Statuspage

Hosted status pages for SaaS, infrastructure, and API-based companies

  • $200 – $4,000 per vulnerability
  • Safe harbor
  • Managed by Bugcrowd
Submit report

Program stats

118 vulnerabilities rewarded

Validation within 17 days
75% of submissions are accepted or rejected within 17 days

$1,800 average payout (last 3 months)

Latest hall of famers

View all 336

Recently joined this program

981 total

Statuspage launched in 2013 to give companies a better way to be more transparent with their customers. We recognize managing a status page outside of one’s own infrastructure can be a hassle, and hope to increase the transparency of the web by making it easier to do so.

Before you begin, please read and understand the Standard Disclosure Terms.

Below is a list of some of the vulnerability classes that we are seeking reports for:

  • Server-side Remote Code Execution (RCE)
  • Server-Side Request Forgery (SSRF)
  • Stored/Reflected Cross-site Scripting (XSS)
  • Cross-site Request Forgery (CSRF)
  • SQL Injection (SQLi)
  • XML External Entity Attacks (XXE)
  • Access Control Vulnerabilities (Insecure Direct Object Reference issues, etc)
  • Path/Directory Traversal Issues

Ensure you review the out of scope and exclusions list for further details.

Accessing Statuspage

Please visit https://manage.statuspage.io/security-researcher to identify yourself as a security researcher, this will give you a free account for a month. You'll need to create an account and log in to view this page.

Scope and rewards

Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email support@bugcrowd.com. We will address your issue as soon as possible.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.