Statuspage

  • $200 – $4,000 per vulnerability
  • Safe harbor

Program stats

  • Vulnerabilities rewarded 136
  • Validation within 7 days 75% of submissions are accepted or rejected within 7 days
  • Average payout $200 within the last 3 months

Latest hall of famers

Recently joined this program

Statuspage launched in 2013 to give companies a better way to be more transparent with their customers. We recognize managing a status page outside of one’s own infrastructure can be a hassle, and hope to increase the transparency of the web by making it easier to do so.

Before you begin, please read and understand the Standard Disclosure Terms.

Below is a list of some of the vulnerability classes that we are seeking reports for:

  • Server-side Remote Code Execution (RCE)
  • Server-Side Request Forgery (SSRF)
  • Stored/Reflected Cross-site Scripting (XSS)
  • Cross-site Request Forgery (CSRF)
  • SQL Injection (SQLi)
  • XML External Entity Attacks (XXE)
  • Access Control Vulnerabilities (Insecure Direct Object Reference issues, etc)
  • Path/Directory Traversal Issues

Ensure you review the out of scope and exclusions list for further details.

Accessing Statuspage

Please visit https://manage.statuspage.io/security-researcher to identify yourself as a security researcher, this will give you a free account for a month. You'll need to create an account and log in to view this page.

Disclosure Request Guidance

Submissions that meet the following requirements will be considered for disclosure upon request:

  • The submission has been accepted
  • The reported vulnerability has been fixed and released in production
  • The submission does not regard a customer instance or a customer’s account

Scope and rewards

Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please submit through the Bugcrowd Support Portal. We will address your issue as soon as possible.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.