Program stats

127 vulnerabilities rewarded

Validation within 4 days
75% of submissions are accepted or rejected within 4 days

$536.66 average payout (last 3 months)

Recently joined this program

505 total

We appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. Being proactive rather than reactive to emerging security issues is a fundamental belief at Smartsheet. Every day new security issues and attack vectors are created. Smartsheet strives to keep abreast of the latest state-of-the-art security developments by working with security researchers and companies. We appreciate the community's efforts in creating a more secure world.

This program adheres to the Bugcrowd Vulnerability Rating Taxonomy for the prioritization/rating of findings.


Additional Information

  • Only, domains are in scope.
  • is out of scope
  • Please do not test against the feedback form for the Early Adopter Program
  • Automated scanners MUST BE single threaded / rate limited
  • Release notes found here.

Accessing the target:

Focus Areas:

  • Account Takeovers (do not test against customer accounts)
  • Customer information disclosure and manipulation

Out of Scope

  • Phishing
  • DoS, DDoS testing

The following finding types are specifically excluded from the bounty:

Legal Stuff

As a condition of participation in this program, you hereby grant Smartsheet, its affiliates and customers a perpetual, irrevocable, worldwide, royalty-free, transferrable, sub-licensable (through multiple tiers) and non-exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create a derivative work from, make, use, sell, offer for sale and import the Submission, as well as any materials submitted to Smartsheet in connection therewith, for any purpose.

You must comply with all applicable laws in connection with your participation in this program. As well, this program is not an offer of employment, nor of a contractual relationship between Smartsheet and any other party. You are also responsible for any applicable taxes associated with any reward you receive.

We may modify the terms of this program or terminate this program at any time. We will not apply changes to this program retroactively.

This bounty requires explicit permission to disclose the results of a submission.


This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.