• $200 – $2,500 per vulnerability
  • Safe harbor
  • Managed by Bugcrowd

Program stats

51 vulnerabilities rewarded

Validation within 5 days
75% of submissions are accepted or rejected within 5 days

$592.85 average payout (last 3 months)

Latest hall of famers

Recently joined this program

635 total


Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

RealSelf is the leading and most trusted source for people considering an elective cosmetic treatment. More than ten years ago, we built RealSelf as the destination for people to learn about cosmetic procedures, share their experiences, and connect with top providers.

Today there are more cosmetic treatment options than ever before—from Botox to laser hair removal, microneedling to CoolSculpting. That’s why RealSelf provides unbiased information about cosmetic procedures and the doctors and clinicians who perform them. Every month, millions of RealSelf visitors research procedures and connect with highly qualified providers. RealSelf is a must-visit resource for people considering cosmetic treatments and providers seeking to connect with them. We help millions of people find the right treatment and provider for them.

RealSelf invites you to test and help secure our public-facing assets. We appreciate your efforts and hard work in making the internet (and RealSelf) more secure, and look forward to working with the researcher community to create a meaningful and successful bug bounty program. Good luck and happy hunting!

Our bug bounty program allows you to test the production edition of our site. This is risky business. To make sure your testing doesn't interfere with our users and cause the very problems we are trying to prevent, we ask:

  • Use a username ending in _bugc to identify yourself as a bug bounty participant, for all the accounts you create on our site
  • Use your email address for all accounts you create on our site (we support email addresses to allow you to test with several accounts)
  • Do not interact with users or content that you did not create yourself. Please contact us if you need to access other content to test something, and we will do our best to set you up with what you need.
  • Do not leave attack remnants on the site for other users to discover. If you create content that you find you cannot delete, please contact us to let us know as soon as possible.
  • Normal users must not see the data that you are posting to the systems. For example, please do not drop SQL injection attempts into the middle of live user comments and discussions.
  • Users must not be contacted or messaged in the research of an exploit, and you must not harass site users.
  • Our community managers and other staff may take actions that interfere with your testing as we defend against your attack. If this happens, contact us and we'll work out a test plan.

If we find you did not abide by these rules while testing our site, we will not award a bounty and may terminate your participation.


For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

Reward range

Last updated

Technical severity Reward range
p1 Critical $2,000 - $2,500
p2 Severe $1,000 - $1,500
p3 Moderate $500 - $750
p4 Low $200 - $300
P5 submissions do not receive any rewards for this program.


In scope

Target name Type Website Testing Website Testing API Testing API Testing Website Testing Website Testing Website Testing API Testing Other API Testing API Testing Website Testing Other
RealSelf iOS Website Testing Website Testing

Any domain not listed in the targets section is out of scope. This includes any/all subdomains not listed above.

Focus Areas:

  • Logging into another user's or doctor's account
  • Disclosure of users' information beyond what is published on our site
  • Performing actions as another user or as a doctor
  • Access to administrator functionality such as moderation actions and approvals
  • Ways to spam or harass a user
  • Denial of service against one or more users or doctors
  • Things that could make our site inaccessible
  • Attacks on our infrastructure, such as source disclosure or injection attacks
  • Remote code execution on our servers


We are not interested in reports of the following issues:

  • Scenarios where the user takes over their own account, including self-XSS
  • Spamming of RealSelf
  • Creation of accounts with false information
  • Denial-of-service attacks against RealSelf's CDN or other service providers
  • Traffic volume-based denial of service attacks
  • Issues requiring physical access to, or prior compromise of, RealSelf's premises or those of one of RealSelf's service providers
  • Social engineering of any type, including of users or RealSelf staff
  • Scenarios which require prior privileged access to a victim's device or use of development mode features in browsers
  • Scenarios where prior compromise of a user's information assets (such as their email account) allow RealSelf account takeover
  • Vulnerabilities which only disclose the existence of a user or allow user enumeration
  • Criticism of RealSelf's authentication policies (including password policies), account recovery requirements, or other customer service processes
  • Uninterpreted reports from scans indicating potential vulnerability
  • Invalid or missing DNS records including DANE, CAA, SPF, DKIM, and similar record classes
  • Issues related to software, services, and protocols not under RealSelf's control
  • Vulnerabilities which require users to use old and out-of-support client software
  • Issues without a clearly identified security impact, including the absence of unnecessary protective measures and "vulnerabilities" which when exploited do not cause any problems
  • Missing restrictive headers, flags, or tokens (including CSRF tokens) that would not mitigate any actual threat if they were present

Any service not directly hosted or controlled by RealSelf is also out of scope, some of which are listed below:


Safe Harbor Language

The language around safe harbor for this program can be found on the following page:

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.