• Points – $500 per vulnerability
  • Partial safe harbor
  • Managed by Bugcrowd

Program stats

127 vulnerabilities rewarded

Validation within 3 days
75% of submissions are accepted or rejected within 3 days

$1,000 average payout (last 3 months)

Latest hall of famers

Recently joined this program


Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

Pantheon is the professional website platform that gives Drupal and WordPress developers everything they need to build, launch, and run solid websites. We maintain customer privacy, security, and site availability as primary responsibilities of our operation, preferring defense in depth over reactive solutions. We strive to stay abreast of the latest state-of-the-art security developments by working with security researchers. We appreciate the researchers' efforts to help create a more secure Internet.


In scope

Target name Type Other

- Only is in scope.

- All other areas/domains are out of scope

- Please do NOT open support tickets

- Submit Proof-Of-Concept videos using supported methods only

When creating an account please use the following syntax for email:

In addition to Standard Disclosure Terms, the following guidelines apply:

  • Please do not test our capacity or ability to withstand Denial of Service attacks.
  • Register for free accounts to test.
  • Please test using your own account(s).
  • Absolutely no attacks or exploits against accounts not created by you.
  • Cross-account access may only attempted between accounts controlled by you.
  • No automated off-the-shelf scanners (like Acunetix or the Burp Suite).
  • Limit scripted / API tests must be rate limited to 1 request per second.

The following finding types are specifically excluded from the bounty:

  • Disclosure of known public files or directories, (e.g. robots.txt).
  • Clickjacking and issues only exploitable through clickjacking.
  • CSRF on forms that are available to anonymous users (e.g. the contact form).
  • Logout Cross-Site Request Forgery (logout CSRF).
  • Presence of application or web browser ‘autocomplete’ or ‘save password

Testing is only authorized on the targets listed as In-Scope. Any domain/property of Pantheon not listed in the targets section is out of scope. This includes any/all subdomains not listed above. If you happen to identify a security vulnerability on a target that is not in-scope, but that demonstrably belongs to Pantheon, it may be reported to this program, and is appreciated - but will ultimately be marked as 'not applicable' and will not be eligible for monetary or points-based compensation.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.

This bounty requires explicit permission to disclose the results of a submission.