Ensuring the security and integrity of the Twilio platform is critical to the service we provide to our customers. We are committed to providing a secure product and appreciate help from the community in responsibly identifying ways for us to improve Twilio. We will make an effort to respond as fast as possible.

Please note, Twilio continuously pushes out new code. In the event you don't find anything today, there may be something present tomorrow. This is a great opportunity for Twilio and the researcher community to work together to find vulnerabilities!

Targets

In scope

  • *.twilio.com
  • api.twilio.com
  • Any host/web property verified to be owned by Twilio (domains/IP space/etc.)
  • *.authy.com

All third-party hosted services, such as support.twilio.com, are explicitly out of scope.

Focus Areas

  • Authy API
    • Researchers should use trial accounts to test the API
  • Authy Dashboard
    • Dashboard.authy.com
    • Researchers are encouraged to create accounts with our service as part of testing
  • SIP Endpoint
    • www.twilio.com/user/account/sip-trunking/trunks/add
  • SIP Endpoint
    • www.twilio.com/docs/sip
  • Video
    • Once an account is created you can access and enable video here: www.twilio.com/user/account/video/getting-started
  • Twilio WebRTC Client
    • www.twilio.com/help/faw/twilio-client
    • Researchers should use trial accounts (as above) to test WebRTC Client and backend
  • Lookups API
    • www.twilio.com/docs/api/rest/lookups
  • Monitor API
    • www.twilio.com/docs/api/rest/monitor-events
  • Pricing API
    • www.twilio.com/docs/api/rest/pricing
  • Network Traversal Service
    • www.twilio.com/docs/stun-turn
  • TaskRouter
    • taskrouter.twilio.com
  • API
    • api.twilio.com
    • Researchers should use trial accounts (as above) to test API
  • Website and Account Portal
    • www/twilio.com
    • Researchers are encouraged to create accounts with our service as part of testing
  • Any host verified to be owned by Twilio (domains/IP space/etc.)

PLEASE NOTE:

  • Once a vulnerability is found, please file a submission immediately. Our security team will investigate and assess the impact.
  • Network-level DDoS/DoS attacks are forbidden.
  • Application-level volumetric DDoS/DoS attacks are forbidden. If you find a request that takes too long to answer, report it; please do not try to DoS the service.
  • Interacting with real customers is forbidden.
  • To prevent being locked out, please throttle automated testing.

Reward Guidelines

The following guidelines give you an idea of what we usually pay out for different classes of bugs - for all things not listed below, this program follows the Bugcrowd VRT for prioritizing issues.

PRIORITY   MIN PAYOUT   MAX PAYOUT
P1         $2000        $5000
P2         $800         $1500
P3         $200         $400
P4         $100         $150

Exclusions

  • "Session too long," password reset/change logout or other intended business functionality
  • Flaws in customer applications or SDK code
  • Best-practice security headers (including Cross-Origin Resource and Host header issues)
  • Bounties are awarded at the discretion of the Twilio Security Team
  • You must not interact or attempt to access any account without the account owner's permission
  • Multiple bounties will not be awarded for variations or multiple instances of the same bug
  • Duplicate entries will only be awarded to the first submission
  • WordPress related findings

This bounty follows Bugcrowd’s Standard Disclosure Terms.