• $50 – $3,000 per vulnerability
  • Up to $10,000 maximum reward

Program stats

  • Vulnerabilities rewarded 265
  • Validation within 5 days 75% of submissions are accepted or rejected within 5 days
  • Average payout $582 within the last 3 months

Latest hall of famers

Recently joined this program


Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

lululemon invites you to test and help secure our assets - We appreciate your efforts and hard work in making us more secure, and look forward to working with the researcher community to create a meaningful and successful bug bounty program. Good luck and happy hunting!


For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

Special Rewards

We will reward an extra bounty to researchers who demonstrate any of the following that we have not already seen. Finding RCE/LFI using the same injection type on different endpoints will not count twice.


  • Remote unauthorized access to our customer database or datastore
  • Automated account takeover (ATO) requiring no interaction from the user.
    • This doesn't imply clicking on a valid XSS link to an account takeover, this purely means account takeover via backend means. Have you RCEd yourself in and somehow grabbed other session cookies? We require a full compromise like this to be eligible for reward.
  • Remote unauthorized access or arbitrary code execution to web servers.


  • Account takeover (ATO) with limited customer interactions; payloads can not be reused by individual researchers to get subsequent high-level reward.
  • User authentication beyond our current entry points (e.g. login, track order, return, checkout) Any vulnerability within our checkout process that exposes or compromises customers’ personal or financial data
  • We are particularly interested in methods / techniques that are undetectable by our current security infrastructure.

Scope and rewards

Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email We will address your issue as soon as possible.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.