Linktree

With 30 million global users, Linktree is helping brands, artists, publishers, agencies and influencers better control their presence online. The security of our platform is more important than ever, and we believe the global security community is a big part of that.

The scope for Linktree's Bug Bounty program is inclusive of most of our assets. If you find something that would be impactful to our users, we want to hear about it.

Your participation in our Bug Bounty Program is voluntary. By submitting a report or otherwise disclosing a vulnerability to us, you are indicating that you have read and agree to follow the rules set forth on this page.

Ratings/Rewards:

For this program Linktree is leveraging CVSS for gauging impact and paying out rewards. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

The translation between the CVSS Scores and bounties paid are outlined below:

CVSS Scores	VRT Equivalent
10.0 - 9.0	P1 / Critical
8.9 - 7.0	P2 / High
6.9 - 4.0	P3 / Medium
3.9 - 2.0	P4 / Low
1.9 - 0.0	P5 / Informational

Additionally, the following modifications have been made:

• Access control bypass issues in link lock features pointing to public content are classified as Low severity.
• Deleted assets/items that are still accessible are classified as Low severity.
• Cross-Site Scripting (XSS) attacks are considered at maximum a Medium severity.
• Obtaining access to individual paid features for Free accounts are classified as Low severity
• Sub-domain takeovers are considered at maximum a Medium severity.