• $200 – $7,500 per vulnerability
  • Safe harbor

Program stats

  • Vulnerabilities rewarded 22
  • Validation within 3 days 75% of submissions are accepted or rejected within 3 days
  • Average payout $440.90 within the last 3 months

Latest hall of famers

Recently joined this program

With 30 million global users, Linktree is helping brands, artists, publishers, agencies and influencers better control their presence online. The security of our platform is more important than ever, and we believe the global security community is a big part of that.

The scope for Linktree's Bug Bounty program is inclusive of most of our assets. If you find something that would be impactful to our users, we want to hear about it.

Your participation in our Bug Bounty Program is voluntary. By submitting a report or otherwise disclosing a vulnerability to us, you are indicating that you have read and agree to follow the rules set forth on this page.


For this program Linktree is leveraging CVSS for gauging impact and paying out rewards. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

The translation between the CVSS Scores and bounties paid are outlined below:

CVSS Scores VRT Equivalent
10.0 - 9.0 P1 / Critical
8.9 - 7.0 P2 / High
6.9 - 4.0 P3 / Medium
3.9 - 2.0 P4 / Low
1.9 - 0.0 P5 / Informational

Additionally, the following modifications have been made:

  • Access control bypass issues in link lock features pointing to public content are classified as Low severity.
  • Deleted assets/items that are still accessible are classified as Low severity.
  • Cross-Site Scripting (XSS) attacks are considered at maximum a Medium severity.
  • Obtaining access to individual paid features for Free accounts are classified as Low severity
  • Sub-domain takeovers are considered at maximum a Medium severity.

Scope and rewards

Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email We will address your issue as soon as possible.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.