[{"id":3767338,"new_policy":"#Program Policy\nPlay by the rules. This includes following this policy (\"Policy\"), HackerOne’s [Disclosure Guidelines](https://hackerone.com/guidelines) and any other relevant agreements.\n\nTest only with your own account(s) when investigating bugs, and do not interact with other accounts without the consent of their owners. \n\nProvide us a reasonable amount of time to resolve the issue. We usually set the following terms for fixes: Low impact - 3 months, Medium impact - 1 month, High/Critical impact - up to 2 weeks for a fully functional fix. However, sometimes it could take more time. Please be patient, you will receive updates when, and if, there will be anything to share. \n\nYou have to avoid privacy violations, destruction of data, and interruption or degradation of our service.\nWe only accept the latest version of browsers for Google Chrome, Mozilla Firefox, Opera, Safari, and Edge.\n\nWhile researching, we'd like to ask you to refrain from:\n+ Denial of service.\n+ Spamming.\n+ Social engineering (including phishing) of Semrush staff or contractors.\n+ Any physical attempts against Semrush property or data centers.\n\nWe do not accept the following types of bugs:\n+ CSRF without clear impact.\n+ Any issues related to software not under Semrush’s control.\n+ Spam or Social Engineering techniques, including SPF/DMARC/DKIM issues.\n+ SSL/TLS best practices that do not contain a fully functional proof of concept.\n+ Broken links. 
Except links to social accounts of Semrush employees - ineligible for bounty\n+ Bugs that do not represent any security risk - these should be reported to mail@semrush.com.\n\nThe following bugs are unlikely to be eligible for a bounty:\n+ Missing DNSSEC settings.\n+ Attacks requiring physical access to a user's device.\n+ Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, HTTP methods, cookie flags, or descriptive error messages.\n+ Brute Force attacks.\n+ Issues related to Password Policy - strength, length, lockouts.\n+ Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV. Reflected file download attacks (RFD).\n+ Tab nabbing and window.opener-related issues\n+ Vulnerabilities affecting users of outdated browsers, plugins, or platforms.\n+ Vulnerabilities that allow for the injection of arbitrary text without allowing for hyperlinks, HTML, or JavaScript code to be injected.\n+ Vulnerabilities that require the user/victim to perform extremely unlikely actions (i.e. Self-XSS).\n+ IDN homograph attacks.\n+ Semrush user’s API-keys and credentials found on any third party services.\n+ Issues found in third party software used by Semrush with the exception of misconfigured 3rd party services. 
\n+ Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis\n+ Public Zero-day vulnerabilities that have been publicly disclosed for less than 72 hours\n\n#@wearehackerone.com email and custom header\nWhenever possible, please use your [@wearehackerone.com](https://docs.hackerone.com/hackers/hacker-email-alias.html) account (this may stop our fraud team from blocking your account and our Security team may set a bonus for a valid and detailed report), and set a header with your HackerOne username in your requests: ==X-hackerone: \u003ch1 username\u003e==.\nYou can do that with [Burp addon](https://portswigger.net/bappstore/807907f5380c4cb38748ef4fc1d8cdbc) or through Match and Replace option:\n1. Go to Proxy -\u003e Options -\u003e Match and Replace -\u003e Add\n2. Change Type to Request Header\n3. As the default text says in Match 'leave blank to add a new header'\n4. Put the new header in Replace\n\n#Legal Terms and Safe Harbor\nIn connection with your participation in this program, you agree to comply with [Semrush’s Terms of Service](https://www.semrush.com/company/legal/terms-of-service/) (\"Terms\") and [Semrush’s Privacy Policy](https://www.semrush.com/company/legal/privacy-policy/).\n\nSemrush employees and contractors are not eligible to receive bounties or rewards of any kind.\n\nWhen conducting vulnerability research according to this Policy, we consider this research conducted under this Policy to be:\n+ Authorized by Semrush and authorized in view of any applicable anti-hacking laws;\n+ Authorized in view of relevant anti-circumvention laws; and\n+ Lawful, helpful to the overall security of the Internet, and conducted in good faith.\n\nWithin the framework of the program described in this Policy, we will take reasonable steps not to initiate a lawsuit or law enforcement investigation against a researcher in response to reporting a vulnerability provided that the researcher fully 
complies with this Policy, HackerOne’s [Disclosure Guidelines](https://hackerone.com/guidelines) and with all applicable laws and regulations. \n\nYou are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to enter depending upon your local law. This is not a competition, but rather an experimental and discretionary reward program. You should understand that we can cancel the program at any time and the decision as to whether or not to pay a reward has to be entirely at our discretion. Your testing must not violate any law, or disrupt or compromise any data that is not your own.\n\nIf at any time you have concerns or are uncertain whether your security research is consistent with this Policy, please submit a report through one of our Official Channels (HackerOne or via security@semrush.com) before going any further.\n\n#Rewards\nWhen duplicates occur, we award the first report that we can completely reproduce.\n\nWe allow our hackers to split the bounty.\n\nMultiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\nWe award bounties at the time of validation and will keep you posted as we work to resolve them. Although sometimes it can take more time to investigate the vulnerability severity and the bounty may be paid later.\n\nWe will reward reports according to the severity of their impact (calculated with CVSS v3.0 Calculator) on a case-by-case basis as determined by our security team. We may pay more for unique, hard-to-find bugs, or for high-quality reports; we may also pay less for bugs with complex prerequisites that lower the risk of exploitation. \n\n#Disclosure Policy\nVulnerabilities must be disclosed only according to HackerOne’s Disclosure Guidelines. \nRequests for vulnerability disclosure must be submitted via the HackerOne report interface. We will discuss internally if we need to make a limited disclosure. 
Usually, we make a full disclosure, after redacting sensitive information, therefore if you need to make a limited disclosure for some reasons please drop us a line. \n\n#Report\n\"Scanner output\" or scanner-generated reports will not be accepted. Please follow the report template that we provided to minimize the response time and increase your chance to get a worthy reward.\nIf you are going to submit a subdomain takeover report: to make sure that you have a full domain takeover (as h1 recommends) we have to get a screenshot with our domain (for ex. *.semrush.com) and custom HTTP content (for example h1 username) to be sure it's possible.\n\n#Promo-code\nSince a large part of our product is paid, we give researchers who proved themselves a promo-code for a paid Semrush functionality. If you want to dive deeper into testing our product, write to us in an existing valid report and we will give you a promo-code. To decide whether to issue it or not we will look at the quality of reports you previously sent us. The promo code can not be issued more than once every three months. The final decision on issuing a promo-code rests with the Semrush security team.\n\n#WAF and reactive protection\nYour requests can be blocked by the WAF solution we use. So if you get error 445, but you feel that you have found a vulnerability and you have serious reasons to believe that the vulnerability really exists - you can write to us about it on the report, we will investigate your case and maybe temporarily add your IP to the white list.\n\nWe believe monitoring and protecting processes must not be impacted by bug bounty. Automated security scans and tests may trigger our security systems and result in reactive measures being enforced, e.g. account or IP may be blocked. \n\n#API/API key related bugs\nWhen you test requests to API or with API key - be careful - to test auth issues change API key, not cookies. 
\n\nPlease note that API key’s security and confidentiality are the user's responsibility as stated in our Terms. \n\n#Leaked/compromised Employee accounts (Main Scope)\nIf you discover credentials associated with our employee or service accounts that appear to be compromised, please notify us immediately.\n\nReports will be considered if they meet the following criteria:\n- Account Validity: The account must belong to a current and active employee of our company.\n- Non-Duplication: The report must involve a unique incident that has not been previously submitted.\n- Severity Assessment: Accepted reports will typically be classified with a **Low** to **Medium** severity level, based on factors such as account configuration, data accessibility, and the relevant environment.\n\nTo assist in our investigation, please provide as much information as possible about the compromised credentials, such as the date of compromise, associated hostname, and any relevant identifiers.\nIf you encounter credentials but are unsure about the severity level or account type, please report the details for our evaluation.\n\nPlease be aware of the following restrictions:\n- Customer Accounts: Investigating or targeting customer accounts is strictly prohibited.\n- Targeting employees: Any kind of direct or indirect communication with our employees is not allowed, in line with the [Platform Code Of Conduct](https://www.hackerone.com/policies/code-of-conduct). 
\n\n#Other Semrush Related Asset (Second Scope)\nPlease use this Asset tag for any **High** and **Critical ** report that does not relate directly to another Semrush asset listed in scope, and is also NOT listed under the \"Out of Scope\" section.\nPlease note, that Semrush will only accept and review valid high and critical severity reports within that specific scope.\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-12-12T14:54:30.883Z"},{"id":3735951,"new_policy":"#Program Policy\nPlay by the rules. This includes following this policy (\"Policy\"), HackerOne’s [Disclosure Guidelines](https://hackerone.com/guidelines) and any other relevant agreements.\n\nTest only with your own account(s) when investigating bugs, and do not interact with other accounts without the consent of their owners. \n\nProvide us a reasonable amount of time to resolve the issue. We usually set the following terms for fixes: Low impact - 3 months, Medium impact - 1 month, High/Critical impact - up to 2 weeks for a fully functional fix. However, sometimes it could take more time. Please be patient, you will receive updates when, and if, there will be anything to share. 
\n\nYou have to avoid privacy violations, destruction of data, and interruption or degradation of our service.\nWe only accept the latest version of browsers for Google Chrome, Mozilla Firefox, Opera, Safari, and Edge.\n\nWhile researching, we'd like to ask you to refrain from:\n+ Denial of service.\n+ Spamming.\n+ Social engineering (including phishing) of Semrush staff or contractors.\n+ Any physical attempts against Semrush property or data centers.\n\nWe do not accept the following types of bugs:\n+ CSRF without clear impact.\n+ Any issues related to software not under Semrush’s control.\n+ Spam or Social Engineering techniques, including SPF/DMARC/DKIM issues.\n+ SSL/TLS best practices that do not contain a fully functional proof of concept.\n+ Broken links. Except links to social accounts of Semrush employees - ineligible for bounty\n+ Bugs that do not represent any security risk - these should be reported to mail@semrush.com.\n\nThe following bugs are unlikely to be eligible for a bounty:\n+ Missing DNSSEC settings.\n+ Attacks requiring physical access to a user's device.\n+ Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, HTTP methods, cookie flags, or descriptive error messages.\n+ Brute Force attacks.\n+ Issues related to Password Policy - strength, length, lockouts.\n+ Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV. Reflected file download attacks (RFD).\n+ Tab nabbing and window.opener-related issues\n+ Vulnerabilities affecting users of outdated browsers, plugins, or platforms.\n+ Vulnerabilities that allow for the injection of arbitrary text without allowing for hyperlinks, HTML, or JavaScript code to be injected.\n+ Vulnerabilities that require the user/victim to perform extremely unlikely actions (i.e. 
Self-XSS).\nIDN homograph attacks.\n+ Semrush user’s API-keys and credentials found on any third party services.\n+ Issues found in third party software used by Semrush with the exception of misconfigured 3rd party services. \n\n#@wearehackerone.com email and custom header\nWhenever possible, please use your [@wearehackerone.com](https://docs.hackerone.com/hackers/hacker-email-alias.html) account (this may stop our fraud team from blocking your account and our Security team may set a bonus for a valid and detailed report), and set a header with your HackerOne username in your requests: ==X-hackerone: \u003ch1 username\u003e==.\nYou can do that with [Burp addon](https://portswigger.net/bappstore/807907f5380c4cb38748ef4fc1d8cdbc) or through Match and Replace option:\n1. Go to Proxy -\u003e Options -\u003e Match and Replace -\u003e Add\n2. Change Type to Request Header\n3. As the default text says in Match 'leave blank to add a new header'\n4. Put the new header in Replace\n\n#Legal Terms and Safe Harbor\nIn connection with your participation in this program, you agree to comply with [Semrush’s Terms of Service](https://www.semrush.com/company/legal/terms-of-service/) (\"Terms\") and [Semrush’s Privacy Policy](https://www.semrush.com/company/legal/privacy-policy/).\n\nSemrush employees and contractors are not eligible to receive bounties or rewards of any kind.\n\nWhen conducting vulnerability research according to this Policy, we consider this research conducted under this Policy to be:\n+ Authorized by Semrush and authorized in view of any applicable anti-hacking laws;\n+ Authorized in view of relevant anti-circumvention laws; and\n+ Lawful, helpful to the overall security of the Internet, and conducted in good faith.\n\nWithin the framework of the program described in this Policy, we will take reasonable steps not to initiate a lawsuit or law enforcement investigation against a researcher in response to reporting a vulnerability provided that the researcher fully 
complies with this Policy, HackerOne’s [Disclosure Guidelines](https://hackerone.com/guidelines) and with all applicable laws and regulations. \n\nYou are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to enter depending upon your local law. This is not a competition, but rather an experimental and discretionary reward program. You should understand that we can cancel the program at any time and the decision as to whether or not to pay a reward has to be entirely at our discretion. Your testing must not violate any law, or disrupt or compromise any data that is not your own.\n\nIf at any time you have concerns or are uncertain whether your security research is consistent with this Policy, please submit a report through one of our Official Channels (HackerOne or via security@semrush.com) before going any further.\n\n#Rewards\nWhen duplicates occur, we award the first report that we can completely reproduce.\n\nWe allow our hackers to split the bounty.\n\nMultiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\nWe award bounties at the time of validation and will keep you posted as we work to resolve them. Although sometimes it can take more time to investigate the vulnerability severity and the bounty may be paid later.\n\nWe will reward reports according to the severity of their impact (calculated with CVSS v3.0 Calculator) on a case-by-case basis as determined by our security team. We may pay more for unique, hard-to-find bugs, or for high-quality reports; we may also pay less for bugs with complex prerequisites that lower the risk of exploitation. \n\n#Disclosure Policy\nVulnerabilities must be disclosed only according to HackerOne’s Disclosure Guidelines. \nRequests for vulnerability disclosure must be submitted via the HackerOne report interface. We will discuss internally if we need to make a limited disclosure. 
Usually, we make a full disclosure, after redacting sensitive information, therefore if you need to make a limited disclosure for some reasons please drop us a line. \n\n#Report\n\"Scanner output\" or scanner-generated reports will not be accepted. Please follow the report template that we provided to minimize the response time and increase your chance to get a worthy reward.\nIf you are going to submit a subdomain takeover report: to make sure that you have a full domain takeover (as h1 recommends) we have to get a screenshot with our domain (for ex. *.semrush.com) and custom HTTP content (for example h1 username) to be sure it's possible.\n\n#Promo-code\nSince a large part of our product is paid, we give researchers who proved themselves a promo-code for a paid Semrush functionality. If you want to dive deeper into testing our product, write to us in an existing valid report and we will give you a promo-code. To decide whether to issue it or not we will look at the quality of reports you previously sent us. The promo code can not be issued more than once every three months. The final decision on issuing a promo-code rests with the Semrush security team.\n\n#WAF and reactive protection\nYour requests can be blocked by the WAF solution we use. So if you get error 445, but you feel that you have found a vulnerability and you have serious reasons to believe that the vulnerability really exists - you can write to us about it on the report, we will investigate your case and maybe temporarily add your IP to the white list.\n\nWe believe monitoring and protecting processes must not be impacted by bug bounty. Automated security scans and tests may trigger our security systems and result in reactive measures being enforced, e.g. account or IP may be blocked. \n\n#API/API key related bugs\nWhen you test requests to API or with API key - be careful - to test auth issues change API key, not cookies. 
\n\nPlease note that API key’s security and confidentiality are the user's responsibility as stated in our Terms. \n\n#Leaked/compromised Employee accounts (Main Scope)\nIf you discover credentials associated with our employee or service accounts that appear to be compromised, please notify us immediately.\n\nReports will be considered if they meet the following criteria:\n- Account Validity: The account must belong to a current and active employee of our company.\n- Non-Duplication: The report must involve a unique incident that has not been previously submitted.\n- Severity Assessment: Accepted reports will typically be classified with a **Low** to **Medium** severity level, based on factors such as account configuration, data accessibility, and the relevant environment.\n\nTo assist in our investigation, please provide as much information as possible about the compromised credentials, such as the date of compromise, associated hostname, and any relevant identifiers.\nIf you encounter credentials but are unsure about the severity level or account type, please report the details for our evaluation.\n\nPlease be aware of the following restrictions:\n- Customer Accounts: Investigating or targeting customer accounts is strictly prohibited.\n- Targeting employees: Any kind of direct or indirect communication with our employees is not allowed, in line with the [Platform Code Of Conduct](https://www.hackerone.com/policies/code-of-conduct). 
\n\n#Other Semrush Related Asset (Second Scope)\nPlease use this Asset tag for any **High** and **Critical ** report that does not relate directly to another Semrush asset listed in scope, and is also NOT listed under the \"Out of Scope\" section.\nPlease note, that Semrush will only accept and review valid high and critical severity reports within that specific scope.\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-08-13T11:34:13.946Z"},{"id":3735949,"new_policy":"#Program Policy\nPlay by the rules. This includes following this policy (\"Policy\"), HackerOne’s [Disclosure Guidelines](https://hackerone.com/guidelines) and any other relevant agreements.\n\nTest only with your own account(s) when investigating bugs, and do not interact with other accounts without the consent of their owners. \n\nProvide us a reasonable amount of time to resolve the issue. We usually set the following terms for fixes: Low impact - 3 months, Medium impact - 1 month, High/Critical impact - up to 2 weeks for a fully functional fix. However, sometimes it could take more time. Please be patient, you will receive updates when, and if, there will be anything to share. 
\n\nYou have to avoid privacy violations, destruction of data, and interruption or degradation of our service.\nWe only accept the latest version of browsers for Google Chrome, Mozilla Firefox, Opera, Safari, and Edge.\n\nWhile researching, we'd like to ask you to refrain from:\n+ Denial of service.\n+ Spamming.\n+ Social engineering (including phishing) of Semrush staff or contractors.\n+ Any physical attempts against Semrush property or data centers.\n\nWe do not accept the following types of bugs:\n+ CSRF without clear impact.\n+ Any issues related to software not under Semrush’s control.\n+ Spam or Social Engineering techniques, including SPF/DMARC/DKIM issues.\n+ SSL/TLS best practices that do not contain a fully functional proof of concept.\n+ Broken links. Except links to social accounts of Semrush employees - ineligible for bounty\n+ Bugs that do not represent any security risk - these should be reported to mail@semrush.com.\n\nThe following bugs are unlikely to be eligible for a bounty:\n+ Missing DNSSEC settings.\n+ Attacks requiring physical access to a user's device.\n+ Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, HTTP methods, cookie flags, or descriptive error messages.\n+ Brute Force attacks.\n+ Issues related to Password Policy - strength, length, lockouts.\n+ Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV. Reflected file download attacks (RFD).\n+ Tab nabbing and window.opener-related issues\n+ Vulnerabilities affecting users of outdated browsers, plugins, or platforms.\n+ Vulnerabilities that allow for the injection of arbitrary text without allowing for hyperlinks, HTML, or JavaScript code to be injected.\n+ Vulnerabilities that require the user/victim to perform extremely unlikely actions (i.e. 
Self-XSS).\nIDN homograph attacks.\n+ Semrush user’s API-keys and credentials found on any third party services.\n+ Issues found in third party software used by Semrush with the exception of misconfigured 3rd party services. \n\n#@wearehackerone.com email and custom header\nWhenever possible, please use your [@wearehackerone.com](https://docs.hackerone.com/hackers/hacker-email-alias.html) account (this may stop our fraud team from blocking your account and our Security team may set a bonus for a valid and detailed report), and set a header with your HackerOne username in your requests: ==X-hackerone: \u003ch1 username\u003e==.\nYou can do that with [Burp addon](https://portswigger.net/bappstore/807907f5380c4cb38748ef4fc1d8cdbc) or through Match and Replace option:\n1. Go to Proxy -\u003e Options -\u003e Match and Replace -\u003e Add\n2. Change Type to Request Header\n3. As the default text says in Match 'leave blank to add a new header'\n4. Put the new header in Replace\n\n#Legal Terms and Safe Harbor\nIn connection with your participation in this program, you agree to comply with [Semrush’s Terms of Service](https://www.semrush.com/company/legal/terms-of-service/) (\"Terms\") and [Semrush’s Privacy Policy](https://www.semrush.com/company/legal/privacy-policy/).\n\nSemrush employees and contractors are not eligible to receive bounties or rewards of any kind.\n\nWhen conducting vulnerability research according to this Policy, we consider this research conducted under this Policy to be:\n+ Authorized by Semrush and authorized in view of any applicable anti-hacking laws;\n+ Authorized in view of relevant anti-circumvention laws; and\n+ Lawful, helpful to the overall security of the Internet, and conducted in good faith.\n\nWithin the framework of the program described in this Policy, we will take reasonable steps not to initiate a lawsuit or law enforcement investigation against a researcher in response to reporting a vulnerability provided that the researcher fully 
complies with this Policy, HackerOne’s [Disclosure Guidelines](https://hackerone.com/guidelines) and with all applicable laws and regulations. \n\nYou are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to enter depending upon your local law. This is not a competition, but rather an experimental and discretionary reward program. You should understand that we can cancel the program at any time and the decision as to whether or not to pay a reward has to be entirely at our discretion. Your testing must not violate any law, or disrupt or compromise any data that is not your own.\n\nIf at any time you have concerns or are uncertain whether your security research is consistent with this Policy, please submit a report through one of our Official Channels (HackerOne or via security@semrush.com) before going any further.\n\n#Rewards\nWhen duplicates occur, we award the first report that we can completely reproduce.\n\nWe allow our hackers to split the bounty.\n\nMultiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\nWe award bounties at the time of validation and will keep you posted as we work to resolve them. Although sometimes it can take more time to investigate the vulnerability severity and the bounty may be paid later.\n\nWe will reward reports according to the severity of their impact (calculated with CVSS v3.0 Calculator) on a case-by-case basis as determined by our security team. We may pay more for unique, hard-to-find bugs, or for high-quality reports; we may also pay less for bugs with complex prerequisites that lower the risk of exploitation. \n\n#Disclosure Policy\nVulnerabilities must be disclosed only according to HackerOne’s Disclosure Guidelines. \nRequests for vulnerability disclosure must be submitted via the HackerOne report interface. We will discuss internally if we need to make a limited disclosure. 
Usually, we make a full disclosure, after redacting sensitive information, therefore if you need to make a limited disclosure for some reasons please drop us a line. \n\n#Report\n\"Scanner output\" or scanner-generated reports will not be accepted. Please follow the report template that we provided to minimize the response time and increase your chance to get a worthy reward.\nIf you are going to submit a subdomain takeover report: to make sure that you have a full domain takeover (as h1 recommends) we have to get a screenshot with our domain (for ex. *.semrush.com) and custom HTTP content (for example h1 username) to be sure it's possible.\n\n#Promo-code\nSince a large part of our product is paid, we give researchers who proved themselves a promo-code for a paid Semrush functionality. If you want to dive deeper into testing our product, write to us in an existing valid report and we will give you a promo-code. To decide whether to issue it or not we will look at the quality of reports you previously sent us. The promo code can not be issued more than once every three months. The final decision on issuing a promo-code rests with the Semrush security team.\n\n#WAF and reactive protection\nYour requests can be blocked by the WAF solution we use. So if you get error 445, but you feel that you have found a vulnerability and you have serious reasons to believe that the vulnerability really exists - you can write to us about it on the report, we will investigate your case and maybe temporarily add your IP to the white list.\n\nWe believe monitoring and protecting processes must not be impacted by bug bounty. Automated security scans and tests may trigger our security systems and result in reactive measures being enforced, e.g. account or IP may be blocked. \n\n#API/API key related bugs\nWhen you test requests to API or with API key - be careful - to test auth issues change API key, not cookies. 
\n\nPlease note that API key’s security and confidentiality are the user's responsibility as stated in our Terms. \n\n#Leaked/compromised Employee accounts (Main Scope)\nIf you discover credentials associated with our employee or service accounts that appear to be compromised, please notify us immediately.\n\nReports will be considered if they meet the following criteria:\n- Account Validity: The account must belong to a current and active employee of our company.\n- Non-Duplication: The report must involve a unique incident that has not been previously submitted.\n- Severity Assessment: Accepted reports will typically be classified with a **Low** to **Medium** severity level, based on factors such as account configuration, data accessibility, and the relevant environment.\n\nTo assist in our investigation, please provide as much information as possible about the compromised credentials, such as the date of compromise, associated hostname, and any relevant identifiers.\nIf you encounter credentials but are unsure about the severity level or account type, please report the details for our evaluation.\n\nPlease be aware of the following restrictions:\n- Customer Accounts: Investigating or targeting customer accounts is strictly prohibited.\n- Targeting employees: Any kind of direct or indirect communication with our employees is not allowed, in line with the [Platform Code Of Conduct](https://www.hackerone.com/policies/code-of-conduct). 
\n\n#Other Semrush Related Asset (Second Scope)\nPlease use this Asset tag for any **High** and **Critical ** report that does not relate directly to another Semrush asset listed in scope, and is also NOT listed under the \"Out of Scope\" section.\nPlease note, that Semrush will only accept and review valid high and critical severity reports within that specific scope.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-08-13T11:28:41.021Z"},{"id":3664219,"new_policy":"#Program Policy\nPlay by the rules. This includes following this policy (\"Policy\"), HackerOne’s [Disclosure Guidelines](https://hackerone.com/guidelines) and any other relevant agreements.\n\nTest only with your own account(s) when investigating bugs, and do not interact with other accounts without the consent of their owners. \n\nProvide us a reasonable amount of time to resolve the issue. We usually set the following terms for fixes: Low impact - 3 months, Medium impact - 1 month, High/Critical impact - up to 2 weeks for a fully functional fix. However, sometimes it could take more time. Please be patient, you will receive updates when, and if, there will be anything to share. 
\n\nYou have to avoid privacy violations, destruction of data, and interruption or degradation of our service.\nWe only accept the latest version of browsers for Google Chrome, Mozilla Firefox, Opera, Safari, and Edge.\n\nWhile researching, we'd like to ask you to refrain from:\n+ Denial of service.\n+ Spamming.\n+ Social engineering (including phishing) of Semrush staff or contractors.\n+ Any physical attempts against Semrush property or data centers.\n\nWe do not accept the following types of bugs:\n+ CSRF without clear impact.\n+ Any issues related to software not under Semrush’s control.\n+ Spam or Social Engineering techniques, including SPF/DMARC/DKIM issues.\n+ SSL/TLS best practices that do not contain a fully functional proof of concept.\n+ Broken links. Except links to social accounts of Semrush employees - ineligible for bounty\n+ Bugs that do not represent any security risk - these should be reported to mail@semrush.com.\n\nThe following bugs are unlikely to be eligible for a bounty:\n+ Missing DNSSEC settings.\n+ Attacks requiring physical access to a user's device.\n+ Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, HTTP methods, cookie flags, or descriptive error messages.\n+ Brute Force attacks.\n+ Issues related to Password Policy - strength, length, lockouts.\n+ Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV. Reflected file download attacks (RFD).\n+ Tab nabbing and window.opener-related issues\n+ Vulnerabilities affecting users of outdated browsers, plugins, or platforms.\n+ Vulnerabilities that allow for the injection of arbitrary text without allowing for hyperlinks, HTML, or JavaScript code to be injected.\n+ Vulnerabilities that require the user/victim to perform extremely unlikely actions (i.e. 
Self-XSS).\nIDN homograph attacks.\n+ Semrush user’s API-keys and credentials found on any third party services.\n+ Issues found in third party software used by Semrush with the exception of misconfigured 3rd party services. \n\n#@wearehackerone.com email and custom header\nWhenever possible, please use your [@wearehackerone.com](https://docs.hackerone.com/hackers/hacker-email-alias.html) account (this may stop our fraud team from blocking your account and our Security team may set a bonus for a valid and detailed report), and set a header with your HackerOne username in your requests: ==X-hackerone: \u003ch1 username\u003e==.\nYou can do that with [Burp addon](https://portswigger.net/bappstore/807907f5380c4cb38748ef4fc1d8cdbc) or through Match and Replace option:\n1. Go to Proxy -\u003e Options -\u003e Match and Replace -\u003e Add\n2. Change Type to Request Header\n3. As the default text says in Match 'leave blank to add a new header'\n4. Put the new header in Replace\n\n#Legal Terms and Safe Harbor\nIn connection with your participation in this program, you agree to comply with [Semrush’s Terms of Service](https://www.semrush.com/company/legal/terms-of-service/) (\"Terms\") and [Semrush’s Privacy Policy](https://www.semrush.com/company/legal/privacy-policy/).\n\nSemrush employees and contractors are not eligible to receive bounties or rewards of any kind.\n\nWhen conducting vulnerability research according to this Policy, we consider this research conducted under this Policy to be:\n+ Authorized by Semrush and authorized in view of any applicable anti-hacking laws;\n+ Authorized in view of relevant anti-circumvention laws; and\n+ Lawful, helpful to the overall security of the Internet, and conducted in good faith.\n\nWithin the framework of the program described in this Policy, we will take reasonable steps not to initiate a lawsuit or law enforcement investigation against a researcher in response to reporting a vulnerability provided that the researcher fully 
complies with this Policy, HackerOne’s [Disclosure Guidelines](https://hackerone.com/guidelines) and with all applicable laws and regulations. \n\nYou are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to enter depending upon your local law. This is not a competition, but rather an experimental and discretionary reward program. You should understand that we can cancel the program at any time and the decision as to whether or not to pay a reward has to be entirely at our discretion. Your testing must not violate any law, or disrupt or compromise any data that is not your own.\n\nIf at any time you have concerns or are uncertain whether your security research is consistent with this Policy, please submit a report through one of our Official Channels (HackerOne or via security@semrush.com) before going any further.\n\n#Rewards\nWhen duplicates occur, we award the first report that we can completely reproduce.\n\nWe allow our hackers to split the bounty.\n\nMultiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\nWe award bounties at the time of validation and will keep you posted as we work to resolve them. Although sometimes it can take more time to investigate the vulnerability severity and the bounty may be paid later.\n\nWe will reward reports according to the severity of their impact (calculated with CVSS v3.0 Calculator) on a case-by-case basis as determined by our security team. We may pay more for unique, hard-to-find bugs, or for high-quality reports; we may also pay less for bugs with complex prerequisites that lower the risk of exploitation. \n\n#Disclosure Policy\nVulnerabilities must be disclosed only according to HackerOne’s Disclosure Guidelines. \nRequests for vulnerability disclosure must be submitted via the HackerOne report interface. We will discuss internally if we need to make a limited disclosure. 
Usually, we make a full disclosure, after redacting sensitive information, therefore if you need to make a limited disclosure for some reasons please drop us a line. \n\n#Report\n\"Scanner output\" or scanner-generated reports will not be accepted. Please follow the report template that we provided to minimize the response time and increase your chance to get a worthy reward.\nIf you are going to submit a subdomain takeover report: to make sure that you have a full domain takeover (as h1 recommends) we have to get a screenshot with our domain (for ex. *.semrush.com) and custom HTTP content (for example h1 username) to be sure it's possible.\n\n#Promo-code\nSince a large part of our product is paid, we give researchers who proved themselves a promo-code for a paid Semrush functionality. If you want to dive deeper into testing our product, write to us in an existing valid report and we will give you a promo-code. To decide whether to issue it or not we will look at the quality of reports you previously sent us. The promo code can not be issued more than once every three months. The final decision on issuing a promo-code rests with the Semrush security team.\n\n#WAF and reactive protection\nYour requests can be blocked by the WAF solution we use. So if you get error 445, but you feel that you have found a vulnerability and you have serious reasons to believe that the vulnerability really exists - you can write to us about it on the report, we will investigate your case and maybe temporarily add your IP to the white list.\n\nWe believe monitoring and protecting processes must not be impacted by bug bounty. Automated security scans and tests may trigger our security systems and result in reactive measures being enforced, e.g. account or IP may be blocked. \n\n#API/API key related bugs\nWhen you test requests to API or with API key - be careful - to test auth issues change API key, not cookies. 
\n\nPlease note that API key’s security and confidentiality are the user's responsibility as stated in our Terms. \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-01-12T15:50:37.150Z"},{"id":3652161,"new_policy":"#Program Policy\nPlay by the rules. This includes following this policy (\"Policy\"), HackerOne’s [Disclosure Guidelines](https://hackerone.com/guidelines) and any other relevant agreements.\n\nTest only with your own account(s) when investigating bugs, and do not interact with other accounts without the consent of their owners. \n\nProvide us a reasonable amount of time to resolve the issue. We usually set the following terms for fixes: Low impact - 3 months, Medium impact - 1 month, High/Critical impact - up to 2 weeks for a fully functional fix. However, sometimes it could take more time. Please be patient, you will receive updates when, and if, there will be anything to share. 
\n\nYou have to avoid privacy violations, destruction of data, and interruption or degradation of our service.\nWe only accept the latest version of browsers for Google Chrome, Mozilla Firefox, Opera, Safari, and Edge.\n\nWhile researching, we'd like to ask you to refrain from:\n+ Denial of service.\n+ Spamming.\n+ Social engineering (including phishing) of Semrush staff or contractors.\n+ Any physical attempts against Semrush property or data centers.\n\nWe do not accept the following types of bugs:\n+ CSRF without clear impact.\n+ Any issues related to software not under Semrush’s control.\n+ Spam or Social Engineering techniques, including SPF/DMARC/DKIM issues.\n+ SSL/TLS best practices that do not contain a fully functional proof of concept.\n+ Broken links to social accounts\n+ Bugs that do not represent any security risk - these should be reported to mail@semrush.com.\n\nThe following bugs are unlikely to be eligible for a bounty:\n+ Missing DNSSEC settings.\n+ Attacks requiring physical access to a user's device.\n+ Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, HTTP methods, cookie flags, or descriptive error messages.\n+ Brute Force attacks.\n+ Issues related to Password Policy - strength, length, lockouts.\n+ Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV. Reflected file download attacks (RFD).\n+ Tab nabbing and window.opener-related issues\n+ Vulnerabilities affecting users of outdated browsers, plugins, or platforms.\n+ Vulnerabilities that allow for the injection of arbitrary text without allowing for hyperlinks, HTML, or JavaScript code to be injected.\n+ Vulnerabilities that require the user/victim to perform extremely unlikely actions (i.e. 
Self-XSS).\nIDN homograph attacks.\n+ Semrush user’s API-keys and credentials found on any third party services.\n+ Issues found in third party software used by Semrush with the exception of misconfigured 3rd party services. \n\n#@wearehackerone.com email and custom header\nWhenever possible, please use your [@wearehackerone.com](https://docs.hackerone.com/hackers/hacker-email-alias.html) account (this may stop our fraud team from blocking your account and our Security team may set a bonus for a valid and detailed report), and set a header with your HackerOne username in your requests: ==X-hackerone: \u003ch1 username\u003e==.\nYou can do that with [Burp addon](https://portswigger.net/bappstore/807907f5380c4cb38748ef4fc1d8cdbc) or through Match and Replace option:\n1. Go to Proxy -\u003e Options -\u003e Match and Replace -\u003e Add\n2. Change Type to Request Header\n3. As the default text says in Match 'leave blank to add a new header'\n4. Put the new header in Replace\n\n#Legal Terms and Safe Harbor\nIn connection with your participation in this program, you agree to comply with [Semrush’s Terms of Service](https://www.semrush.com/company/legal/terms-of-service/) (\"Terms\") and [Semrush’s Privacy Policy](https://www.semrush.com/company/legal/privacy-policy/).\n\nSemrush employees and contractors are not eligible to receive bounties or rewards of any kind.\n\nWhen conducting vulnerability research according to this Policy, we consider this research conducted under this Policy to be:\n+ Authorized by Semrush and authorized in view of any applicable anti-hacking laws;\n+ Authorized in view of relevant anti-circumvention laws; and\n+ Lawful, helpful to the overall security of the Internet, and conducted in good faith.\n\nWithin the framework of the program described in this Policy, we will take reasonable steps not to initiate a lawsuit or law enforcement investigation against a researcher in response to reporting a vulnerability provided that the researcher fully 
complies with this Policy, HackerOne’s [Disclosure Guidelines](https://hackerone.com/guidelines) and with all applicable laws and regulations. \n\nYou are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to enter depending upon your local law. This is not a competition, but rather an experimental and discretionary reward program. You should understand that we can cancel the program at any time and the decision as to whether or not to pay a reward has to be entirely at our discretion. Your testing must not violate any law, or disrupt or compromise any data that is not your own.\n\nIf at any time you have concerns or are uncertain whether your security research is consistent with this Policy, please submit a report through one of our Official Channels (HackerOne or via security@semrush.com) before going any further.\n\n#Rewards\nWhen duplicates occur, we award the first report that we can completely reproduce.\n\nWe allow our hackers to split the bounty.\n\nMultiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\nWe award bounties at the time of validation and will keep you posted as we work to resolve them. Although sometimes it can take more time to investigate the vulnerability severity and the bounty may be paid later.\n\nWe will reward reports according to the severity of their impact (calculated with CVSS v3.0 Calculator) on a case-by-case basis as determined by our security team. We may pay more for unique, hard-to-find bugs, or for high-quality reports; we may also pay less for bugs with complex prerequisites that lower the risk of exploitation. \n\n#Disclosure Policy\nVulnerabilities must be disclosed only according to HackerOne’s Disclosure Guidelines. \nRequests for vulnerability disclosure must be submitted via the HackerOne report interface. We will discuss internally if we need to make a limited disclosure. 
Usually, we make a full disclosure, after redacting sensitive information, therefore if you need to make a limited disclosure for some reasons please drop us a line. \n\n#Report\n\"Scanner output\" or scanner-generated reports will not be accepted. Please follow the report template that we provided to minimize the response time and increase your chance to get a worthy reward.\nIf you are going to submit a subdomain takeover report: to make sure that you have a full domain takeover (as h1 recommends) we have to get a screenshot with our domain (for ex. *.semrush.com) and custom HTTP content (for example h1 username) to be sure it's possible.\n\n#Promo-code\nSince a large part of our product is paid, we give researchers who proved themselves a promo-code for a paid Semrush functionality. If you want to dive deeper into testing our product, write to us in an existing valid report and we will give you a promo-code. To decide whether to issue it or not we will look at the quality of reports you previously sent us. The promo code can not be issued more than once every three months. The final decision on issuing a promo-code rests with the Semrush security team.\n\n#WAF and reactive protection\nYour requests can be blocked by the WAF solution we use. So if you get error 445, but you feel that you have found a vulnerability and you have serious reasons to believe that the vulnerability really exists - you can write to us about it on the report, we will investigate your case and maybe temporarily add your IP to the white list.\n\nWe believe monitoring and protecting processes must not be impacted by bug bounty. Automated security scans and tests may trigger our security systems and result in reactive measures being enforced, e.g. account or IP may be blocked. \n\n#API/API key related bugs\nWhen you test requests to API or with API key - be careful - to test auth issues change API key, not cookies. 
\n\nPlease note that API key’s security and confidentiality are the user's responsibility as stated in our Terms. \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-05-11T12:48:26.786Z"},{"id":3651300,"new_policy":"#Program Policy\nPlay by the rules. This includes following this policy (\"Policy\"), HackerOne’s [Disclosure Guidelines](https://hackerone.com/guidelines) and any other relevant agreements.\n\nTest only with your own account(s) when investigating bugs, and do not interact with other accounts without the consent of their owners. \n\nProvide us a reasonable amount of time to resolve the issue. We usually set the following terms for fixes: Low impact - 3 months, Medium impact - 1 month, High/Critical impact - up to 2 weeks for a fully functional fix. However, sometimes it could take more time. Please be patient, you will receive updates when, and if, there will be anything to share. 
\n\nYou have to avoid privacy violations, destruction of data, and interruption or degradation of our service.\nWe only accept the latest version of browsers for Google Chrome, Mozilla Firefox, Opera, Safari, and Edge.\n\nWhile researching, we'd like to ask you to refrain from:\n+ Denial of service.\n+ Spamming.\n+ Social engineering (including phishing) of Semrush staff or contractors.\n+ Any physical attempts against Semrush property or data centers.\n\nWe do not accept the following types of bugs:\n+ CSRF without clear impact.\n+ Any issues related to software not under Semrush’s control.\n+ Spam or Social Engineering techniques, including SPF/DMARC/DKIM issues.\n+ SSL/TLS best practices that do not contain a fully functional proof of concept.\n+ Bugs that do not represent any security risk - these should be reported to mail@semrush.com.\n\nThe following bugs are unlikely to be eligible for a bounty:\n+ Missing DNSSEC settings.\n+ Attacks requiring physical access to a user's device.\n+ Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, HTTP methods, cookie flags, or descriptive error messages.\n+ Brute Force attacks.\n+ Issues related to Password Policy - strength, length, lockouts.\n+ Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV. Reflected file download attacks (RFD).\n+ Tab nabbing and window.opener-related issues\n+ Vulnerabilities affecting users of outdated browsers, plugins, or platforms.\n+ Vulnerabilities that allow for the injection of arbitrary text without allowing for hyperlinks, HTML, or JavaScript code to be injected.\n+ Vulnerabilities that require the user/victim to perform extremely unlikely actions (i.e. 
Self-XSS).\nIDN homograph attacks.\n+ Semrush user’s API-keys and credentials found on any third party services.\n+ Issues found in third party software used by Semrush with the exception of misconfigured 3rd party services. \n\n#@wearehackerone.com email and custom header\nWhenever possible, please use your [@wearehackerone.com](https://docs.hackerone.com/hackers/hacker-email-alias.html) account (this may stop our fraud team from blocking your account and our Security team may set a bonus for a valid and detailed report), and set a header with your HackerOne username in your requests: ==X-hackerone: \u003ch1 username\u003e==.\nYou can do that with [Burp addon](https://portswigger.net/bappstore/807907f5380c4cb38748ef4fc1d8cdbc) or through Match and Replace option:\n1. Go to Proxy -\u003e Options -\u003e Match and Replace -\u003e Add\n2. Change Type to Request Header\n3. As the default text says in Match 'leave blank to add a new header'\n4. Put the new header in Replace\n\n#Legal Terms and Safe Harbor\nIn connection with your participation in this program, you agree to comply with [Semrush’s Terms of Service](https://www.semrush.com/company/legal/terms-of-service/) (\"Terms\") and [Semrush’s Privacy Policy](https://www.semrush.com/company/legal/privacy-policy/).\n\nSemrush employees and contractors are not eligible to receive bounties or rewards of any kind.\n\nWhen conducting vulnerability research according to this Policy, we consider this research conducted under this Policy to be:\n+ Authorized by Semrush and authorized in view of any applicable anti-hacking laws;\n+ Authorized in view of relevant anti-circumvention laws; and\n+ Lawful, helpful to the overall security of the Internet, and conducted in good faith.\n\nWithin the framework of the program described in this Policy, we will take reasonable steps not to initiate a lawsuit or law enforcement investigation against a researcher in response to reporting a vulnerability provided that the researcher fully 
complies with this Policy, HackerOne’s [Disclosure Guidelines](https://hackerone.com/guidelines) and with all applicable laws and regulations. \n\nYou are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to enter depending upon your local law. This is not a competition, but rather an experimental and discretionary reward program. You should understand that we can cancel the program at any time and the decision as to whether or not to pay a reward has to be entirely at our discretion. Your testing must not violate any law, or disrupt or compromise any data that is not your own.\n\nIf at any time you have concerns or are uncertain whether your security research is consistent with this Policy, please submit a report through one of our Official Channels (HackerOne or via security@semrush.com) before going any further.\n\n#Rewards\nWhen duplicates occur, we award the first report that we can completely reproduce.\n\nWe allow our hackers to split the bounty.\n\nMultiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\nWe award bounties at the time of validation and will keep you posted as we work to resolve them. Although sometimes it can take more time to investigate the vulnerability severity and the bounty may be paid later.\n\nWe will reward reports according to the severity of their impact (calculated with CVSS v3.0 Calculator) on a case-by-case basis as determined by our security team. We may pay more for unique, hard-to-find bugs, or for high-quality reports; we may also pay less for bugs with complex prerequisites that lower the risk of exploitation. \n\n#Disclosure Policy\nVulnerabilities must be disclosed only according to HackerOne’s Disclosure Guidelines. \nRequests for vulnerability disclosure must be submitted via the HackerOne report interface. We will discuss internally if we need to make a limited disclosure. 
Usually, we make a full disclosure, after redacting sensitive information, therefore if you need to make a limited disclosure for some reasons please drop us a line. \n\n#Report\n\"Scanner output\" or scanner-generated reports will not be accepted. Please follow the report template that we provided to minimize the response time and increase your chance to get a worthy reward.\nIf you are going to submit a subdomain takeover report: to make sure that you have a full domain takeover (as h1 recommends) we have to get a screenshot with our domain (for ex. *.semrush.com) and custom HTTP content (for example h1 username) to be sure it's possible.\n\n#Promo-code\nSince a large part of our product is paid, we give researchers who proved themselves a promo-code for a paid Semrush functionality. If you want to dive deeper into testing our product, write to us in an existing valid report and we will give you a promo-code. To decide whether to issue it or not we will look at the quality of reports you previously sent us. The promo code can not be issued more than once every three months. The final decision on issuing a promo-code rests with the Semrush security team.\n\n#WAF and reactive protection\nYour requests can be blocked by the WAF solution we use. So if you get error 445, but you feel that you have found a vulnerability and you have serious reasons to believe that the vulnerability really exists - you can write to us about it on the report, we will investigate your case and maybe temporarily add your IP to the white list.\n\nWe believe monitoring and protecting processes must not be impacted by bug bounty. Automated security scans and tests may trigger our security systems and result in reactive measures being enforced, e.g. account or IP may be blocked. \n\n#API/API key related bugs\nWhen you test requests to API or with API key - be careful - to test auth issues change API key, not cookies. 
\n\nPlease note that API key’s security and confidentiality are the user's responsibility as stated in our Terms. \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-04-20T13:53:56.490Z"},{"id":3647418,"new_policy":"#Program Policy\nPlay by the rules. This includes following this policy (\"Policy\"), HackerOne’s [Disclosure Guidelines](https://hackerone.com/guidelines) and any other relevant agreements.\n\nTest only with your own account(s) when investigating bugs, and do not interact with other accounts without the consent of their owners. \n\nProvide us a reasonable amount of time to resolve the issue. We usually set the following terms for fixes: Low impact - 3 months, Medium impact - 1 month, High/Critical impact - up to 2 weeks for a fully functional fix. However, sometimes it could take more time. Please be patient, you will receive updates when, and if, there will be anything to share. 
\n\nYou have to avoid privacy violations, destruction of data, and interruption or degradation of our service.\nWe only accept the latest version of browsers for Google Chrome, Mozilla Firefox, Opera, Safari, and Edge.\n\nWhile researching, we'd like to ask you to refrain from:\n+ Denial of service.\n+ Spamming.\n+ Social engineering (including phishing) of Semrush staff or contractors.\n+ Any physical attempts against Semrush property or data centers.\n\nWe do not accept the following types of bugs:\n+ CSRF without clear impact.\n+ Any issues related to software not under Semrush’s control.\n+ Spam or Social Engineering techniques, including SPF/DMARC/DKIM issues.\n+ SSL/TLS best practices that do not contain a fully functional proof of concept.\n+ Bugs that do not represent any security risk - these should be reported to mail@semrush.com.\n\nThe following bugs are unlikely to be eligible for a bounty:\n+ Missing DNSSEC settings.\n+ Attacks requiring physical access to a user's device.\n+ Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, HTTP methods, cookie flags, or descriptive error messages.\n+ Brute Force attacks.\n+ Issues related to Password Policy - strength, length, lockouts.\n+ Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV. Reflected file download attacks (RFD).\n+ Tab nabbing and window.opener-related issues\n+ Vulnerabilities affecting users of outdated browsers, plugins or platforms.\n+ Vulnerabilities that allow for the injection of arbitrary text without allowing for hyperlinks, HTML, or JavaScript code to be injected.\n+ Vulnerabilities that require the user/victim to perform extremely unlikely actions (i.e. 
Self-XSS).\nIDN homograph attacks.\n+ Semrush user’s API-keys and credentials found on any third party services.\n\n#@wearehackerone.com email and custom header\nWhenever possible, please use your [@wearehackerone.com](https://docs.hackerone.com/hackers/hacker-email-alias.html) account (this may stop our fraud team from blocking your account and our Security team may set a bonus for a valid and detailed report), and set a header with your HackerOne username in your requests: ==X-hackerone: \u003ch1 username\u003e==.\nYou can do that with [Burp addon](https://portswigger.net/bappstore/807907f5380c4cb38748ef4fc1d8cdbc) or through Match and Replace option:\n1. Go to Proxy -\u003e Options -\u003e Match and Replace -\u003e Add\n2. Change Type to Request Header\n3. As the default text says in Match 'leave blank to add a new header'\n4. Put the new header in Replace\n\n#Legal Terms and Safe Harbor\nIn connection with your participation in this program, you agree to comply with [Semrush’s Terms of Service](https://www.semrush.com/company/legal/terms-of-service/) (\"Terms\") and [Semrush’s Privacy Policy](https://www.semrush.com/company/legal/privacy-policy/).\n\nSemrush employees and contractors are not eligible to receive bounties or rewards of any kind.\n\nWhen conducting vulnerability research according to this Policy, we consider this research conducted under this Policy to be:\n+ Authorized by Semrush and authorized in view of any applicable anti-hacking laws;\n+ Authorized in view of relevant anti-circumvention laws; and\n+ Lawful, helpful to the overall security of the Internet, and conducted in good faith.\n\nWithin the framework of the program described in this Policy, we will take reasonable steps not to initiate a lawsuit or law enforcement investigation against a researcher in response to reporting a vulnerability provided that the researcher fully complies with this Policy, HackerOne’s [Disclosure Guidelines](https://hackerone.com/guidelines) and with all 
applicable laws and regulations. \n\nYou are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to enter depending upon your local law. This is not a competition, but rather an experimental and discretionary reward program. You should understand that we can cancel the program at any time and the decision as to whether or not to pay a reward has to be entirely at our discretion. Your testing must not violate any law, or disrupt or compromise any data that is not your own.\n\nIf at any time you have concerns or are uncertain whether your security research is consistent with this Policy, please submit a report through one of our Official Channels (HackerOne or via security@semrush.com) before going any further.\n\n#Rewards\nWhen duplicates occur, we award the first report that we can completely reproduce.\n\nWe allow our hackers to split the bounty.\n\nMultiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\nWe award bounties at the time of validation and will keep you posted as we work to resolve them. Although sometimes it can take more time to investigate the vulnerability severity and the bounty may be paid later.\n\nWe will reward reports according to the severity of their impact (calculated with CVSS v3.0 Calculator) on a case-by-case basis as determined by our security team. We may pay more for unique, hard-to-find bugs, or for high-quality reports; we may also pay less for bugs with complex prerequisites that lower the risk of exploitation. \n\n#Disclosure Policy\nVulnerabilities must be disclosed only according to HackerOne’s Disclosure Guidelines. \nRequests for vulnerability disclosure must be submitted via the HackerOne report interface. We will discuss internally if we need to make a limited disclosure. 
Usually we make a full disclosure after redacting sensitive information, so if you need a limited disclosure for some reason, please drop us a line. \n\n#Report\n\"Scanner output\" or scanner-generated reports will not be accepted. Please follow the report template that we provided to minimize the response time and increase your chance of a worthy reward.\nIf you are going to submit a subdomain takeover report: to confirm that you have a full domain takeover (as HackerOne recommends), we need a screenshot of our domain (for example *.semrush.com) serving custom HTTP content (for example, your HackerOne username), so that we can be sure it is possible.\n\n#Promo-code\nSince a large part of our product is paid, we give researchers who have proved themselves a promo-code for paid Semrush functionality. If you want to dive deeper into testing our product, write to us in an existing valid report and we will give you a promo-code. To decide whether or not to issue it, we will look at the quality of the reports you previously sent us. The promo-code cannot be issued more than once every three months. The final decision on issuing a promo-code rests with the Semrush security team.\n\n#WAF and reactive protection\nYour requests can be blocked by the WAF solution we use. If you get error 445 but have serious reasons to believe that the vulnerability you found really exists, write to us about it in the report; we will investigate your case and may temporarily add your IP to the whitelist.\n\nWe believe monitoring and protection processes must not be impacted by the bug bounty. Automated security scans and tests may trigger our security systems and result in reactive measures being enforced, e.g. your account or IP may be blocked. \n\n#API/API key related bugs\nWhen you test requests to the API or with an API key, be careful: to test auth issues, change the API key, not the cookies. 
\n\nPlease note that an API key’s security and confidentiality are the user's responsibility, as stated in our Terms. \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-12-31T16:27:47.008Z"},{"id":3647417,"new_policy":"\n** UPDATE ** \nThe Semrush security team will be on vacation from Dec 31st until Jan 11th. You can test our assets during this period, but we ask you (as usual) to be careful and avoid privacy violations, destruction of data, and interruption or degradation of our service. \n\nDuring the vacation, all reports will be accepted, although investigation, triage and bounty payments for non-critical reports will be made after Jan 11th.\n\nHappy New Year and happy new hacking!\n\nNo technology is perfect, and Semrush believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.\n\n#Program Policy\nPlay by the rules. This includes following this policy (\"Policy\"), HackerOne’s [Disclosure Guidelines](https://hackerone.com/guidelines) and any other relevant agreements.\n\nTest only with your own account(s) when investigating bugs, and do not interact with other accounts without the consent of their owners. \n\nProvide us with a reasonable amount of time to resolve the issue. We usually set the following terms for fixes: Low impact - 3 months, Medium impact - 1 month, High/Critical impact - up to 2 weeks for a fully functional fix. However, sometimes it could take more time. Please be patient; you will receive updates when, and if, there is anything to share. 
\n\nYou have to avoid privacy violations, destruction of data, and interruption or degradation of our service.\nWe only accept the latest versions of Google Chrome, Mozilla Firefox, Opera, Safari, and Edge.\n\nWhile researching, we'd like to ask you to refrain from:\n+ Denial of service.\n+ Spamming.\n+ Social engineering (including phishing) of Semrush staff or contractors.\n+ Any physical attempts against Semrush property or data centers.\n\nWe do not accept the following types of bugs:\n+ CSRF without clear impact.\n+ Any issues related to software not under Semrush’s control.\n+ Spam or Social Engineering techniques, including SPF/DMARC/DKIM issues.\n+ SSL/TLS best practices that do not contain a fully functional proof of concept.\n+ Bugs that do not represent any security risk - these should be reported to mail@semrush.com.\n\nThe following bugs are unlikely to be eligible for a bounty:\n+ Missing DNSSEC settings.\n+ Attacks requiring physical access to a user's device.\n+ Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, HTTP methods, cookie flags, or descriptive error messages.\n+ Brute Force attacks.\n+ Issues related to Password Policy - strength, length, lockouts.\n+ Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n+ Reflected file download attacks (RFD).\n+ Tab nabbing and window.opener-related issues.\n+ Vulnerabilities affecting users of outdated browsers, plugins, or platforms.\n+ Vulnerabilities that allow for the injection of arbitrary text without allowing for hyperlinks, HTML, or JavaScript code to be injected.\n+ Vulnerabilities that require the user/victim to perform extremely unlikely actions (i.e. 
Self-XSS).\n+ IDN homograph attacks.\n+ Semrush user’s API-keys and credentials found on any third party services.\n\n#@wearehackerone.com email and custom header\nWhenever possible, please use your [@wearehackerone.com](https://docs.hackerone.com/hackers/hacker-email-alias.html) account (this may stop our fraud team from blocking your account, and our Security team may set a bonus for a valid and detailed report), and set a header with your HackerOne username in your requests: ==X-hackerone: \u003ch1 username\u003e==.\nYou can do that with a [Burp addon](https://portswigger.net/bappstore/807907f5380c4cb38748ef4fc1d8cdbc) or through the Match and Replace option:\n1. Go to Proxy -\u003e Options -\u003e Match and Replace -\u003e Add\n2. Change Type to Request Header\n3. Leave Match blank (as the default text says, 'leave blank to add a new header')\n4. Put the new header in Replace\n\n#Legal Terms and Safe Harbor\nIn connection with your participation in this program, you agree to comply with [Semrush’s Terms of Service](https://www.semrush.com/company/legal/terms-of-service/) (\"Terms\") and [Semrush’s Privacy Policy](https://www.semrush.com/company/legal/privacy-policy/).\n\nSemrush employees and contractors are not eligible to receive bounties or rewards of any kind.\n\nWhen conducting vulnerability research according to this Policy, we consider research conducted under this Policy to be:\n+ Authorized by Semrush and authorized in view of any applicable anti-hacking laws;\n+ Authorized in view of relevant anti-circumvention laws; and\n+ Lawful, helpful to the overall security of the Internet, and conducted in good faith.\n\nWithin the framework of the program described in this Policy, we will take reasonable steps not to initiate a lawsuit or law enforcement investigation against a researcher in response to reporting a vulnerability, provided that the researcher fully complies with this Policy, HackerOne’s [Disclosure Guidelines](https://hackerone.com/guidelines) and with all 
applicable laws and regulations. \n\nYou are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to enter depending upon your local law. This is not a competition, but rather an experimental and discretionary reward program. You should understand that we can cancel the program at any time and that the decision whether or not to pay a reward is entirely at our discretion. Your testing must not violate any law, or disrupt or compromise any data that is not your own.\n\nIf at any time you have concerns or are uncertain whether your security research is consistent with this Policy, please submit a report through one of our Official Channels (HackerOne or via security@semrush.com) before going any further.\n\n#Rewards\nWhen duplicates occur, we award the first report that we can completely reproduce.\n\nWe allow our hackers to split the bounty.\n\nMultiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\nWe award bounties at the time of validation and will keep you posted as we work to resolve them, although sometimes it can take more time to investigate the vulnerability's severity, in which case the bounty may be paid later.\n\nWe will reward reports according to the severity of their impact (calculated with the CVSS v3.0 calculator) on a case-by-case basis as determined by our security team. We may pay more for unique, hard-to-find bugs, or for high-quality reports; we may also pay less for bugs with complex prerequisites that lower the risk of exploitation. \n\n#Disclosure Policy\nVulnerabilities must be disclosed only according to HackerOne’s Disclosure Guidelines. \nRequests for vulnerability disclosure must be submitted via the HackerOne report interface. We will discuss internally if we need to make a limited disclosure. 
Usually we make a full disclosure after redacting sensitive information, so if you need a limited disclosure for some reason, please drop us a line. \n\n#Report\n\"Scanner output\" or scanner-generated reports will not be accepted. Please follow the report template that we provided to minimize the response time and increase your chance of a worthy reward.\nIf you are going to submit a subdomain takeover report: to confirm that you have a full domain takeover (as HackerOne recommends), we need a screenshot of our domain (for example *.semrush.com) serving custom HTTP content (for example, your HackerOne username), so that we can be sure it is possible.\n\n#Promo-code\nSince a large part of our product is paid, we give researchers who have proved themselves a promo-code for paid Semrush functionality. If you want to dive deeper into testing our product, write to us in an existing valid report and we will give you a promo-code. To decide whether or not to issue it, we will look at the quality of the reports you previously sent us. The promo-code cannot be issued more than once every three months. The final decision on issuing a promo-code rests with the Semrush security team.\n\n#WAF and reactive protection\nYour requests can be blocked by the WAF solution we use. If you get error 445 but have serious reasons to believe that the vulnerability you found really exists, write to us about it in the report; we will investigate your case and may temporarily add your IP to the whitelist.\n\nWe believe monitoring and protection processes must not be impacted by the bug bounty. Automated security scans and tests may trigger our security systems and result in reactive measures being enforced, e.g. your account or IP may be blocked. \n\n#API/API key related bugs\nWhen you test requests to the API or with an API key, be careful: to test auth issues, change the API key, not the cookies. 
\n\nPlease note that an API key’s security and confidentiality are the user's responsibility, as stated in our Terms. \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-12-31T16:26:54.749Z"},{"id":3646691,"new_policy":"No technology is perfect, and Semrush believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.\n\n#Program Policy\nPlay by the rules. This includes following this policy (\"Policy\"), HackerOne’s [Disclosure Guidelines](https://hackerone.com/guidelines) and any other relevant agreements.\n\nTest only with your own account(s) when investigating bugs, and do not interact with other accounts without the consent of their owners. \n\nProvide us with a reasonable amount of time to resolve the issue. We usually set the following terms for fixes: Low impact - 3 months, Medium impact - 1 month, High/Critical impact - up to 2 weeks for a fully functional fix. However, sometimes it could take more time. Please be patient; you will receive updates when, and if, there is anything to share. 
\n\nYou have to avoid privacy violations, destruction of data, and interruption or degradation of our service.\nWe only accept the latest versions of Google Chrome, Mozilla Firefox, Opera, Safari, and Edge.\n\nWhile researching, we'd like to ask you to refrain from:\n+ Denial of service.\n+ Spamming.\n+ Social engineering (including phishing) of Semrush staff or contractors.\n+ Any physical attempts against Semrush property or data centers.\n\nWe do not accept the following types of bugs:\n+ CSRF without clear impact.\n+ Any issues related to software not under Semrush’s control.\n+ Spam or Social Engineering techniques, including SPF/DMARC/DKIM issues.\n+ SSL/TLS best practices that do not contain a fully functional proof of concept.\n+ Bugs that do not represent any security risk - these should be reported to mail@semrush.com.\n\nThe following bugs are unlikely to be eligible for a bounty:\n+ Missing DNSSEC settings.\n+ Attacks requiring physical access to a user's device.\n+ Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, HTTP methods, cookie flags, or descriptive error messages.\n+ Brute Force attacks.\n+ Issues related to Password Policy - strength, length, lockouts.\n+ Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n+ Reflected file download attacks (RFD).\n+ Tab nabbing and window.opener-related issues.\n+ Vulnerabilities affecting users of outdated browsers, plugins, or platforms.\n+ Vulnerabilities that allow for the injection of arbitrary text without allowing for hyperlinks, HTML, or JavaScript code to be injected.\n+ Vulnerabilities that require the user/victim to perform extremely unlikely actions (i.e. 
Self-XSS).\n+ IDN homograph attacks.\n+ Semrush user’s API-keys and credentials found on any third party services.\n\n#@wearehackerone.com email and custom header\nWhenever possible, please use your [@wearehackerone.com](https://docs.hackerone.com/hackers/hacker-email-alias.html) account (this may stop our fraud team from blocking your account, and our Security team may set a bonus for a valid and detailed report), and set a header with your HackerOne username in your requests: ==X-hackerone: \u003ch1 username\u003e==.\nYou can do that with a [Burp addon](https://portswigger.net/bappstore/807907f5380c4cb38748ef4fc1d8cdbc) or through the Match and Replace option:\n1. Go to Proxy -\u003e Options -\u003e Match and Replace -\u003e Add\n2. Change Type to Request Header\n3. Leave Match blank (as the default text says, 'leave blank to add a new header')\n4. Put the new header in Replace\n\n#Legal Terms and Safe Harbor\nIn connection with your participation in this program, you agree to comply with [Semrush’s Terms of Service](https://www.semrush.com/company/legal/terms-of-service/) (\"Terms\") and [Semrush’s Privacy Policy](https://www.semrush.com/company/legal/privacy-policy/).\n\nSemrush employees and contractors are not eligible to receive bounties or rewards of any kind.\n\nWhen conducting vulnerability research according to this Policy, we consider research conducted under this Policy to be:\n+ Authorized by Semrush and authorized in view of any applicable anti-hacking laws;\n+ Authorized in view of relevant anti-circumvention laws; and\n+ Lawful, helpful to the overall security of the Internet, and conducted in good faith.\n\nWithin the framework of the program described in this Policy, we will take reasonable steps not to initiate a lawsuit or law enforcement investigation against a researcher in response to reporting a vulnerability, provided that the researcher fully complies with this Policy, HackerOne’s [Disclosure Guidelines](https://hackerone.com/guidelines) and with all 
applicable laws and regulations. \n\nYou are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to enter depending upon your local law. This is not a competition, but rather an experimental and discretionary reward program. You should understand that we can cancel the program at any time and that the decision whether or not to pay a reward is entirely at our discretion. Your testing must not violate any law, or disrupt or compromise any data that is not your own.\n\nIf at any time you have concerns or are uncertain whether your security research is consistent with this Policy, please submit a report through one of our Official Channels (HackerOne or via security@semrush.com) before going any further.\n\n#Rewards\nWhen duplicates occur, we award the first report that we can completely reproduce.\n\nWe allow our hackers to split the bounty.\n\nMultiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\nWe award bounties at the time of validation and will keep you posted as we work to resolve them, although sometimes it can take more time to investigate the vulnerability's severity, in which case the bounty may be paid later.\n\nWe will reward reports according to the severity of their impact (calculated with the CVSS v3.0 calculator) on a case-by-case basis as determined by our security team. We may pay more for unique, hard-to-find bugs, or for high-quality reports; we may also pay less for bugs with complex prerequisites that lower the risk of exploitation. \n\n#Disclosure Policy\nVulnerabilities must be disclosed only according to HackerOne’s Disclosure Guidelines. \nRequests for vulnerability disclosure must be submitted via the HackerOne report interface. We will discuss internally if we need to make a limited disclosure. 
Usually we make a full disclosure after redacting sensitive information, so if you need a limited disclosure for some reason, please drop us a line. \n\n#Report\n\"Scanner output\" or scanner-generated reports will not be accepted. Please follow the report template that we provided to minimize the response time and increase your chance of a worthy reward.\nIf you are going to submit a subdomain takeover report: to confirm that you have a full domain takeover (as HackerOne recommends), we need a screenshot of our domain (for example *.semrush.com) serving custom HTTP content (for example, your HackerOne username), so that we can be sure it is possible.\n\n#Promo-code\nSince a large part of our product is paid, we give researchers who have proved themselves a promo-code for paid Semrush functionality. If you want to dive deeper into testing our product, write to us in an existing valid report and we will give you a promo-code. To decide whether or not to issue it, we will look at the quality of the reports you previously sent us. The promo-code cannot be issued more than once every three months. The final decision on issuing a promo-code rests with the Semrush security team.\n\n#WAF and reactive protection\nYour requests can be blocked by the WAF solution we use. If you get error 445 but have serious reasons to believe that the vulnerability you found really exists, write to us about it in the report; we will investigate your case and may temporarily add your IP to the whitelist.\n\nWe believe monitoring and protection processes must not be impacted by the bug bounty. Automated security scans and tests may trigger our security systems and result in reactive measures being enforced, e.g. your account or IP may be blocked. \n\n#API/API key related bugs\nWhen you test requests to the API or with an API key, be careful: to test auth issues, change the API key, not the cookies. 
\n\nPlease note that an API key’s security and confidentiality are the user's responsibility, as stated in our Terms. \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-12-10T15:54:05.963Z"},{"id":3643791,"new_policy":"No technology is perfect, and SEMrush believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.\n\n#Program Policy\nPlay by the rules. This includes following this policy (\"Policy\"), HackerOne’s [Disclosure Guidelines](https://hackerone.com/guidelines) and any other relevant agreements.\n\nTest only with your own account(s) when investigating bugs, and do not interact with other accounts without the consent of their owners. \n\nProvide us with a reasonable amount of time to resolve the issue. We usually set the following terms for fixes: Low impact - 3 months, Medium impact - 1 month, High/Critical impact - up to 2 weeks for a fully functional fix. However, sometimes it could take more time. Please be patient; you will receive updates when, and if, there is anything to share. 
\n\nYou have to avoid privacy violations, destruction of data, and interruption or degradation of our service.\nWe only accept the latest versions of Google Chrome, Mozilla Firefox, Opera, Safari, and Edge.\n\nWhile researching, we'd like to ask you to refrain from:\n+ Denial of service.\n+ Spamming.\n+ Social engineering (including phishing) of SEMrush staff or contractors.\n+ Any physical attempts against SEMrush property or data centers.\n\nWe do not accept the following types of bugs:\n+ CSRF without clear impact.\n+ Any issues related to software not under SEMrush’s control.\n+ Spam or Social Engineering techniques, including SPF/DMARC/DKIM issues.\n+ SSL/TLS best practices that do not contain a fully functional proof of concept.\n+ Bugs that do not represent any security risk - these should be reported to mail@semrush.com.\n\nThe following bugs are unlikely to be eligible for a bounty:\n+ Missing DNSSEC settings.\n+ Attacks requiring physical access to a user's device.\n+ Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, HTTP methods, cookie flags, or descriptive error messages.\n+ Brute Force attacks.\n+ Issues related to Password Policy - strength, length, lockouts.\n+ Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n+ Reflected file download attacks (RFD).\n+ Tab nabbing and window.opener-related issues.\n+ Vulnerabilities affecting users of outdated browsers, plugins, or platforms.\n+ Vulnerabilities that allow for the injection of arbitrary text without allowing for hyperlinks, HTML, or JavaScript code to be injected.\n+ Vulnerabilities that require the user/victim to perform extremely unlikely actions (i.e. 
Self-XSS).\n+ IDN homograph attacks.\n+ SEMrush user’s API-keys and credentials found on any third party services.\n\n#@wearehackerone.com email and custom header\nWhenever possible, please use your [@wearehackerone.com](https://docs.hackerone.com/hackers/hacker-email-alias.html) account (this may stop our fraud team from blocking your account, and our Security team may set a bonus for a valid and detailed report), and set a header with your HackerOne username in your requests: ==X-hackerone: \u003ch1 username\u003e==.\nYou can do that with a [Burp addon](https://portswigger.net/bappstore/807907f5380c4cb38748ef4fc1d8cdbc) or through the Match and Replace option:\n1. Go to Proxy -\u003e Options -\u003e Match and Replace -\u003e Add\n2. Change Type to Request Header\n3. Leave Match blank (as the default text says, 'leave blank to add a new header')\n4. Put the new header in Replace\n\n#Legal Terms and Safe Harbor\nIn connection with your participation in this program, you agree to comply with [SEMrush’s Terms of Service](https://www.semrush.com/company/legal/terms-of-service/) (\"Terms\") and [SEMrush’s Privacy Policy](https://www.semrush.com/company/legal/privacy-policy/).\n\nSEMrush employees and contractors are not eligible to receive bounties or rewards of any kind.\n\nWhen conducting vulnerability research according to this Policy, we consider research conducted under this Policy to be:\n+ Authorized by SEMrush and authorized in view of any applicable anti-hacking laws;\n+ Authorized in view of relevant anti-circumvention laws; and\n+ Lawful, helpful to the overall security of the Internet, and conducted in good faith.\n\nWithin the framework of the program described in this Policy, we will take reasonable steps not to initiate a lawsuit or law enforcement investigation against a researcher in response to reporting a vulnerability, provided that the researcher fully complies with this Policy, HackerOne’s [Disclosure Guidelines](https://hackerone.com/guidelines) and with all 
applicable laws and regulations. \n\nYou are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to enter depending upon your local law. This is not a competition, but rather an experimental and discretionary reward program. You should understand that we can cancel the program at any time and that the decision whether or not to pay a reward is entirely at our discretion. Your testing must not violate any law, or disrupt or compromise any data that is not your own.\n\nIf at any time you have concerns or are uncertain whether your security research is consistent with this Policy, please submit a report through one of our Official Channels (HackerOne or via security@semrush.com) before going any further.\n\n#Rewards\nWhen duplicates occur, we award the first report that we can completely reproduce.\n\nWe allow our hackers to split the bounty.\n\nMultiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\nWe award bounties at the time of validation and will keep you posted as we work to resolve them, although sometimes it can take more time to investigate the vulnerability's severity, in which case the bounty may be paid later.\n\nWe will reward reports according to the severity of their impact (calculated with the CVSS v3.0 calculator) on a case-by-case basis as determined by our security team. We may pay more for unique, hard-to-find bugs, or for high-quality reports; we may also pay less for bugs with complex prerequisites that lower the risk of exploitation. \n\n#Disclosure Policy\nVulnerabilities must be disclosed only according to HackerOne’s Disclosure Guidelines. \nRequests for vulnerability disclosure must be submitted via the HackerOne report interface. We will discuss internally if we need to make a limited disclosure. 
Usually we make a full disclosure after redacting sensitive information, so if you need a limited disclosure for some reason, please drop us a line. \n\n#Report\n\"Scanner output\" or scanner-generated reports will not be accepted. Please follow the report template that we provided to minimize the response time and increase your chance of a worthy reward.\nIf you are going to submit a subdomain takeover report: to confirm that you have a full domain takeover (as HackerOne recommends), we need a screenshot of our domain (for example *.semrush.com) serving custom HTTP content (for example, your HackerOne username), so that we can be sure it is possible.\n\n#Promo-code\nSince a large part of our product is paid, we give researchers who have proved themselves a promo-code for paid SEMrush functionality. If you want to dive deeper into testing our product, write to us in an existing valid report and we will give you a promo-code. To decide whether or not to issue it, we will look at the quality of the reports you previously sent us. The promo-code cannot be issued more than once every three months. The final decision on issuing a promo-code rests with the SEMrush security team.\n\n#WAF and reactive protection\nYour requests can be blocked by the WAF solution we use. If you get error 445 but have serious reasons to believe that the vulnerability you found really exists, write to us about it in the report; we will investigate your case and may temporarily add your IP to the whitelist.\n\nWe believe monitoring and protection processes must not be impacted by the bug bounty. Automated security scans and tests may trigger our security systems and result in reactive measures being enforced, e.g. your account or IP may be blocked. \n\n#API/API key related bugs\nWhen you test requests to the API or with an API key, be careful: to test auth issues, change the API key, not the cookies. 
\n\nPlease note that an API key’s security and confidentiality are the user's responsibility, as stated in our Terms. \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-10-15T13:18:27.633Z"},{"id":3643205,"new_policy":"No technology is perfect, and SEMrush believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.\n\n#Program Policy\nPlay by the rules. This includes following this policy (\"Policy\"), HackerOne’s [Disclosure Guidelines](https://hackerone.com/guidelines) and any other relevant agreements.\n\nTest only with your own account(s) when investigating bugs, and do not interact with other accounts without the consent of their owners. \n\nProvide us with a reasonable amount of time to resolve the issue. We usually set the following terms for fixes: Low impact - 3 months, Medium impact - 1 month, High/Critical impact - up to 2 weeks for a fully functional fix. However, sometimes it could take more time. Please be patient; you will receive updates when, and if, there is anything to share. 
\n\nYou have to avoid privacy violations, destruction of data, and interruption or degradation of our service.\nWe only accept the latest versions of Google Chrome, Mozilla Firefox, Opera, Safari, and Edge.\n\nWhile researching, we'd like to ask you to refrain from:\n+ Denial of service.\n+ Spamming.\n+ Social engineering (including phishing) of SEMrush staff or contractors.\n+ Any physical attempts against SEMrush property or data centers.\n\nWe do not accept the following types of bugs:\n+ CSRF without clear impact.\n+ Any issues related to software not under SEMrush’s control.\n+ Spam or Social Engineering techniques, including SPF/DMARC/DKIM issues.\n+ SSL/TLS best practices that do not contain a fully functional proof of concept.\n+ Bugs that do not represent any security risk - these should be reported to mail@semrush.com.\n\nThe following bugs are unlikely to be eligible for a bounty:\n+ Missing DNSSEC settings.\n+ Attacks requiring physical access to a user's device.\n+ Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, HTTP methods, cookie flags, or descriptive error messages.\n+ Brute Force attacks.\n+ Issues related to Password Policy - strength, length, lockouts.\n+ Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n+ Reflected file download attacks (RFD).\n+ Tab nabbing and window.opener-related issues.\n+ Vulnerabilities affecting users of outdated browsers, plugins, or platforms.\n+ Vulnerabilities that allow for the injection of arbitrary text without allowing for hyperlinks, HTML, or JavaScript code to be injected.\n+ Vulnerabilities that require the user/victim to perform extremely unlikely actions (i.e. 
Self-XSS).\nIDN homograph attacks.\n+ SEMrush user’s API-keys found on any third party services.\n\n#@wearehackerone.com email and custom header\nWhenever possible, please use your [@wearehackerone.com](https://docs.hackerone.com/hackers/hacker-email-alias.html) account (this may stop our fraud team from blocking your account and our Security team may set a bonus for a valid and detailed report), and set a header with your HackerOne username in your requests: ==X-hackerone: \u003ch1 username\u003e==.\nYou can do that with [Burp addon](https://portswigger.net/bappstore/807907f5380c4cb38748ef4fc1d8cdbc) or through Match and Replace option:\n1. Go to Proxy -\u003e Options -\u003e Match and Replace -\u003e Add\n2. Change Type to Request Header\n3. As the default text says in Match 'leave blank to add a new header'\n4. Put the new header in Replace\n\n#Legal Terms and Safe Harbor\nIn connection with your participation in this program, you agree to comply with [SEMrush’s Terms of Service](https://www.semrush.com/company/legal/terms-of-service/) (\"Terms\") and [SEMrush’s Privacy Policy](https://www.semrush.com/company/legal/privacy-policy/).\n\nSEMrush employees and contractors are not eligible to receive bounties or rewards of any kind.\n\nWhen conducting vulnerability research according to this Policy, we consider this research conducted under this Policy to be:\n+ Authorized by SEMrush and authorized in view of any applicable anti-hacking laws;\n+ Authorized in view of relevant anti-circumvention laws; and\n+ Lawful, helpful to the overall security of the Internet, and conducted in good faith.\n\nWithin the framework of the program described in this Policy, we will take reasonable steps not to initiate a lawsuit or law enforcement investigation against a researcher in response to reporting a vulnerability provided that the researcher fully complies with this Policy, HackerOne’s [Disclosure Guidelines](https://hackerone.com/guidelines) and with all applicable laws and 
regulations. \n\nYou are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to enter depending upon your local law. This is not a competition, but rather an experimental and discretionary reward program. You should understand that we can cancel the program at any time and the decision as to whether or not to pay a reward has to be entirely at our discretion. Your testing must not violate any law, or disrupt or compromise any data that is not your own.\n\nIf at any time you have concerns or are uncertain whether your security research is consistent with this Policy, please submit a report through one of our Official Channels (HackerOne or via security@semrush.com) before going any further.\n#Rewards\nWhen duplicates occur, we award the first report that we can completely reproduce.\n\nWe allow our hackers to split the bounty.\n\nMultiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\nWe award bounties at the time of validation and will keep you posted as we work to resolve them. Although sometimes it can take more time to investigate the vulnerability severity and the bounty may be paid later.\n\nWe will reward reports according to the severity of their impact (calculated with CVSS v3.0 Calculator) on a case-by-case basis as determined by our security team. We may pay more for unique, hard-to-find bugs, or for high-quality reports; we may also pay less for bugs with complex prerequisites that lower the risk of exploitation. \n#Disclosure Policy\nVulnerabilities must be disclosed only according to HackerOne’s Disclosure Guidelines. \nRequests for vulnerability disclosure must be submitted via the HackerOne report interface. We will discuss internally if we need to make a limited disclosure. 
Usually, we make a full disclosure, after redacting sensitive information, therefore if you need to make a limited disclosure for some reasons please drop us a line. \n#Report\n\"Scanner output\" or scanner-generated reports will not be accepted. Please follow the report template that we provided to minimize the response time and increase your chance to get a worthy reward.\nIf you are going to submit a subdomain takeover report: to make sure that you have a full domain takeover (as h1 recommends) we have to get a screenshot with our domain (for ex. *.semrush.com) and custom HTTP content (for example h1 username) to be sure it's possible.\n#Promo-code\nSince a large part of our product is paid, we give researchers who proved themselves a promo-code for a paid SEMrush functionality. If you want to dive deeper into testing our product, write to us in an existing valid report and we will give you a promo-code. To decide whether to issue it or not we will look at the quality of reports you previously sent us. The promo code can not be issued more than once every three months. The final decision on issuing a promo-code rests with the SEMrush security team.\n#WAF and reactive protection\nYour requests can be blocked by the WAF solution we use. So if you get error 445, but you feel that you have found a vulnerability and you have serious reasons to believe that the vulnerability really exists - you can write to us about it on the report, we will investigate your case and maybe temporarily add your IP to the white list.\n\nWe believe monitoring and protecting processes must not be impacted by bug bounty. Automated security scans and tests may trigger our security systems and result in reactive measures being enforced, e.g. account or IP may be blocked. \n#API/API key related bugs\nWhen you test requests to API or with API key - be careful - to test auth issues change API key, not cookies. 
\n\nPlease note that API key’s security and confidentiality are the user's responsibility as stated in our Terms. \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-10-05T14:06:37.823Z"},{"id":3639387,"new_policy":"No technology is perfect, and SEMrush believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.\n\n#Program Policy\nPlay by the rules. This includes following this policy (\"Policy\"), HackerOne’s [Disclosure Guidelines](https://hackerone.com/guidelines) and any other relevant agreements.\n\nTest only with your own account(s) when investigating bugs, and do not interact with other accounts without the consent of their owners. Whenever possible, please use your [@wearehackerone.com](https://docs.hackerone.com/hackers/hacker-email-alias.html) account (this may stop our fraud team from blocking your account and our Security team may set a bonus for a valid and detailed report), and set a header with your HackerOne username in your requests, for example - `X-hackerone: averonesis`.\n\nProvide us a reasonable amount of time to resolve the issue. We usually set the following terms for fixes: Low impact - 3 months, Medium impact - 1 month, High/Critical impact - up to 2 weeks for a fully functional fix. However, sometimes it could take more time. Please be patient, you will receive updates when, and if, there will be anything to share. 
\n\nYou have to avoid privacy violations, destruction of data, and interruption or degradation of our service.\nWe only accept the latest version of browsers for Google Chrome, Mozilla Firefox, Opera, Safari, and Edge.\n\nWhile researching, we'd like to ask you to refrain from:\n+ Denial of service.\n+ Spamming.\n+ Social engineering (including phishing) of SEMrush staff or contractors.\n+ Any physical attempts against SEMrush property or data centers.\n\nWe do not accept the following types of bugs:\n+ CSRF without clear impact.\n+ Any issues related to software not under SEMrush’s control.\n+ Spam or Social Engineering techniques, including SPF/DMARC/DKIM issues.\n+ SSL/TLS best practices that do not contain a fully functional proof of concept.\n+ Bugs that do not represent any security risk - these should be reported to mail@semrush.com.\n\nThe following bugs are unlikely to be eligible for a bounty:\n+ Missing DNSSEC settings.\n+ Attacks requiring physical access to a user's device.\n+ Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, HTTP methods, cookie flags, or descriptive error messages.\n+ Brute Force attacks.\n+ Issues related to Password Policy - strength, length, lockouts.\n+ Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV. Reflected file download attacks (RFD).\n+ Tab nabbing and window.opener-related issues\n+ Vulnerabilities affecting users of outdated browsers, plugins or platforms.\n+ Vulnerabilities that allow for the injection of arbitrary text without allowing for hyperlinks, HTML, or JavaScript code to be injected.\n+ Vulnerabilities that require the user/victim to perform extremely unlikely actions (i.e. 
Self-XSS).\nIDN homograph attacks.\n+ SEMrush user’s API-keys found on any third party services.\n\n#Legal Terms and Safe Harbor\nIn connection with your participation in this program, you agree to comply with [SEMrush’s Terms of Service](https://www.semrush.com/company/legal/terms-of-service/) (\"Terms\") and [SEMrush’s Privacy Policy](https://www.semrush.com/company/legal/privacy-policy/).\n\nSEMrush employees and contractors are not eligible to receive bounties or rewards of any kind.\n\nWhen conducting vulnerability research according to this Policy, we consider this research conducted under this Policy to be:\n+ Authorized by SEMrush and authorized in view of any applicable anti-hacking laws;\n+ Authorized in view of relevant anti-circumvention laws; and\n+ Lawful, helpful to the overall security of the Internet, and conducted in good faith.\n\nWithin the framework of the program described in this Policy, we will take reasonable steps not to initiate a lawsuit or law enforcement investigation against a researcher in response to reporting a vulnerability provided that the researcher fully complies with this Policy, HackerOne’s [Disclosure Guidelines](https://hackerone.com/guidelines) and with all applicable laws and regulations. \n\nYou are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to enter depending upon your local law. This is not a competition, but rather an experimental and discretionary reward program. You should understand that we can cancel the program at any time and the decision as to whether or not to pay a reward has to be entirely at our discretion. 
Your testing must not violate any law, or disrupt or compromise any data that is not your own.\n\nIf at any time you have concerns or are uncertain whether your security research is consistent with this Policy, please submit a report through one of our Official Channels (HackerOne or via security@semrush.com) before going any further.\n#Rewards\nWhen duplicates occur, we award the first report that we can completely reproduce.\n\nWe allow our hackers to split the bounty.\n\nMultiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\nWe award bounties at the time of validation and will keep you posted as we work to resolve them. Although sometimes it can take more time to investigate the vulnerability severity and the bounty may be paid later.\n\nWe will reward reports according to the severity of their impact (calculated with CVSS v3.0 Calculator) on a case-by-case basis as determined by our security team. We may pay more for unique, hard-to-find bugs, or for high-quality reports; we may also pay less for bugs with complex prerequisites that lower the risk of exploitation. \n#Disclosure Policy\nVulnerabilities must be disclosed only according to HackerOne’s Disclosure Guidelines. \nRequests for vulnerability disclosure must be submitted via the HackerOne report interface. We will discuss internally if we need to make a limited disclosure. Usually, we make a full disclosure, after redacting sensitive information, therefore if you need to make a limited disclosure for some reasons please drop us a line. \n#Report\n\"Scanner output\" or scanner-generated reports will not be accepted. Please follow the report template that we provided to minimize the response time and increase your chance to get a worthy reward.\nIf you are going to submit a subdomain takeover report: to make sure that you have a full domain takeover (as h1 recommends) we have to get a screenshot with our domain (for ex. 
*.semrush.com) and custom HTTP content (for example h1 username) to be sure it's possible.\n#Promo-code\nSince a large part of our product is paid, we give researchers who proved themselves a promo-code for a paid SEMrush functionality. If you want to dive deeper into testing our product, write to us in an existing valid report and we will give you a promo-code. To decide whether to issue it or not we will look at the quality of reports you previously sent us. The promo code can not be issued more than once every three months. The final decision on issuing a promo-code rests with the SEMrush security team.\n#WAF and reactive protection\nYour requests can be blocked by the WAF solution we use. So if you get error 445, but you feel that you have found a vulnerability and you have serious reasons to believe that the vulnerability really exists - you can write to us about it on the report, we will investigate your case and maybe temporarily add your IP to the white list.\n\nWe believe monitoring and protecting processes must not be impacted by bug bounty. Automated security scans and tests may trigger our security systems and result in reactive measures being enforced, e.g. account or IP may be blocked. \n#API/API key related bugs\nWhen you test requests to API or with API key - be careful - to test auth issues change API key, not cookies. \n\nPlease note that API key’s security and confidentiality are the user's responsibility as stated in our Terms. \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-07-09T10:34:45.860Z"},{"id":3614512,"new_policy":"No technology is perfect, and SEMrush believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. 
If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.\n\n#Program Rules:\n- Automated testing is not permitted.\n- Follow HackerOne’s [Disclosure Guidelines](https://hackerone.com/guidelines).\n- Test only with your own account(s) when investigating bugs, and do not interact with other accounts without the consent of their owners.\n- When duplicates occur, we award the first report that we can completely reproduce.\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- We award bounties at time of validation, and will keep you posted as we work to resolve them.\n- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.\n- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n- We only accept the latest version of browsers for Google Chrome, Mozilla Firefox, Opera, Safari, and Edge.\n\n#Report:\nPlease follow the report template that we provided to minimize the response time and increase your chance to get a worthy reward.\n\n#Promo-code:\nSince a large part of our product is paid, we give researchers who proved themselves a promo-code for a paid SEMrush functionality. If you want to dive deeper into testing our product, write to us in an existing valid report and we will give you a promo-code. To decide whether to issue it or not we will look at your signal/impact/reputation on H1 platform and the reports you previously sent us. The final decision on issuing a promo-code rests with the SEMrush security team.\n\n# WAF\nYour requests can be blocked by the WAF solution we use. 
So if you get error 445, but you feel that you have found a vulnerability and you have serious reasons to believe that the vulnerability really exists - you can write to us about it on the report, we will investigate your case and maybe temporarily add your IP to the white list.\n\nWhile researching, we'd like to ask you to refrain from:\n- Denial of service\n- Spamming\n- Social engineering (including phishing) of SEMrush staff or contractors\n- Any physical attempts against SEMrush property or data centers\n- **CSRF** - site wide and known issue\n- Any issues related to software not under SEMrush’s control \n\nThe following bugs are unlikely to be eligible for a bounty:\n- Missing DNSSEC settings (we're working on it)\n- Issues found through automated testing\n- \"Scanner output\" or scanner-generated reports\n- Attacks requiring physical access to a user's device\n- Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, HTTP methods, cookie flags, or descriptive error messages\n- Brute Force attacks\n- Spam or Social Engineering techniques, including SPF/DMARC/DKIM issues\n- Issues relating to Password Policy - strength, length, lock outs, or lack of brute-force/rate limiting protections\n- Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV. Reflected file download attacks (RFD)\n- SSL/TLS best practices that do not contain a fully functional proof of concept\n- Tab nabbing and window.opener-related issues\n- Vulnerabilities affecting users of outdated browsers, plugins or platforms\n- Vulnerabilities that allow for the injection of arbitrary text without allowing for hyperlinks, HTML, or JavaScript code to be injected\n- Vulnerabilities that require the user/victim to perform extremely unlikely actions (i.e. 
Self-XSS)\n- Bugs that do not represent any security risk - these should be reported to mail@semrush.com\n- IDN homograph attacks\n\n#API/API key related bugs\nWhen you test requests to API or with API key - be careful - change api key to test auth issues not cookies. \n\nThank you for helping keep SEMrush and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-07-22T16:04:43.232Z"},{"id":3614492,"new_policy":"No technology is perfect, and SEMrush believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.\n\n#Program Rules:\n- Automated testing is not permitted.\n- Follow HackerOne’s [Disclosure Guidelines](https://hackerone.com/guidelines).\n- Test only with your own account(s) when investigating bugs, and do not interact with other accounts without the consent of their owners.\n- When duplicates occur, we award the first report that we can completely reproduce.\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- We award bounties at time of validation, and will keep you posted as we work to resolve them.\n- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.\n- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n- We only accept the latest version of browsers for Google Chrome, Mozilla Firefox, Opera, Safari, and Edge.\n\n#Report:\nPlease follow the report template that we provided to minimize the response time 
and increase your chance to get a worthy reward.\n\n#Promo-code:\nSince a large part of our product is paid, we give researchers who proved themselves a promo-code for a month paid SEMrush functionality. If you want to dive deeper into testing our product, write to us in an existing valid report and we will give you a promo-code. To decide whether to issue it or not we will look at your signal/impact/reputation on H1 platform and the reports you previously sent us. The final decision on issuing a promo-code rests with the SEMrush security team.\n\n# WAF\nYour requests can be blocked by the WAF solution we use. So if you get error 445, but you feel that you have found a vulnerability and you have serious reasons to believe that the vulnerability really exists - you can write to us about it on the report, we will investigate your case and maybe temporary add your IP to the white list.\n\nWhile researching, we'd like to ask you to refrain from:\n- Denial of service\n- Spamming\n- Social engineering (including phishing) of SEMrush staff or contractors\n- Any physical attempts against SEMrush property or data centers\n- **CSRF** - site wide and known issue\n- Any issues related to software not under SEMrush’s control \n\nThe following bugs are unlikely to be eligible for a bounty:\n- Missing DNSSEC settings (we're working it)\n- Issues found through automated testing\n- \"Scanner output\" or scanner-generated reports\n- Attacks requiring physical access to a user's device\n- Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, HTTP methods, cookie flags, or descriptive error messages\n- Brute Force attacks\n- Spam or Social Engineering techniques, including SPF/DMARC/DKIM issues\n- Issues relating to Password Policy - strength, length, lock outs, or lack of brute-force/rate limiting protections\n- Reports relating to the execution of CSV content by a third-party client application due to special treatment 
of certain characters in the exported CSV. Reflected file download attacks (RFD)\n- SSL/TLS best practices that do not contain a fully functional proof of concept\n- Tab nabbing and window.opener-related issues\n- Vulnerabilities affecting users of outdated browsers, plugins or platforms\n- Vulnerabilities that allow for the injection of arbitrary text without allowing for hyperlinks, HTML, or JavaScript code to be injected\n- Vulnerabilities that require the user/victim to perform extremely unlikely actions (i.e. Self-XSS)\n- Bugs that do not represent any security risk - these should be reported to mail@semrush.com\n- IDN homograph attacks\n\n#API/API key related bugs\nWhen you test requests to API or with API key - be careful - change api key to test auth issues not cookies. \n\nThank you for helping keep SEMrush and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-07-22T14:07:44.825Z"},{"id":3583752,"new_policy":"No technology is perfect, and SEMrush believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. 
We welcome working with you to resolve the issue promptly.\n\n#Program Rules:\n- Automated testing is not permitted.\n- Follow HackerOne’s [Disclosure Guidelines](https://hackerone.com/guidelines).\n- Test only with your own account(s) when investigating bugs, and do not interact with other accounts without the consent of their owners.\n- When duplicates occur, we award the first report that we can completely reproduce.\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- We award bounties at time of validation, and will keep you posted as we work to resolve them.\n- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.\n- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n- We only accept the latest version of browsers for Google Chrome, Mozilla Firefox, Opera, Safari, and Edge.\n\n#Report:\nPlease follow the report template that we provided to minimize the response time and increase your chance to get a worthy reward.\n\n# WAF\nYour requests can be blocked by the WAF solution we use. 
So if you get error 445, but you feel that you have found a vulnerability and you have serious reasons to believe that the vulnerability really exists - you can write to us about it on the report, we will investigate your case and maybe temporarily add your IP to the white list.\n\nWhile researching, we'd like to ask you to refrain from:\n- Denial of service\n- Spamming\n- Social engineering (including phishing) of SEMrush staff or contractors\n- Any physical attempts against SEMrush property or data centers\n- **CSRF** - site wide and known issue\n- Any issues related to software not under SEMrush’s control \n\nThe following bugs are unlikely to be eligible for a bounty:\n- Missing DNSSEC settings (we're working on it)\n- Issues found through automated testing\n- \"Scanner output\" or scanner-generated reports\n- Attacks requiring physical access to a user's device\n- Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, HTTP methods, cookie flags, or descriptive error messages\n- Brute Force attacks\n- Spam or Social Engineering techniques, including SPF/DMARC/DKIM issues\n- Issues relating to Password Policy - strength, length, lock outs, or lack of brute-force/rate limiting protections\n- Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV. Reflected file download attacks (RFD)\n- SSL/TLS best practices that do not contain a fully functional proof of concept\n- Tab nabbing and window.opener-related issues\n- Vulnerabilities affecting users of outdated browsers, plugins or platforms\n- Vulnerabilities that allow for the injection of arbitrary text without allowing for hyperlinks, HTML, or JavaScript code to be injected\n- Vulnerabilities that require the user/victim to perform extremely unlikely actions (i.e. 
Self-XSS)\n- Bugs that do not represent any security risk - these should be reported to mail@semrush.com\n- IDN homograph attacks\n\n#API/API key related bugs\nWhen you test requests to API or with API key - be careful - change api key to test auth issues not cookies. \n\nThank you for helping keep SEMrush and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-07-26T12:57:59.820Z"},{"id":3583751,"new_policy":"No technology is perfect, and SEMrush believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.\n\n#Program Rules:\n- Automated testing is not permitted.\n- Follow HackerOne’s [Disclosure Guidelines](https://hackerone.com/guidelines).\n- Test only with your own account(s) when investigating bugs, and do not interact with other accounts without the consent of their owners.\n- When duplicates occur, we award the first report that we can completely reproduce.\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- We award bounties at time of validation, and will keep you posted as we work to resolve them.\n- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.\n- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n- We only accept the latest version of browsers for Google Chrome, Mozilla Firefox, Opera, Safari, and Edge.\n\n#Report:\nPlease follow the report template that we provided to minimize the response time 
and increase your chance to get a worthy reward.\n\n# WAF\nYour requests can be blocked by the WAF solution we use. So if you get error 445, but you feel that you have found a vulnerability and you have serious reasons to believe that the vulnerability really exists - you can write to us about it on the report, we will investigate your case and maybe temporary add your IP to the white list.\n\nWhile researching, we'd like to ask you to refrain from:\n- Denial of service\n- Spamming\n- Social engineering (including phishing) of SEMrush staff or contractors\n- Any physical attempts against SEMrush property or data centers\n- **CSRF** - site wide and known issue\n- Any issues related to software not under SEMrush’s control \n\nThe following bugs are unlikely to be eligible for a bounty:\n- Missing DNSSEC settings (we're working it)\n- Issues found through automated testing\n- \"Scanner output\" or scanner-generated reports\n- Attacks requiring physical access to a user's device\n- Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, HTTP methods, cookie flags, or descriptive error messages\n- Brute Force attacks\n- Spam or Social Engineering techniques, including SPF/DMARC/DKIM issues\n- Issues relating to Password Policy - strength, length, lock outs, or lack of brute-force/rate limiting protections\n- Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV. 
Reflected file download attacks (RFD)\n- SSL/TLS best practices that do not contain a fully functional proof of concept\n- Tab nabbing and window.opener-related issues\n- Vulnerabilities affecting users of outdated browsers, plugins or platforms\n- Vulnerabilities that allow for the injection of arbitrary text without allowing for hyperlinks, HTML, or JavaScript code to be injected\n- Vulnerabilities that require the user/victim to perform extremely unlikely actions (i.e. Self-XSS)\n- Bugs that do not represent any security risk - these should be reported to mail@semrush.com\n- IDN homograph attacks\n\n#API/API key related bugs\nWhen you test requests to API or with API key - be careful - change api key to test auth issues not cookies. \n\nThank you for helping keep SEMrush and our users safe!\n\n#Domains:\n```\n*.semrush.com - see exclusions section above\n```\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-07-26T12:57:15.993Z"},{"id":3577146,"new_policy":"No technology is perfect, and SEMrush believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. 
We welcome working with you to resolve the issue promptly.\n\n#Program Rules:\n- Automated testing is not permitted.\n- Follow HackerOne’s [Disclosure Guidelines](https://hackerone.com/guidelines).\n- Test only with your own account(s) when investigating bugs, and do not interact with other accounts without the consent of their owners.\n- When duplicates occur, we award the first report that we can completely reproduce.\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- We award bounties at time of validation, and will keep you posted as we work to resolve them.\n- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.\n- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n- We only accept the latest version of browsers for Google Chrome, Mozilla Firefox, Opera, Safari, and Edge.\n\n#Report:\nPlease follow the report template that we provided to minimize the response time and increase your chance to get a worthy reward.\n\n#Payouts\nOur vulnerability-reward payouts will go up to $3,000 USD for the most impactful exploits. If we accept your report, our minimum bounty is $50.\n- Stored XSS — from $150 to $250\n- Reflected XSS — $100\n- Stored XSS with authenticated experience — up to $1,000\n- SSRF — from $300 to $1,000\n- Security misconfiguration — up to $500\n- Broken authentication — up to $1,000\n- Injection and RCE — up to $3,000\n\n# WAF\nYour requests can be blocked by the WAF solution we use. 
So if you get error 445, but you feel that you have found a vulnerability and you have serious reasons to believe that the vulnerability really exists - you can write to us about it in the report; we will investigate your case and may temporarily add your IP to the white list.\n\n# Exclusions\n- advocates.semrush.com\n- actonmail.semrush.com\n- email.semrush.com\n- berush.com\n- labs-semrush.com\n- landings.semrush.com\n- Any other issues related to software not under SEMrush’s control\n\nWhile researching, we'd like to ask you to refrain from:\n- Denial of service\n- Spamming\n- Social engineering (including phishing) of SEMrush staff or contractors\n- Any physical attempts against SEMrush property or data centers\n- **CSRF** - site wide and known issue\n\nThe following bugs are unlikely to be eligible for a bounty:\n- Missing DNSSEC settings (we're working on it)\n- Issues found through automated testing\n- \"Scanner output\" or scanner-generated reports\n- Attacks requiring physical access to a user's device\n- Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, HTTP methods, cookie flags, or descriptive error messages\n- Brute Force attacks\n- Spam or Social Engineering techniques, including SPF/DMARC/DKIM issues\n- Issues relating to Password Policy - strength, length, lockouts, or lack of brute-force/rate limiting protections\n- Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV. 
Reflected file download attacks (RFD)\n- SSL/TLS best practices that do not contain a fully functional proof of concept\n- Tab nabbing and window.opener-related issues\n- Vulnerabilities affecting users of outdated browsers, plugins or platforms\n- Vulnerabilities that allow for the injection of arbitrary text without allowing for hyperlinks, HTML, or JavaScript code to be injected\n- Vulnerabilities that require the user/victim to perform extremely unlikely actions (i.e. Self-XSS)\n- Bugs that do not represent any security risk - these should be reported to mail@semrush.com\n- IDN homograph attacks\n\n#API/API key related bugs\nWhen you test requests to the API or with an API key, be careful: to test auth issues, change the API key, not the cookies.\n\nThank you for helping keep SEMrush and our users safe!\n\n#Domains:\n```\n*.semrush.com - see exclusions section above\n```\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-05-18T12:31:49.277Z"},{"id":3573710,"new_policy":"No technology is perfect, and SEMrush believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. 
We welcome working with you to resolve the issue promptly.\n\n#Program Rules:\n- Automated testing is not permitted.\n- Follow HackerOne’s [Disclosure Guidelines](https://hackerone.com/guidelines).\n- Test only with your own account(s) when investigating bugs, and do not interact with other accounts without the consent of their owners.\n- When duplicates occur, we award the first report that we can completely reproduce.\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- We award bounties at time of validation, and will keep you posted as we work to resolve them.\n- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.\n- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n- We only accept the latest version of browsers for Google Chrome, Mozilla Firefox, Opera, Safari, and Edge.\n\n#Report:\nPlease follow the report template that we provided to minimize the response time and increase your chance to get a worthy reward.\n\n#Payouts\nOur vulnerability-reward payouts will go up to $3,000 USD for the most impactful exploits. If we accept your report, our minimum bounty is $50.\n- Stored XSS — from $150 to $250\n- Reflected XSS — $100\n- Stored XSS with authenticated experience — up to $1,000\n- SSRF — from $300 to $1,000\n- Security misconfiguration — up to $500\n- Broken authentication — up to $1,000\n- Injection and RCE — up to $3,000\n\n# WAF\nYour requests can be blocked by the WAF solution we use. 
So if you get error 445, but you feel that you have found a vulnerability and you have serious reasons to believe that the vulnerability really exists - you can write to us about it in the report; we will investigate your case and may temporarily add your IP to the white list.\n\n# Exclusions\n- advocates.semrush.com\n- actonmail.semrush.com\n- email.semrush.com\n- berush.com\n- labs-semrush.com\n- Any other issues related to software not under SEMrush’s control\n\nWhile researching, we'd like to ask you to refrain from:\n- Denial of service\n- Spamming\n- Social engineering (including phishing) of SEMrush staff or contractors\n- Any physical attempts against SEMrush property or data centers\n- **CSRF** - site wide and known issue\n\nThe following bugs are unlikely to be eligible for a bounty:\n- Missing DNSSEC settings (we're working on it)\n- Issues found through automated testing\n- \"Scanner output\" or scanner-generated reports\n- Attacks requiring physical access to a user's device\n- Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, HTTP methods, cookie flags, or descriptive error messages\n- Brute Force attacks\n- Spam or Social Engineering techniques, including SPF/DMARC/DKIM issues\n- Issues relating to Password Policy - strength, length, lockouts, or lack of brute-force/rate limiting protections\n- Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV. 
Reflected file download attacks (RFD)\n- SSL/TLS best practices that do not contain a fully functional proof of concept\n- Tab nabbing and window.opener-related issues\n- Vulnerabilities affecting users of outdated browsers, plugins or platforms\n- Vulnerabilities that allow for the injection of arbitrary text without allowing for hyperlinks, HTML, or JavaScript code to be injected\n- Vulnerabilities that require the user/victim to perform extremely unlikely actions (i.e. Self-XSS)\n- Bugs that do not represent any security risk - these should be reported to mail@semrush.com\n- IDN homograph attacks\n\n#API/API key related bugs\nWhen you test requests to the API or with an API key, be careful: to test auth issues, change the API key, not the cookies.\n\nThank you for helping keep SEMrush and our users safe!\n\n#Domains:\n```\n*.semrush.com - see exclusions section above\n```\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-04-13T14:23:15.085Z"},{"id":3568599,"new_policy":"No technology is perfect, and SEMrush believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. 
We welcome working with you to resolve the issue promptly.\n\n#Program Rules:\n- Automated testing is not permitted.\n- Follow HackerOne’s [Disclosure Guidelines](https://hackerone.com/guidelines).\n- Test only with your own account(s) when investigating bugs, and do not interact with other accounts without the consent of their owners.\n- When duplicates occur, we award the first report that we can completely reproduce.\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- We award bounties at time of validation, and will keep you posted as we work to resolve them.\n- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.\n- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n- We only accept the latest version of browsers for Google Chrome, Mozilla Firefox, Opera, Safari, and Edge.\n\n#Report:\nPlease follow the report template that we provided to minimize the response time and increase your chance to get a worthy reward.\n\n#Payouts\nOur vulnerability-reward payouts will go up to $3,000 USD for the most impactful exploits. If we accept your report, our minimum bounty is $50.\n- Stored XSS — from $150 to $250\n- Reflected XSS — $100\n- Stored XSS with authenticated experience — up to $1,000\n- SSRF — from $300 to $1,000\n- Security misconfiguration — up to $500\n- Broken authentication — up to $1,000\n- Injection and RCE — up to $3,000\n\n# WAF\nYour requests can be blocked by the WAF solution we use. 
So if you get error 445, but you feel that you have found a vulnerability and you have serious reasons to believe that the vulnerability really exists - you can write to us about it in the report; we will investigate your case and may temporarily add your IP to the white list.\n\n# Exclusions\n- advocates.semrush.com\n- actonmail.semrush.com\n- email.semrush.com\n- berush.com\n- Any other issues related to software not under SEMrush’s control\n\nWhile researching, we'd like to ask you to refrain from:\n- Denial of service\n- Spamming\n- Social engineering (including phishing) of SEMrush staff or contractors\n- Any physical attempts against SEMrush property or data centers\n- **CSRF** - site wide and known issue\n\nThe following bugs are unlikely to be eligible for a bounty:\n- Missing DNSSEC settings (we're working on it)\n- Issues found through automated testing\n- \"Scanner output\" or scanner-generated reports\n- Attacks requiring physical access to a user's device\n- Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, HTTP methods, cookie flags, or descriptive error messages\n- Brute Force attacks\n- Spam or Social Engineering techniques, including SPF/DMARC/DKIM issues\n- Issues relating to Password Policy - strength, length, lockouts, or lack of brute-force/rate limiting protections\n- Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV. 
Reflected file download attacks (RFD)\n- SSL/TLS best practices that do not contain a fully functional proof of concept\n- Tab nabbing and window.opener-related issues\n- Vulnerabilities affecting users of outdated browsers, plugins or platforms\n- Vulnerabilities that allow for the injection of arbitrary text without allowing for hyperlinks, HTML, or JavaScript code to be injected\n- Vulnerabilities that require the user/victim to perform extremely unlikely actions (i.e. Self-XSS)\n- Bugs that do not represent any security risk - these should be reported to mail@semrush.com\n- IDN homograph attacks\n\n#API/API key related bugs\nWhen you test requests to the API or with an API key, be careful: to test auth issues, change the API key, not the cookies.\n\nThank you for helping keep SEMrush and our users safe!\n\n#Domains:\n```\n*.semrush.com - see exclusions section above\n```\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-02-09T13:47:25.951Z"},{"id":3567713,"new_policy":"No technology is perfect, and SEMrush believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. 
We welcome working with you to resolve the issue promptly.\n\n#Program Rules:\n- Automated testing is not permitted.\n- Follow HackerOne’s [Disclosure Guidelines](https://hackerone.com/guidelines).\n- Test only with your own account(s) when investigating bugs, and do not interact with other accounts without the consent of their owners.\n- When duplicates occur, we award the first report that we can completely reproduce.\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- We award bounties at time of validation, and will keep you posted as we work to resolve them.\n- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.\n- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n- We only accept the latest version of browsers for Google Chrome, Mozilla Firefox, Opera, Safari, and Internet Explorer starting with version 11.\n\n#Report:\nPlease follow the report template that we provided to minimize the response time and increase your chance to get a worthy reward.\n\n#Payouts\nOur vulnerability-reward payouts will go up to $3,000 USD for the most impactful exploits. If we accept your report, our minimum bounty is $50.\n- Stored XSS — from $150 to $250\n- Reflected XSS — $100\n- Stored XSS with authenticated experience — up to $1,000\n- SSRF — from $300 to $1,000\n- Security misconfiguration — up to $500\n- Broken authentication — up to $1,000\n- Injection and RCE — up to $3,000\n\n# WAF\nYour requests can be blocked by the WAF solution we use. 
So if you get error 445, but you feel that you have found a vulnerability and you have serious reasons to believe that the vulnerability really exists - you can write to us about it in the report; we will investigate your case and may temporarily add your IP to the white list.\n\n# Exclusions\n- advocates.semrush.com\n- actonmail.semrush.com\n- email.semrush.com\n- berush.com\n- Any other issues related to software not under SEMrush’s control\n\nWhile researching, we'd like to ask you to refrain from:\n- Denial of service\n- Spamming\n- Social engineering (including phishing) of SEMrush staff or contractors\n- Any physical attempts against SEMrush property or data centers\n- **CSRF** - site wide and known issue\n\nThe following bugs are unlikely to be eligible for a bounty:\n- Missing DNSSEC settings (we're working on it)\n- Issues found through automated testing\n- \"Scanner output\" or scanner-generated reports\n- Attacks requiring physical access to a user's device\n- Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, HTTP methods, cookie flags, or descriptive error messages\n- Brute Force attacks\n- Spam or Social Engineering techniques, including SPF/DMARC/DKIM issues\n- Issues relating to Password Policy - strength, length, lockouts, or lack of brute-force/rate limiting protections\n- Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV. 
Reflected file download attacks (RFD)\n- SSL/TLS best practices that do not contain a fully functional proof of concept\n- Tab nabbing and window.opener-related issues\n- Vulnerabilities affecting users of outdated browsers, plugins or platforms\n- Vulnerabilities that allow for the injection of arbitrary text without allowing for hyperlinks, HTML, or JavaScript code to be injected\n- Vulnerabilities that require the user/victim to perform extremely unlikely actions (i.e. Self-XSS)\n- Bugs that do not represent any security risk - these should be reported to mail@semrush.com\n- IDN homograph attacks\n\n#API/API key related bugs\nWhen you test requests to the API or with an API key, be careful: to test auth issues, change the API key, not the cookies.\n\nThank you for helping keep SEMrush and our users safe!\n\n#Domains:\n```\n*.semrush.com - see exclusions section above\n```\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-01-29T17:31:09.998Z"},{"id":3563756,"new_policy":"No technology is perfect, and SEMrush believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. 
We welcome working with you to resolve the issue promptly.\n\n#Program Rules:\n- Automated testing is not permitted.\n- Follow HackerOne’s [Disclosure Guidelines](https://hackerone.com/guidelines).\n- Test only with your own account(s) when investigating bugs, and do not interact with other accounts without the consent of their owners.\n- When duplicates occur, we award the first report that we can completely reproduce.\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- We award bounties at time of validation, and will keep you posted as we work to resolve them.\n- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.\n- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n- We only accept the latest version of browsers for Google Chrome, Mozilla Firefox, Opera, Safari, and Internet Explorer starting with version 10.\n\n#Payouts\nOur vulnerability-reward payouts will go up to $3,000 USD for the most impactful exploits. If we accept your report, our minimum bounty is $50.\n- Stored XSS — from $150 to $250\n- Reflected XSS — $100\n- Stored XSS with authenticated experience — up to $1,000\n- SSRF — from $300 to $1,000\n- Security misconfiguration — up to $500\n- Broken authentication — up to $1,000\n- Injection and RCE — up to $3,000\n\n# WAF\nYour requests can be blocked by the WAF solution we use. 
So if you get error 445, but you feel that you have found a vulnerability and you have serious reasons to believe that the vulnerability really exists - you can write to us about it in the report; we will investigate your case and may temporarily add your IP to the white list.\n\n# Exclusions\n- advocates.semrush.com\n- actonmail.semrush.com\n- email.semrush.com\n- berush.com\n- Any other issues related to software not under SEMrush’s control\n\nWhile researching, we'd like to ask you to refrain from:\n- Denial of service\n- Spamming\n- Social engineering (including phishing) of SEMrush staff or contractors\n- Any physical attempts against SEMrush property or data centers\n- CSRF - site wide and known issue\n\nThe following bugs are unlikely to be eligible for a bounty:\n- Missing DNSSEC settings (we're working on it)\n- Issues found through automated testing\n- \"Scanner output\" or scanner-generated reports\n- Attacks requiring physical access to a user's device\n- Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, HTTP methods, cookie flags, or descriptive error messages\n- Brute Force attacks\n- Spam or Social Engineering techniques, including SPF/DMARC/DKIM issues\n- Issues relating to Password Policy - strength, length, lockouts, or lack of brute-force/rate limiting protections\n- Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV. 
Reflected file download attacks (RFD)\n- SSL/TLS best practices that do not contain a fully functional proof of concept\n- Tab nabbing and window.opener-related issues\n- Vulnerabilities affecting users of outdated browsers, plugins or platforms\n- Vulnerabilities that allow for the injection of arbitrary text without allowing for hyperlinks, HTML, or JavaScript code to be injected\n- Vulnerabilities that require the user/victim to perform extremely unlikely actions (i.e. Self-XSS)\n- Bugs that do not represent any security risk - these should be reported to mail@semrush.com\n- IDN homograph attacks\n\n#API/API key related bugs\nWhen you test requests to the API or with an API key, be careful: to test auth issues, change the API key, not the cookies.\n\nThank you for helping keep SEMrush and our users safe!\n\n#Domains:\n```\n*.semrush.com\n```\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-11-21T09:54:32.172Z"},{"id":3563755,"new_policy":"No technology is perfect, and SEMrush believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. 
We welcome working with you to resolve the issue promptly.\n\n#Program Rules:\n- Automated testing is not permitted.\n- Follow HackerOne’s [Disclosure Guidelines](https://hackerone.com/guidelines).\n- Test only with your own account(s) when investigating bugs, and do not interact with other accounts without the consent of their owners.\n- When duplicates occur, we award the first report that we can completely reproduce.\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- We award bounties at time of validation, and will keep you posted as we work to resolve them.\n- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.\n- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n- We only accept the latest version of browsers for Google Chrome, Mozilla Firefox, Opera, Safari, and Internet Explorer starting with version 10.\n\n#Payouts\nOur vulnerability-reward payouts will go up to $2,000 USD for the most impactful exploits. If we accept your report, our minimum bounty is $50.\n- Stored XSS — from $150 to $250\n- Reflected XSS — $100\n- Stored XSS with authenticated experience — up to $1000\n- SSRF — from $300 to $1000\n- Security misconfiguration — up to $500\n- Broken authentication — up to $1000\n- Injection and RCE — up to $3000\n\n# WAF\nYour requests can be blocked by the WAF solution we use. 
So if you get error 445, but you feel that you have found a vulnerability and you have serious reasons to believe that the vulnerability really exists - you can write to us about it in the report; we will investigate your case and may temporarily add your IP to the white list.\n\n# Exclusions\n- advocates.semrush.com\n- actonmail.semrush.com\n- email.semrush.com\n- berush.com\n- Any other issues related to software not under SEMrush’s control\n\nWhile researching, we'd like to ask you to refrain from:\n- Denial of service\n- Spamming\n- Social engineering (including phishing) of SEMrush staff or contractors\n- Any physical attempts against SEMrush property or data centers\n- CSRF - site wide and known issue\n\nThe following bugs are unlikely to be eligible for a bounty:\n- Missing DNSSEC settings (we're working on it)\n- Issues found through automated testing\n- \"Scanner output\" or scanner-generated reports\n- Attacks requiring physical access to a user's device\n- Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, HTTP methods, cookie flags, or descriptive error messages\n- Brute Force attacks\n- Spam or Social Engineering techniques, including SPF/DMARC/DKIM issues\n- Issues relating to Password Policy - strength, length, lockouts, or lack of brute-force/rate limiting protections\n- Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV. 
Reflected file download attacks (RFD)\n- SSL/TLS best practices that do not contain a fully functional proof of concept\n- Tab nabbing and window.opener-related issues\n- Vulnerabilities affecting users of outdated browsers, plugins or platforms\n- Vulnerabilities that allow for the injection of arbitrary text without allowing for hyperlinks, HTML, or JavaScript code to be injected\n- Vulnerabilities that require the user/victim to perform extremely unlikely actions (i.e. Self-XSS)\n- Bugs that do not represent any security risk - these should be reported to mail@semrush.com\n- IDN homograph attacks\n\n#API/API key related bugs\nWhen you test requests to the API or with an API key, be careful: to test auth issues, change the API key, not the cookies.\n\nThank you for helping keep SEMrush and our users safe!\n\n#Domains:\n```\n*.semrush.com\n```\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-11-21T09:50:01.153Z"},{"id":3562592,"new_policy":"No technology is perfect, and SEMrush believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. 
We welcome working with you to resolve the issue promptly.\n\n#Program Rules:\n- Automated testing is not permitted.\n- Follow HackerOne’s [Disclosure Guidelines](https://hackerone.com/guidelines).\n- Test only with your own account(s) when investigating bugs, and do not interact with other accounts without the consent of their owners.\n- When duplicates occur, we award the first report that we can completely reproduce.\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- We award bounties at time of validation, and will keep you posted as we work to resolve them.\n- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.\n- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n- We only accept the latest version of browsers for Google Chrome, Mozilla Firefox, Opera, Safari, and Internet Explorer starting with version 10.\n\n#Payouts\nOur vulnerability-reward payouts will go up to $2,000 USD for the most impactful exploits. If we accept your report, our minimum bounty is $50.\n- Stored XSS — from $150 to $250\n- Reflected XSS — $100\n- Stored XSS with authenticated experience — up to $1000\n- SSRF — from $300 to $1000\n- Security misconfiguration — up to $500\n- Broken authentication — up to $1000\n- Injection and RCE — up to $2000\n\n# WAF\nYour requests can be blocked by the WAF solution we use. 
So if you get error 445, but you feel that you have found a vulnerability and you have serious reasons to believe that the vulnerability really exists - you can write to us about it in the report; we will investigate your case and may temporarily add your IP to the white list.\n\n# Exclusions\n- advocates.semrush.com\n- actonmail.semrush.com\n- email.semrush.com\n- berush.com\n- Any other issues related to software not under SEMrush’s control\n\nWhile researching, we'd like to ask you to refrain from:\n- Denial of service\n- Spamming\n- Social engineering (including phishing) of SEMrush staff or contractors\n- Any physical attempts against SEMrush property or data centers\n- CSRF - site wide and known issue\n\nThe following bugs are unlikely to be eligible for a bounty:\n- Missing DNSSEC settings (we're working on it)\n- Issues found through automated testing\n- \"Scanner output\" or scanner-generated reports\n- Attacks requiring physical access to a user's device\n- Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, HTTP methods, cookie flags, or descriptive error messages\n- Brute Force attacks\n- Spam or Social Engineering techniques, including SPF/DMARC/DKIM issues\n- Issues relating to Password Policy - strength, length, lockouts, or lack of brute-force/rate limiting protections\n- Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV. 
Reflected file download attacks (RFD)\n- SSL/TLS best practices that do not contain a fully functional proof of concept\n- Tab nabbing and window.opener-related issues\n- Vulnerabilities affecting users of outdated browsers, plugins or platforms\n- Vulnerabilities that allow for the injection of arbitrary text without allowing for hyperlinks, HTML, or JavaScript code to be injected\n- Vulnerabilities that require the user/victim to perform extremely unlikely actions (i.e. Self-XSS)\n- Bugs that do not represent any security risk - these should be reported to mail@semrush.com\n- IDN homograph attacks\n\n#API/API key related bugs\nWhen you test requests to the API or with an API key, be careful: to test auth issues, change the API key, not the cookies.\n\nThank you for helping keep SEMrush and our users safe!\n\n#Domains:\nMain domain:\n```\nwww.semrush.com\n```\n\nLanguage mirrors:\n```\nes.semrush.com\nde.semrush.com\nfr.semrush.com\nit.semrush.com\npt.semrush.com\nru.semrush.com\n```\n\nBackends and internal services:\n```\n*.backend.semrush.com\n*.live.semrush.com\n*.fullsearch.semrush.com\n*.bl.semrush.com\nblbackend.semrush.com\nbackendbl.semrush.com\nbackend-bl.semrush.com\nbackend.bl.semrush.com\nbackend-v3.bl.semrush.com\nlimit.semrush.com\nlogger-js.semrush.com\ndab.semrush.com\nmentions.semrush.com\nta.semrush.com\ntracking.semrush.com\nsmt-backend1.semrush.com\nsmt-backend2.semrush.com\nsmt-db1.semrush.com\nsmt-db2.semrush.com\nsmt-db3.semrush.com\nfeedback.semrush.com\noauth.semrush.com\nexportmanager.semrush.com\n```\n\nAPI access:\n```\napi.semrush.com\n*.api.semrush.com\n*.publicapi.semrush.com\npublicapi.semrush.com\n```\n\nOther 
services:\n```\ncommunity.semrush.com\ncustom.semrush.com\ngeo.semrush.com\nlandings.semrush.com\nlanding.semrush.com\nsecure.semrush.com\n```\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-10-31T10:16:03.010Z"}]