  • Points – $500 per vulnerability
  • Partial safe harbor
  • Managed by Bugcrowd

Program stats

132 vulnerabilities rewarded

Validation within about 16 hours
75% of submissions are accepted or rejected within about 16 hours

$250 average payout (last 3 months)

Recently joined this program

879 total


Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

Pantheon is the professional website platform that gives Drupal and WordPress developers everything they need to build, launch, and run solid websites. We maintain customer privacy, security, and site availability as primary responsibilities of our operation, preferring defense in depth over reactive solutions. We strive to stay abreast of the latest state-of-the-art security developments by working with security researchers. We appreciate the researchers' efforts to help create a more secure Internet.

Reward range

Technical severity    Reward range
P1 Critical           $50 - $500
P2 Severe             $25 - $250
P3 Moderate           Up to $100
P4 Low                Up to $75

P5 submissions do not receive any rewards for this program.


In scope

Target name Type Tags Other
  • Moment.js
  • jQuery
  • Modernizr
  • Backbone

- Only is in scope.

- All other areas/domains are out of scope

- Please do NOT open support tickets

- Submit Proof-Of-Concept videos using supported methods only

When creating an account please use the following syntax for email:

In addition to Standard Disclosure Terms, the following guidelines apply:

  • Please do not test our capacity or ability to withstand Denial of Service attacks.
  • Register for free accounts to test.
  • Please test using your own account(s).
  • Absolutely no attacks or exploits against accounts not created by you.
  • Cross-account access may only be attempted between accounts controlled by you.
  • No automated off-the-shelf scanners (like Acunetix or the Burp Suite).
  • Scripted / API tests must be rate-limited to 1 request per second.

The following finding types are specifically excluded from the bounty:

  • Disclosure of known public files or directories, (e.g. robots.txt).
  • Clickjacking and issues only exploitable through clickjacking.
  • CSRF on forms that are available to anonymous users (e.g. the contact form).
  • Logout Cross-Site Request Forgery (logout CSRF).
  • Presence of application or web browser ‘autocomplete’ or ‘save password

Testing is only authorized on the targets listed as In-Scope. Any domain/property of Pantheon not listed in the targets section is out of scope. This includes any/all subdomains not listed above. If you happen to identify a security vulnerability on a target that is not in-scope, but that demonstrably belongs to Pantheon, it may be reported to this program, and is appreciated - but will ultimately be marked as 'not applicable' and will not be eligible for monetary or points-based compensation.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.

This bounty requires explicit permission to disclose the results of a submission.