Socrata

  • $150 – $2,500 per vulnerability
  • Partial safe harbor
  • Managed by Bugcrowd

Program stats

171 vulnerabilities rewarded

Validation within 2 days
75% of submissions are accepted or rejected within 2 days

$875 average payout (last 3 months)


Socrata helps public sector organizations improve transparency, citizen service, and data-driven decision-making. Our user-friendly solutions deliver data to governments trying to reduce costs, to citizens who want to understand how their tax dollars are used, and to civic hackers dedicated to creating new apps and improving services.

We take the security of our systems seriously, and we value the security researcher community. The disclosure of security vulnerabilities by security researchers helps us ensure the security and privacy of our users and makes the Web a safer place for all.

Because our platform is built for data sharing, it is worthwhile for researchers to familiarize themselves with the account permission models in place, and especially with our Socrata Query Language (SoQL).


Guidelines

  • We strictly prohibit the use of automated scanners - we have our own DAST :)
  • All testing should be limited to 0700-1800 PDT (GMT -7) - this helps our on-call staff stay sane :)
  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing
  • Perform research only within the scope set out below
  • Use the identified communication channels to report vulnerability information to us
  • Keep information about any vulnerabilities you’ve discovered confidential between yourself and Socrata

If you follow these guidelines when reporting an issue to us we commit to:

  • Not institute civil legal action against you, and not support a criminal investigation
  • Work with you to understand and resolve the issue quickly (confirming the report within one week of submission)
  • Recognize your contribution on our Security Researcher Hall of Fame, if you are the first to report the issue and we make a code or configuration change based on the issue
  • Thank you for participating and happy hunting!

Rewards

To be eligible for a reward, your submission must include clear reproduction steps and provide details around exploitability and impact. Including screenshots or providing a video is helpful as well.

Scope and rewards

Technical severity    Reward range
P1 Critical           $2,100 - $2,500
P2 Severe             $1,000 - $1,250
P3 Moderate           $450 - $600
P4 Low                $150 - $200

P5 submissions do not receive any rewards for this program.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.