


Author Topic: Bugcrowd Bug Bounty  (Read 14174 times)

Angelina

  • Moderator
  • Experienced Member
  • *****
  • Posts: 357
Bugcrowd Bug Bounty
« on: June 09, 2023, 06:44:47 pm »
submit bug report: https://bugcrowd.com/bugcrowd

Bugcrowd orchestrates the creativity of the crowd to solve some of cybersecurity's toughest challenges. Our own security is our highest priority.

If you think you’ve found a security vulnerability in our systems, we invite you to report it to us via our platform. We commit to working with you to get it assessed and handled appropriately, and offer cash rewards for valid, unique vulnerability reports.

This program is for reporting potential security vulnerabilities only. If you want to report a functional bug, require assistance with a submission, or have a general question, please visit our contact page.

We’ve set up a bounty on the Bugcrowd platform called Hack Me!, where you’re welcome to hack as if on a customer’s bounty. Please do not ever test against a real customer’s bounty. As stated in our code of conduct, disruptive testing which affects other Researchers’ access to the testing environment, or adversely impacts a customer’s systems and/or accounts is prohibited.

Our bounty program adheres strictly to Bugcrowd’s Vulnerability Rating Taxonomy – a collaborative, community-driven effort to classify common security vulnerabilities and identify baseline severity ratings based on real findings across hundreds of bug bounty programs. Before submitting your vulnerability, consult the VRT to determine its severity and whether it may be eligible for a reward. Vulnerabilities with a P5 baseline rating according to the VRT are generally not eligible for a bounty. If you’d like to make a suggestion to improve the VRT, you can create an issue on GitHub.

Bonuses
When presented with especially interesting High (P2) or Critical (P1) Priority vulnerabilities – especially if our internal knowledge allows us to identify a much greater impact than what an outside researcher's proof-of-concept may have suggested on its own – we may choose to award an additional bonus amount of up to 100% of the initial reward suggested by our priority guidelines. Such bonuses are always at our discretion.

We are most interested in vulnerabilities on our core platform and infrastructure, which run on Amazon Web Services. However, if you identify a host not listed in the Targets section that you can reasonably demonstrate belongs to Bugcrowd, feel free to submit a report asking about its eligibility. Such reports will not result in a penalty, even if it turns out that the given target is ineligible. If deemed eligible, reports against such targets will be assessed on a case-by-case basis.

Authenticated testing is limited to whatever credentials you can self-provision - no supplemental credentials or access will be provided for testing.

Focus Areas
At Bugcrowd, the privacy and security of clients is of paramount importance - to this end, we're now offering direct incentives if researchers are able to identify Bugcrowd clients in a programmatic fashion. For this, there are two general groupings listed below. Note that brute forcing is out of scope, as are client-leaked preview links (e.g. https://bugcrowd.com/company?preview=a6c825b66c733a78c147bec1d51306b8), and as always, a PoC is required:

  • Can you programmatically enumerate all non-public Bugcrowd clients? - up to $3500
  • Can you programmatically enumerate some (>10) non-public Bugcrowd clients? - up to $1500 (this may be increased depending on impact)

Excluded Submission Types
Vulnerability reports lacking manual validation, such as those solely reliant on automated tools and scanners, or those that describe theoretical attack vectors without substantiated proof of exploitability, will be classified as "Not Applicable".

  • Rate Limiting
  • EXIF data not stripped from file attachments on Submissions
  • github.com/bugcrowd.com PRs, Issues, unless the finding revolves around credential leakage or critical impact

Out of Scope
Submissions outlining the ability for a researcher to set their username to match the format used by Bugcrowd Staff, Customers and ASE team are Out of Scope. The username alone has no effect in user permissions on our platform.

  • adding any variation of *_bugcrowd to the username for normal users

Non-Rewardable Targets
Our approach to rewarding vulnerabilities is based on implementing code changes. In the case of a 3rd party system where the code change falls outside our reach to fix, the vulnerability will not be up for a cash prize.

Specific areas include:

  • 3rd party services listed below

We reserve the right to provide rewards for exceptionally impactful and informative submissions, even if they are targeting assets that are not typically eligible for rewards. However, the highest payouts will be reserved for the explicitly listed in-scope targets.