Twilio

  • $100 – $5,000 per vulnerability
  • Up to $10,000 maximum reward
  • Managed by Bugcrowd

Program stats

258 vulnerabilities rewarded

Validation within 3 days
75% of submissions are accepted or rejected within 3 days

$305 average payout (last 3 months)

Disclosure

Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

Ensuring the security and integrity of the Twilio platform is critical to the service we provide to our customers. We are committed to providing a secure product and appreciate help from the community in responsibly identifying ways for us to improve Twilio. We will make an effort to respond as fast as possible.

This program follows the Bugcrowd VRT for prioritizing submissions.

Twilio Flex Bonus!

From December 5 to December 31, 2019, Twilio is running a special bonus: flex.twilio.com and any feature introduced exclusively for Flex are in scope, and during this period researchers earn 2x rewards at all advertised priority levels for all submissions related to these assets! To get started with Flex and to learn more about the product, please see the product docs. Note: please only test against accounts which you own; if you want to check for cross-account attacks, you may create multiple accounts.

Flex bonus reward range (2x the standard range below)

Technical severity Reward range
P1 Critical $4,000 - $10,000
P2 Severe $1,600 - $3,000
P3 Moderate $400 - $800
P4 Low $200 - $300

Reward Range

Technical severity Reward range
P1 Critical $2,000 - $5,000
P2 Severe $800 - $1,500
P3 Moderate $200 - $400
P4 Low $100 - $150

P5 submissions do not receive any rewards for this program.

Targets

In scope

Target name Type
*.authy.com Other
Any host/ web property verified to be owned by Twilio (domains/IP space/etc.) Other
api.twilio.com API
*.twilio.com Website
*.flex.twilio.com Website

Twilio Safe Harbor

We will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Acceptable Use Policy, we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.

If legal action is initiated by a third party against you and you have complied with Twilio's bug bounty policy, Twilio will take steps to make it known that your actions were conducted in compliance with this policy.

Please submit a Bugcrowd report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.

Out of Scope

  • All third-party hosted services, such as support.twilio.com, are explicitly out of scope.
  • Ytica and its assets are explicitly out of scope.
  • SendGrid and its assets are explicitly out of scope.

Ground Rules

  • Once a vulnerability is found please file a submission immediately. Our security team will investigate and assess the impact.
  • Network-level DDoS/DoS attacks are forbidden, as are application-level volumetric DDoS/DoS attacks. If you find a request that takes unusually long to answer, report it; please do not try to DoS the service.
  • Interacting with real customers is forbidden.
  • To prevent being locked out, please throttle automated testing.
  • Please note, if you think you have found a problem but cannot prove it without accessing Twilio's Internal Systems, please submit your finding and we'll be happy to work with you for validation.

Focus Areas

  • Authy
    • API (Researchers should use trial accounts to test the API)
    • All Authy applications (iOS, Android, Chrome App, OSx and Windows)
    • Researchers are encouraged to create accounts with our service as part of testing
  • SIP Endpoint
    • www.twilio.com/user/account/sip-trunking/trunks/add
    • www.twilio.com/docs/sip
  • Video
    • Once account is created you can access and enable video here: www.twilio.com/user/account/video/getting-started
  • Twilio WebRTC Client
    • www.twilio.com/help/faw/twilio-client
    • Researchers should use trial accounts (as above) to test WebRTC Client and backend
  • Lookups API
    • www.twilio.com/docs/api/rest/lookups
  • Monitor API
    • www.twilio.com/docs/api/rest/monitor-events
  • Pricing API
    • www.twilio.com/docs/api/rest/pricing
  • Network Traversal Service
    • www.twilio.com/docs/stun-turn
  • TaskRouter
    • taskrouter.twilio.com
  • API
    • api.twilio.com
    • Researchers should use trial accounts (as above) to test API
  • Website and Account Portal
    • www.twilio.com
    • Researchers are encouraged to create accounts with our service as part of testing
  • Any host verified to be owned by Twilio (domains / IP space / etc.)

Please note, Twilio continuously pushes out new code. In the event you don't find anything today, there may be something present tomorrow. This is a great opportunity for Twilio and the researcher community to work together to find vulnerabilities!

Exclusions

  • "Session too long," password reset/change logout or other intended business functionality
  • Flaws in customer applications or SDK code
  • Best practice security headers (including Cross-Origin Resource and Host header issues)
  • WordPress related findings
  • TwimlBin related findings
  • store.twilio.com
  • Flash findings that require Flash to be enabled (especially XSS requiring extra clicks in modern browsers) will be P4 or P5 depending on the domain
  • OpenVBX related findings
  • BeepSend Subdomain Takeovers [Temporary Exclusion]
  • Subdomain takeovers of TLDs used for demo or test purposes only [such as companyfoo.com]
  • Demo websites e.g. lab.authy.com
  • All Kurento domains
  • twiliotraining.com

Rules

  • Bounties are awarded at the discretion of the Twilio Security Team
  • You must not interact or attempt to access any account without the account owner's permission
  • Multiple bounties will not be awarded for variations or multiple instances of the same bug
  • Duplicate entries will only be awarded to the first submission
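Before pointing any automation at a host it helps to encode the Targets table and the explicitly excluded hosts from the Out of Scope and Exclusions sections as a scope check. The following is an added example, not Twilio's or Bugcrowd's code: it matches the wildcard entries the way Bugcrowd lists them (a leading "*." covers any depth of subdomain, and on a strict reading not the bare apex), rejects look-alike hosts such as evil-twilio.com or twilio.com.attacker.net, and treats anything it cannot place as "unknown" because the page's "any host verified to be owned by Twilio" clause cannot be expressed as a list. The entry sendgrid.com is assumed here as SendGrid's primary domain; the page only says "SendGrid and its assets".

```python
"""Scope check for the Twilio bug bounty target list (added example, not program code)."""
from urllib.parse import urlsplit

# In-scope patterns copied from the Targets table on the program page.
IN_SCOPE = (
    "*.authy.com",
    "api.twilio.com",
    "*.twilio.com",
    "*.flex.twilio.com",
)

# Hosts the Out of Scope and Exclusions sections name explicitly.
# sendgrid.com is an assumption: the page says "SendGrid and its assets"
# without listing the domain.
OUT_OF_SCOPE = (
    "support.twilio.com",
    "store.twilio.com",
    "lab.authy.com",
    "twiliotraining.com",
    "sendgrid.com",
)


def normalize_host(target: str) -> str:
    """Reduce a URL or bare host to a lowercase hostname without scheme, port or path."""
    if "://" not in target:
        target = "//" + target  # let urlsplit parse "www.twilio.com/docs/sip" as netloc
    host = urlsplit(target).hostname  # urlsplit lowercases and strips the port
    if not host:
        raise ValueError(f"no hostname in {target!r}")
    return host.rstrip(".")


def host_matches(pattern: str, host: str) -> bool:
    """True if host is covered by pattern.

    "*.example.com" covers a.example.com and a.b.example.com but, read strictly,
    not the apex example.com. A plain name covers itself and its subdomains.
    Matching on the dotted suffix keeps evil-example.com and
    example.com.attacker.net out.
    """
    pattern = pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern or host.endswith("." + pattern)


def classify(target: str) -> str:
    """Return "out", "in" or "unknown" for a URL or hostname.

    Exclusions win over in-scope wildcards, so support.twilio.com is "out"
    even though *.twilio.com would otherwise cover it.
    """
    host = normalize_host(target)
    if any(host_matches(p, host) for p in OUT_OF_SCOPE):
        return "out"
    if any(host_matches(p, host) for p in IN_SCOPE):
        return "in"
    # The page also allows any host verified to be Twilio-owned; a list cannot
    # express that, so anything else needs manual verification before testing.
    return "unknown"


if __name__ == "__main__":
    # Constructed sample targets mixing in-scope, excluded and look-alike hosts.
    for t in (
        "https://api.twilio.com/2010-04-01/Accounts",
        "www.twilio.com/docs/sip",
        "support.twilio.com",
        "evil-twilio.com",
        "twilio.com.attacker.net",
    ):
        print(f"{classify(t):8} {t}")
```

Run the check over a candidate list before starting a scan; only hosts classified "in" should be touched, and "unknown" hosts should be confirmed as Twilio-owned (or submitted for clarification, as the Ground Rules suggest) first.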

This bounty follows Bugcrowd’s Standard Disclosure Terms.

Program rules

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.