• $200 – $4,500 per vulnerability
  • Up to $10,000 maximum reward

Program stats

  • Vulnerabilities rewarded 99
  • Validation within 2 days 75% of submissions are accepted or rejected within 2 days
  • Average payout $821.42 within the last 3 months

Latest hall of famers

Recently joined this program

1674 total

RealSelf is the leading and most trusted source for people considering an elective cosmetic treatment. More than ten years ago, we built RealSelf as the destination for people to learn about cosmetic procedures, share their experiences, and connect with top providers.

Today there are more cosmetic treatment options than ever before—from Botox to laser hair removal, microneedling to CoolSculpting. That’s why RealSelf provides unbiased information about cosmetic procedures and the doctors and clinicians who perform them. Every month, millions of RealSelf visitors research procedures and connect with highly qualified providers. RealSelf is a must-visit resource for people considering cosmetic treatments and providers seeking to connect with them. We help millions of people find the right treatment and provider for them.

RealSelf invites you to test and help secure our public-facing assets. We appreciate your efforts and hard work in making the internet (and RealSelf) more secure, and look forward to working with the researcher community to create a meaningful and successful bug bounty program. Good luck and happy hunting!

Our bug bounty program allows you to test the production edition of our site. This is risky business. To make sure your testing doesn't interfere with our users and cause the very problems we are trying to prevent, we ask:

  • Use a username ending in _bugc to identify yourself as a bug bounty participant, for all the accounts you create on our site
  • Use your email address for all accounts you create on our site (we support email addresses to allow you to test with several accounts)
  • Do not interact with users or content that you did not create yourself. Please contact us if you need to access other content to test something, and we will do our best to set you up with what you need.
  • Do not leave attack remnants on the site for other users to discover. If you create content that you find you cannot delete, please contact us to let us know as soon as possible.
  • Normal users must not see the data that you are posting to the systems. For example, please do not drop SQL injection attempts into the middle of live user comments and discussions.
  • Users must not be contacted or messaged in the research of an exploit, and you must not harass site users.
  • Our community managers and other staff may take actions that interfere with your testing as we defend against your attack. If this happens, contact us and we'll work out a test plan.

If we find you did not abide by these rules while testing our site, we will not award a bounty and may terminate your participation.


For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

Scope and rewards

Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email We will address your issue as soon as possible.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.