Ensuring the security and integrity of the Twilio platform is critical to the service we provide to our customers. We are committed to providing a secure product and appreciate help from the community in responsibly identifying ways for us to improve Twilio. We will make an effort to respond as fast as possible.

Targets

In scope

  • Twimlbin -- twimlbin.com
  • Authy API-- api.authy.com - Researchers should use trial accounts (as above) to test the API
  • Authy Dashboard -- dashboard.authy.com - Researchers are encouraged to create accounts with our service as part of testing
  • SIP endpoint -- www.twilio.com/user/account/sip-trunking/trunks/add
  • SIP endpoint -- www.twilio.com/docs/sip
  • Video -- Once an account is created you can access and enable video here: www.twilio.com/user/account/video/getting-started
  • Twilio WebRTC Client -- www.twilio.com/help/faq/twilio-client (Researchers should use trial accounts (as above) to test the WebRTC Client and Backend)
  • Lookups API -- www.twilio.com/docs/api/rest/lookups
  • Monitor API -- www.twilio.com/docs/api/rest/monitor-events
  • Pricing API -- www.twilio.com/docs/api/rest/pricing
  • Network Traversal Service -- www.twilio.com/docs/stun-turn
  • TaskRouter -- taskrouter.twilio.com
  • API -- api.twilio.com - Researchers should use trial accounts (as above) to test the API
  • Website and Account Portal -- www.twilio.com/ (Users are encouraged to create accounts with our service as part of testing.)

All testing and disclosure must follow the Bugcrowd Standard Disclosure Terms (https://bugcrowd.com/resources/standard-disclosure-terms)

NOTE: Once a vulnerability is found please file a submission immediately. Our security team will investigate and assess the impact.

NOTE: Network Level DDoS/DoS attacks are forbidden. Application volumetric DDoS/DoS attacks are forbidden, if you find a request that takes too long to answer report it, please do not try to DoS the service.

Interacting with real customers is forbidden.

To prevent being locked out please throttle automated testing

Reward Guidelines

P1 – CRITICAL (Awarded at or above $2,000)
Vulnerabilities that cause a privilege escalation on the platform from unprivileged to admin, allows remote code execution, financial theft, etc.
Examples:
- Remote Code Execution in the API, TWiML or on other Twilio Services
- SQL Injection
- User authentication bypass
- Unauthorized cross-account Access or Data (Note Bounty Rules Below)

P2 – HIGH (Awarded at $1,000 +/- depending on impact)
Vulnerabilities that affect the security of the platform including the processes it supports. Examples:
- Lateral authentication bypass,
- Stored XSS (Against another account)
- Moderate Account/Authentication/Session issues (Such as 2FA Bypass)
- Direct object reference (Allowing unauthorized access)
- Bugs which are novel and have a tangible security impact

P3/P4 – MEDIUM/LOW (Awarded up to $500)
Vulnerabilities that affect small-medium numbers of users,
Examples:
- Reflective or Stored XSS
- URL Redirect, some CSRF depending on impact
- Authenticated CSRF, depending on impact.
- SSL/Cipher Issues with tangible security impact.

P5 – Won’t Fix
Non-exploitable weaknesses and “won’t fix” vulnerabilities. Issues that affect singular users and require interaction or significant prerequisites (MitM) to trigger.

Rules

This bounty follows Bugcrowd’s standard disclosure terms.

- Bounties are awarded at the discretion of the Twilio Security Team
- You must not interact or attempt to access any account without the account owner's permission
- Multiple bounties will not be awarded for variations or multiple instances of the same bug
- Duplicate entries will only be awarded to the first submission

Submissions that will not be eligible for a reward:
- Phishing or Social Engineering Techniques
- Best Practice SSL, Ciphers or other configurational items
- Any bugs reliant on a user sharing their login credentials with an attacker or an attacker already with user account access
- Descriptive error messages (e.g. Stack Traces, application or server errors)
- Login Page / Forgot Password Page Account Brute force or account lockout not enforced
- HTTP 404 codes/pages or other HTTP non-200 codes/pages
- Banner disclosure on common/public services
- Disclosure of known public files or directories, (e.g. robots.txt)
- Clickjacking and issues only exploitable through clickjacking
- Self-XSS and issues exploitable only through Self-XSS
- CSRF on forms that are available to anonymous users (e.g. the contact form)
- Logout Cross-Site Request Forgery (logout CSRF)
- Presence of application or web browser ‘autocomplete’ or ‘save password'
- "Session too long,” password reset/change logout or other intended business functionality
- Flaws in customer applications or SDK code
- Third party hosted services, such as support.twilio.com
- Best practice security headers (Including Cross-Origin Resource and Host header issues)