bug bounty disclosure program

The software security research community makes the web a better, safer place. supports their bug-hunting efforts with a bounty program.

To report a vulnerability, please email the team at Be sure to include "bug bounty disclosure" in the subject line.

Qualifying vulnerabilities

The following domains and apps are within the scope of the program:

  • *
  • *
  • Mobile for iOS
  • Mobile for Android

To be eligible, you must demonstrate a security compromise on any of these domains using a reproducible exploit, including the following:

  • Cross-site request forgery exploits
  • Authentication or authorization flaws
  • Official mobile apps or API flaws
  • Server-side code execution bugs
  • Injection flaws
  • Significant security misconfigurations

NOT XSS (usually): Experience has shown that reports of cross-site scripting (XSS) vulnerabilities are often NOT ELIGIBLE for bounty payments because they do not support an actual exploit in's environment. If you found an XSS vulnerability, please send it in, but time might be better spent looking for the qualifying vulnerabilities listed above.

Rules for eligibility

  • Don’t make the bug public before it has been fixed.
  • Don’t attempt to gain access to another user’s account or data. Use your own test accounts for cross-account testing.
  • Don’t perform any attack that could harm the reliability/integrity of services or data. DDoS/spam attacks are not allowed.
  • Only test for vulnerabilities on sites or apps you know are operated by Some sites hosted on subdomains of are operated by third parties and should not be tested.
  • Do not impact other users with your testing. This includes testing for vulnerabilities in accounts you do not own. 
  • Don’t use scanners or automated tools to find vulnerabilities. 
  • No non-technical attacks such as social engineering, phishing, or physical attacks against employees, users, or infrastructure.
  • The more thorough the proof-of-concept, the higher the chance a payout will be awarded.
  • When in doubt, contact staff at staff will respond as quickly as possible to your submission, and will keep you updated as the bug is verified and fixed.


Note: deals only with principals, not vulnerability brokers. If you reside in a country on a United States restricted export control list, or are on a United States state or federal criminal wanted list or restricted export control list, you may not be eligible to participate in this program. staff will make the final decision on bug eligibility and value. This program exists entirely at the discretion of the owner of and may be modified or canceled at any time. Any changes made to this program's terms do not apply retroactively. Thank you for helping to make more secure.

