• Points – $500 per vulnerability
  • Partial safe harbor
  • Managed by Bugcrowd

Program stats

126 vulnerabilities rewarded

Validation within 4 days
75% of submissions are accepted or rejected within 4 days

Latest hall of famers

Recently joined this program


Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

Pantheon is the professional website platform that gives Drupal and WordPress developers everything they need to build, launch, and run solid websites. We maintain customer privacy, security, and site availability as primary responsibilities of our operation, preferring defense in depth over reactive solutions. We strive to stay abreast of the latest state-of-the-art security developments by working with security researchers. We appreciate the researchers' efforts to help create a more secure Internet.


In scope

Target name Type Other

- Only is in scope.

- All other areas/domains are out of scope

- Please do NOT open support tickets

- Submit Proof-Of-Concept videos using supported methods only

When creating an account please use the following syntax for email:

In addition to Standard Disclosure Terms, the following guidelines apply:

  • Please do not test our capacity or ability to withstand Denial of Service attacks.
  • Register for free accounts to test.
  • Please test using your own account(s).
  • Absolutely no attacks or exploits against accounts not created by you.
  • Cross-account access may only attempted between accounts controlled by you.
  • No automated off-the-shelf scanners (like Acunetix or the Burp Suite).
  • Limit scripted / API tests must be rate limited to 1 request per second.

The following finding types are specifically excluded from the bounty:

  • Disclosure of known public files or directories, (e.g. robots.txt).
  • Clickjacking and issues only exploitable through clickjacking.
  • CSRF on forms that are available to anonymous users (e.g. the contact form).
  • Logout Cross-Site Request Forgery (logout CSRF).
  • Presence of application or web browser ‘autocomplete’ or ‘save password

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.

This bounty requires explicit permission to disclose the results of a submission.