Bug Bounty Programs

  • Points – $100,001 per vulnerability
  • Safe harbor

Scanners & Request Headers

We have been asked by T-Mobile to discontinue the use of all automated vulnerability scanners on their program. Custom scripts and fuzzing tools are still permitted, but if using them, please keep your traffic to 5 requests per second or less.

Please also add the following request header to your traffic: X-Bug-Bounty:BugCrowd-<username>

Failure to comply may result in removal from the program.

Additionally, the client already runs automated scans against the in-scope targets, so using these tools is likely of minimal utility to researchers. As such, please avoid using them except for targeted, specific testing, and then only at less than 5 requests per second. Thanks!

If you have any questions, please reach out to support@bugcrowd.com for any clarification on why scanners are no longer allowed.