Pinterest is a place to discover ideas for all your projects and interests, hand-picked by people like you. We take our security very seriously and welcome any responsible disclosure of potential gaps in our systems.
This program adheres to the Bugcrowd Vulnerability Rating Taxonomy for the prioritization of findings.
Please note: Reward caps are strict and non-negotiable.

| Technical severity | Reward range |
|---|---|
| P1 Critical | Up to $15,001 |
| P2 Severe | $1,800 - $2,400 |
| P3 Moderate | $600 - $1,000 |
| P4 Low | Up to $200 |
Vulnerabilities reported on other Pinterest properties or applications not listed as 'In scope' are currently not eligible for monetary rewards (as they come into scope, they will be added to this section). However, they are still eligible for our Hall of Fame.
Mobile applications can be downloaded at:
After being rewarded and patched, certain vulnerabilities in our Android mobile app may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify, please refer to the Google Play Security Rewards Program's Scope and Vulnerability Criteria: https://www.google.com/about/appsecurity/play-rewards/
Focus Areas: These issues are of particular interest and will be considered for top rewards:
- Remote Code Execution
- Significant Authentication Bypass
- Cross Site Request Forgery on Critical Actions
- Cross Site Scripting (excluding self-XSS)
- Exfiltration of Sensitive Data or PII
Out of Scope:
- External authentication injection
- Network or resource exhaustion attacks such as DDoS are explicitly forbidden
Testing is only authorized on the targets listed as In-Scope. Any domain or property of Pinterest not listed in the targets section is out of scope, including any and all subdomains not listed there. If you happen to identify a security vulnerability on a target that is not in scope but that demonstrably belongs to the Pinterest organization, it may be reported to this program and is appreciated, but it will ultimately be marked as 'not applicable' and will not be eligible for monetary or points-based compensation.
Eligibility and Responsible Disclosure
We are pleased to thank every researcher who submits valid reports that help us improve the security of Pinterest. However, only those that meet the following eligibility requirements may receive a reward:
- The vulnerability must be a qualifying vulnerability (see Scope)
- We can’t be legally prohibited from rewarding you
- You may not publicly disclose the vulnerability prior to our resolution
- You may not be employed by Pinterest or its subsidiaries or related entities
Terms and Conditions
- Submitters must not access data except to the extent minimally required to identify a vulnerability, and any use of data accessed must be limited to identifying and reporting the vulnerability. You must comply with all applicable laws in connection with your participation in this program.
- As a condition of participation in this program, you hereby grant Pinterest, its affiliates and customers a perpetual, irrevocable, worldwide, royalty-free, transferable, sub-licensable (through multiple tiers) and non-exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create derivative works from, make, use, sell, offer for sale and import the Submission, as well as any materials submitted to Pinterest in connection therewith, for any purpose.
- This program is not an offer of employment, nor does it create a contractual relationship between Pinterest and any other party. You are responsible for any applicable taxes associated with any reward you receive. We may modify the terms of this program or terminate this program at any time; we will not apply changes to this program retroactively.
This bounty requires explicit permission to disclose the results of a submission.
When conducting vulnerability research according to this policy, we consider this research to be:
- Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
- Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
- Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy;
- Lawful, helpful to the overall security of the Internet, and conducted in good faith.
You are expected, as always, to comply with all applicable laws.
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our official channels before going any further.