeper Security Public Bounty Program

  • $300 – $6,500 per vulnerability
  • Up to $10,000 maximum reward
  • Partial safe harbor

Program stats

  • Vulnerabilities rewarded: 220
  • Validation within 4 days: 75% of submissions are accepted or rejected within 4 days
  • Average payout: $657.14 within the last 3 months

Disclosure

Please note: This program or engagement does not allow disclosure. You may not release information about vulnerabilities found in this program or engagement to the public.

Keeper Security is transforming the way businesses and individuals protect their passwords and sensitive digital assets to significantly reduce cyber theft. Keeper is SOC 2 Certified, ISO 27001 Certified and utilizes best-in-class encryption to safeguard its customers. Keeper Security is committed to the industry best practice of responsible disclosure of potential security issues.


Guidelines:

This Vulnerability Disclosure Policy sets out expectations when working with good-faith hackers,
as well as what you can expect from us.

If security testing and reporting are done within the guidelines of this policy, we:

  • Consider it to be authorized in accordance with the Computer Fraud and Abuse Act,
  • Consider it exempt from DMCA, and will not bring a claim against you for bypassing any security or technology controls,
  • Consider it legal, and will not pursue or support any legal action related to this program against you,
  • Will work with you to understand and resolve the issue quickly, and
  • Will recognize your contributions publicly if you are the first to report the issue and we make a code or configuration change based on the issue.

If at any time you are concerned or uncertain about testing in a way that is consistent with the Guidelines and Scope of this policy, please contact us before proceeding.

To encourage good-faith security testing and disclosure of discovered vulnerabilities, we ask that you:

  • Avoid violating privacy, harming user experience, disrupting production or corporate systems, and/or destroying data,
  • Perform research only within the scope set out below, and respect systems and activities which are out-of-scope,
  • Contact us immediately if you encounter any user data during testing,
  • Use the identified communication channels to report vulnerability information to us, and
  • Keep information about any vulnerabilities you’ve discovered confidential until we’ve resolved them.

Ratings/Rewards:

For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy.
However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

Please review the Quality Reporting section for additional guidelines as it pertains to Ratings/Rewards.


Note: To unwrap and display Vault <> Server communication on the Web Vault, open the developer tools and type:
enableNetworkLog()
This will allow you to see the request/response to the server in JSON.

On the Admin Console, the command to log additional request/response is:
api.shouldLog=true

If you need additional debug help, feel free to email us at security@keepersecurity.com.


VRT Changes:

  • Any submissions stemming from throttling or spam testing will be rated as a P4.

Any domain/property of Keeper Security not listed in the targets section is out of scope. This
includes any/all subdomains not listed above.

Scope and rewards

Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please submit through the Bugcrowd Support Portal. We will address your issue as soon as possible.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.

This bounty requires explicit permission to disclose the results of a submission.