Pantheon is the professional website platform that gives Drupal and WordPress developers everything they need to build, launch, and run solid websites. We maintain customer privacy, security, and site availability as primary responsibilities of our operation, preferring defense in depth over reactive solutions. We strive to stay abreast of the latest state-of-the-art security developments by working with security researchers. We appreciate the researchers' efforts to help create a more secure Internet.
|Technical severity||Reward range|
|p1 Critical||$50 - $500|
|p2 Severe||$25 - $250|
|p3 Moderate||Up to: $100|
|p4 Low||Up to: $75|
- Only dashboard.pantheon.io is in scope.
- All other areas/domains are out of scope
- Please do NOT open support tickets
- Submit Proof-Of-Concept videos using supported methods only
When creating an account please use the following syntax for email: firstname.lastname@example.org
In addition to Standard Disclosure Terms, the following guidelines apply:
- Please do not test our capacity or ability to withstand Denial of Service attacks.
- Register for free accounts to test.
- Please test using your own account(s).
- Absolutely no attacks or exploits against accounts not created by you.
- Cross-account access may only attempted between accounts controlled by you.
- No automated off-the-shelf scanners (like Acunetix or the Burp Suite).
- Limit scripted / API tests must be rate limited to 1 request per second.
The following finding types are specifically excluded from the bounty:
- Disclosure of known public files or directories, (e.g. robots.txt).
- Clickjacking and issues only exploitable through clickjacking.
- CSRF on forms that are available to anonymous users (e.g. the contact form).
- Logout Cross-Site Request Forgery (logout CSRF).
- Presence of application or web browser ‘autocomplete’ or ‘save password
Testing is only authorized on the targets listed as In-Scope. Any domain/property of Pantheon not listed in the targets section is out of scope. This includes any/all subdomains not listed above. If you happen to identify a security vulnerability on a target that is not in-scope, but that demonstrably belongs to Pantheon, it may be reported to this program, and is appreciated - but will ultimately be marked as 'not applicable' and will not be eligible for monetary or points-based compensation.