Django is used to power some of the most important sites on the web and its increasing popularity has made it a critical piece of internet infrastructure. If you’ve found a security bug that could potentially impact the security of these sites, you have our thanks and might be eligible for a cash reward.
Bounty amounts are based on severity and will range from $250 to $3,000 USD.
The Fine Print
- Responsibly disclose a previously unknown vulnerability using the HackerOne platform, or directly to us while following our guidelines for reporting security issues
- The vulnerability must significantly compromise the security of a typical Django installation.
- Low priority vulnerabilities, such as Denial of Service attacks, are unlikely to qualify.
- Vulnerabilities in dependencies may qualify only if they are exploitable in the context of a typical Django installation.
- You should install Django on a server you own and test locally. Testing against a server without permission is grounds for disqualification. For help, see our Getting Started Guide
- We maintain a detailed archive of security issues to provide examples of the type of issues we’re interested in learning about.
- If you’re also a developer, you can optionally send us a patch for the issue. If we end up accepting your patch, we may add an extra bonus to your bounty depending on the complexity and completeness of the patch.
YOU MAY NOT TEST AGAINST SERVERS YOU DO NOT HAVE EXPLICIT PERMISSION TO TEST. YOU DO NOT HAVE PERMISSION TO SCAN THE DJANGOPROJECT.COM SERVERS.
IF YOU TEST AGAINST THE DJANGOPROJECT.COM SERVERS, YOU WILL NOT BE REWARDED ANY BOUNTY.
The Django team reserves the right to make the final call on the specific bounty amount for any issue, but to give you an idea of our priorities, here are some rough ranges for bounties, and the types of issues we expect would fall into each range:
Severe issues: $2000 - $3000
- Remote code execution
- SQL injection
Moderate issues: $500 - $2000
- Broken authentication
Low severity issues: $250 - $1000
- Sensitive data exposure
- Broken session management
- Unvalidated redirects/forwards
- Issues requiring an uncommon configuration option
No Reward: $0
- Any behavior which is clearly documented
- Any behavior which is the result of deliberate misconfiguration
- Issues in third-party libraries (please report issues directly to the maintainers)
- Issues discovered while scanning without permission
- The OPTIONS header