• Points per vulnerability
  • Partial safe harbor
  • Managed by Bugcrowd

Program stats

66 vulnerabilities rewarded

Validation within 5 days
75% of submissions are accepted or rejected within 5 days

Latest hall of famers

Recently joined this program

Our platform of secure edge services is developed in pursuit of our ultimate mission: to make the internet safe. We greatly value the hard work and genius of the internet security research community, and welcome reports of any discovered StackPath platform vulnerability.

If you identify a vulnerability in our platform please notify us right away through the methods outlined in our Vulnerability Disclosure Program. We investigate all reported vulnerabilities and resolve identified issues as quickly as possible. We appreciate your efforts and cooperation avoiding privacy violations, damaging data, or otherwise interrupting or causing a negative impact on any of our services as you conduct your research.


For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.


  • Perform research only within scope.
  • If you find a vulnerability that exposes customer or employee personal information, Stop testing and report the issue immediately.
  • If you gain access to any non-public application or non-public credentials, Stop testing and report the issue immediately.
  • Do not purposefully attempt to degrade systems or services during testing.
  • Collect and submit all information necessary to demonstrate the vulnerability.
  • Submit any necessary screenshots, screen captures, network requests, reproduction steps or similar using the Bugcrowd submission form (do not use third party file sharing sites).
  • Only target your own account and do not attempt to access data from anyone else’s account that you do not expressly own.
  • Follow the Bugcrowd “Coordinated Disclosure” rules

Focus Areas

  • Cross Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)
  • Cross-Origin Resource Sharing (CORS)
  • Server-side Request Forgery (SSRF)
  • XML External Entities (XXE)
  • SQL Injection (SQLi)
  • Authentication related issues
  • Authorization related issues
  • Data Exposure
  • Redirection attacks
  • Remote Code Execution (RCE)
  • Clickjacking
  • Insecure Deserialization
  • Business Logic
  • Unauthorized API actions
  • Domain takeover
  • Web Application Firewall (WAF)
  • Application Denial of Service (L7 DoS)
  • Clever vulnerabilities that do not fall into the above categories

Excluded Submission Types

  • Vulnerability reports which do not include careful manual validation
  • Reports based only on results from automated tools and scanners
  • Theoretical attack vectors without proof of exploitability
  • Any customer hosted systems or services
  • Issues related to third-party vendor's
  • Social engineering / phishing
  • Attacks requiring physical access to a user's machine
  • Missing or incorrect SPF/DMARC/DKIM records

Third-party bugs

If there is no impact on StackPath servers or services, researchers will be encouraged to contact the third-party vendor directly.

This program only awards points for VRT based submissions.


In scope

Target name Type
Any host owned by StackPath Other
Any product/service offered by StackPath Other Website Website Website Website
* - Any host or services Other
* - Any host or services Other
* - Any host or services Other
* - Any host or services Other
* - Any host or services Other
* - Any host or services Other
* - Any host or services Other
<your-instance> Other

Out of scope

Target name Type
<customer> Other
* Other
* Other

Testing is only authorized on the targets listed as In-Scope. Any domain/property of StackPath not listed in the targets section is out of scope. If you believe you've identified a vulnerability on a system outside the scope, please reach out to before submitting.


All of the above targets are publicly accessible, researchers are encouraged to create trial accounts to test with, or utilize any existing accounts already legally owned. Please DO NOT perform any testing against accounts you do not expressly own.

API Documentation

Additional Information:

Researchers are encouraged to check our status page for any ongoing issues that may interfere with testing.

If you have any questions regarding the StackPath program, please reach out to

Happy Hunting!

Program rules

This program follows Bugcrowd’s standard disclosure terms.