[{"id":3770961,"new_policy":"# 🛡️ Superhuman (formerly Grammarly) Bug Bounty Program\n\nWelcome, Hackers 👋  \n\nWe’ve merged the **Grammarly** and **Coda** programs into a single unified program — **Superhuman (formerly Grammarly)**.  \nWe’re excited to continue working with the security community to help keep our users, data, and systems secure.  \n\n---\n\n## 🌍 Our Story\n\nSuperhuman builds powerful, collaborative tools that bring words, data, and teams together — from the next generation of document creation (formerly Coda) to AI-enhanced writing and productivity tools (formerly Grammarly).  \n\nSecurity and privacy remain at the core of everything we build. We look forward to collaborating with researchers worldwide to identify and resolve vulnerabilities responsibly.\n\n---\n\n## 🧭 Program Scope\n\n### In Scope\n- `*.grammarly.com`\n- `*.coda.io`\n- `*.superhuman.com` (excluding Superhuman Mail — see below)\n- Browser extensions for Chrome, Safari, Firefox, and Edge  \n- Desktop applications for macOS and Windows  \n- Mobile apps and keyboards for Android and iOS  \n\n\u003e 💡 **Note:** Vulnerabilities in the **Superhuman Mail** product are out of scope. We are working on logistics to create a new program for this.\n\n---\n\n## ⏱️ Response Targets\n\n| Stage | Target Timeframe |\n|--------|------------------|\n| Time to first response | 2 business days |\n| Time to triage | 4 business days |\n| Time to bounty (after triage) | 7 business days |\n\nWe’ll keep you updated throughout the process.\n\n---\n\n## 🧩 Rules for Researchers\n\n- Be an **ethical hacker** and follow HackerOne’s [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).  \n- Respect privacy — **only interact with test accounts** that you own.  \n- Do **not** test or exploit bugs on real customer accounts. Doing so may reduce bounty awards by up to **50%**.  \n- **No DoS, spam, or abuse of customer support channels** to gain attention.  
\n- Do **not** use leaked customer credentials.  \n- We **will** pay bounties for working *employee credential leaks* when properly demonstrated.  \n- If you encounter user data inadvertently, stop testing immediately, report it, and purge all local data.  \n- Submit one vulnerability per report (unless chaining is needed for impact).  \n- Only the **first valid report** of a vulnerability will be rewarded.  \n- Multiple issues stemming from the same root cause may be combined into one bounty.  \n- Social engineering (phishing, vishing, smishing, etc.) is strictly prohibited.  \n- Do **not** contact us through customer support channels or email. Any attempts to establish out-of-band communication will result in the report being closed as N/A and reported to HackerOne.\n\n---\n\n## 🧪 Test Accounts\n\nCreate your own test accounts to explore and validate findings.\n\n- For **Coda testing**:\n  - Create a free account at [https://coda.io/welcome](https://coda.io/welcome).\n  - Use a **Google** or **email+password** sign-up.\n  - Append `hackeronetester` to your email (e.g., `codahackeronetester@gmail.com`) if you’re not using a `@wearehackerone.com` domain.\n  - Do not create more than **5 test accounts**.\n  - Use only the free plan — do not use fake payment data.\n\n- For **Grammarly/Superhuman testing**:\n  - Use `@wearehackerone.com` to sign up.\n  - Append `hackeronetester` to your email (e.g., `grammarlyhackeronetester@gmail.com`) if you’re not using a `@wearehackerone.com` domain.\n\n\n ~~Need a specific subscription level? Contact us, and we’ll provide access as needed.~~\nWe are currently **not providing** free upgrades for testing. We will post an update when we plan to resume; please do not create support tickets requesting a subscription or asking related questions about bug bounties.\n\n---\n\n## 🚫 Out of Scope\n\nWhen reporting, please consider exploitability and impact. 
The following are **out of scope** or **non-qualifying**:\n\n### Technical Exclusions\n- Apparent SSRF of `/api/oembedResolve` (uses Iframely)\n- Clickjacking on non-sensitive pages\n- Unauthenticated / logout / login CSRF\n- MITM or physical access–dependent attacks\n- Known vulnerable libraries without working PoC\n- CSV injection without clear exploit\n- Missing SSL/TLS, DNS, CSP, or header “best practices”\n- Content spoofing or text injection without HTML/CSS modification\n- DoS or service disruption attempts\n- Overly large payloads in docs\n- “Best practice” or theoretical issues\n\n### Business Logic \u0026 Policy Exclusions\n- Credential reuse from public dumps\n- Username/account enumeration\n- Promo/invite code or referral abuse\n- Account sharing or subscription misuse\n- Institutional or educational access code issues\n- Email verification or password complexity complaints\n\n---\n\n## 💰 Rewards\n\nWe reward based on the **impact and severity** of the vulnerability.  \nFinal bounty amounts are at the discretion of the Superhuman Security Team.  \n\nBounty tiers for different products:\n- Grammarly - Up to $30k\n- Superhuman - Up to $13k (excludes Superhuman Mail)\n- Coda - Up to $3k\n\nDuplicate reports (including known internal issues) will not be rewarded.  \nMultiple vulnerabilities from a single root cause may be combined into one payout.\n\n\u003e ⚑ **CTF Challenge**  \n\u003e The first hacker who reports the `$FLAG` saved in document ID `1198436185` under user `h1_ctf@grammarly.com` (user_id `1411519194`) in Grammarly (Classic doc only) will earn a **$100,000 bounty**.  \n\u003e If it’s in scope, the challenge remains active — no need to ask for confirmation.\n\n---\n# Legal \n\n## 🛡️ Safe Harbor\n\nWe comply with **HackerOne’s Gold Standard Safe Harbor**.  \nActivities conducted in accordance with this policy will be considered authorized and exempt from legal action.  
\n\n[Learn more → Safe Harbor FAQ](https://docs.hackerone.com/en/articles/8494502-safe-harbor-faq)\n\n\n## Ineligible Participants\n\nFormer employees and contractors of Superhuman are ineligible for bug-bounty payments for 6 months after their employment ends.\n\n---\n\n## ✉️ Questions or Access Requests\n\nNeed additional test environments or subscriptions?  \nReach us directly via your HackerOne submission or contact **security@superhuman.com**.\n\n---\n\nThank you for helping keep **Superhuman**, our users, and the broader community safe.  \nWe deeply appreciate your skill, curiosity, and professionalism — together, we’re building something truly secure 🚀\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"**Welcome to Superhuman’s Bug Bounty Program! 🚀**  \n\nAt **Superhuman (formerly Grammarly + Coda)**, security and privacy are at the heart of everything we build. We’re committed to protecting our users and ensuring the integrity of our platform as we bring words, data, and teams together in powerful new ways.  \n\nCollaboration with the security research community is essential to that mission — your expertise helps us create safer, smarter, and more resilient products.  \n\nWe’re thrilled to partner with you and truly value your insights. 🐞🔍","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Social Engineering of Grammarly Employees and Users\",\"details\":\"Social engineering (e.g., phishing, vishing, smishing) of Grammarly employees and users is strictly prohibited.\"}","{\"category\":\"Publicly Known Vulnerable Libraries Without a Working Proof of Concept\",\"details\":\"Reports concerning vulnerabilities in publicly known libraries will only be considered if accompanied by a working Proof of Concept (PoC). 
Without a PoC, such reports will be excluded from the scope.\"}","{\"category\":\"Stack Traces, Path Disclosure, and Directory Listings\",\"details\":\"Reports related to stack traces, path disclosures, and directory listings will be excluded from the scope unless they directly demonstrate a significant security impact.\"}","{\"category\":\"Self-XSS or User-Pasted JavaScript into the Browser Console\",\"details\":\"Reports involving Self-XSS or scenarios where users need to paste JavaScript into the browser console will be excluded from the scope.\"}","{\"category\":\"Vulnerabilities in outdated versions of Grammarly software\",\"details\":\"Reports involving vulnerabilities found in outdated versions of Grammarly software will be excluded from the scope.\"}","{\"category\":\"Issues Relating to Non-Grammarly Products\",\"details\":\"Reports about problems found in non-Grammarly products, such as third-party integrations.\"}","{\"category\":\"Any Activity That Could Lead to the Disruption of Our Service (DoS)\",\"details\":\"Reports involving activities that could lead to the disruption of our service, including Denial of Service (DoS) attacks.\"}","{\"category\":\"Crash Dumps or Other Automated Tool Output\",\"details\":\"Reports that consist solely of crash dumps or output from automated tools without accompanying proof of concept code.\"}","{\"category\":\"Open Ports Scanning and Information Disclosure\",\"details\":\"Reports involving open ports scanning, banner grabbing, and software version disclosure issues will be excluded from the scope.\"}","{\"category\":\"MITM and Mixed Content Issues\",\"details\":\"Reports involving Man-In-The-Middle (MITM) attacks on secure connections and mixed content issues with no significant impact will be excluded from the scope.\"}","{\"category\":\"Vulnerabilities Requiring Elevated Permissions\",\"details\":\"Reports involving vulnerabilities that necessitate root-level permissions or physical access to the targeted 
device.\"}","{\"category\":\"Outdated User Agents and Unsupported Platforms\",\"details\":\"Reports concerning issues that only affect outdated user agents or unsupported platforms.\"}","{\"category\":\"Issues Related to the Missing Address Bar in Grammarly’s Desktop App\",\"details\":\"Reports concerning the missing address bar in Grammarly’s desktop app.\"}","{\"category\":\"Third-Party SaaS\",\"details\":\"Reports that identify issues within external SaaS platforms we subscribe to or use are out of scope. Since these services are managed by independent vendors, we cannot validate or triage vulnerabilities that do not affect assets directly controlled by us.\"}","{\"category\":\"Third-Party Built Packs/Agents\",\"details\":\"Our platform allows third-party developers to build custom packs and agents. Any security issues that arise within the code or logic of these third-party extensions fall outside this program’s scope. Only packs/agents explicitly developed and owned by us are eligible for triage and rewards.\"}"],"timestamp":"2026-03-12T16:03:26.078Z"},{"id":3767375,"new_policy":"# 🛡️ Superhuman (formerly Grammarly) Bug Bounty Program\n\nWelcome, Hackers 👋  \n\nWe’ve merged the **Grammarly** and **Coda** programs into a single unified program — **Superhuman (formerly Grammarly)**.  \nWe’re excited to continue working with the security community to help keep our users, data, and systems secure.  \n\n---\n\n## 🌍 Our Story\n\nSuperhuman builds powerful, collaborative tools that bring words, data, and teams together — from the next generation of document creation (formerly Coda) to AI-enhanced writing and productivity tools (formerly Grammarly).  \n\nSecurity and privacy remain at the core of everything we build. 
We look forward to collaborating with researchers worldwide to identify and resolve vulnerabilities responsibly.\n\n---\n\n## 🧭 Program Scope\n\n### In Scope\n- `*.grammarly.com`\n- `*.coda.io`\n- `*.superhuman.com` (excluding Superhuman Mail — see below)\n- Browser extensions for Chrome, Safari, Firefox, and Edge  \n- Desktop applications for macOS and Windows  \n- Mobile apps and keyboards for Android and iOS  \n\n\u003e 💡 **Note:** Vulnerabilities in the **Superhuman Mail** product are out of scope. We are working on logistics to create a new program for this.\n\n---\n\n## ⏱️ Response Targets\n\n| Stage | Target Timeframe |\n|--------|------------------|\n| Time to first response | 2 business days |\n| Time to triage | 4 business days |\n| Time to bounty (after triage) | 7 business days |\n\nWe’ll keep you updated throughout the process.\n\n---\n\n## 🧩 Rules for Researchers\n\n- Be an **ethical hacker** and follow HackerOne’s [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).  \n- Respect privacy — **only interact with test accounts** that you own.  \n- Do **not** test or exploit bugs on real customer accounts. Doing so may reduce bounty awards by up to **50%**.  \n- **No DoS, spam, or abuse of customer support channels** to gain attention.  \n- Do **not** use leaked customer credentials.  \n- We **will** pay bounties for working *employee credential leaks* when properly demonstrated.  \n- If you encounter user data inadvertently, stop testing immediately, report it, and purge all local data.  \n- Submit one vulnerability per report (unless chaining is needed for impact).  \n- Only the **first valid report** of a vulnerability will be rewarded.  \n- Multiple issues stemming from the same root cause may be combined into one bounty.  \n- Social engineering (phishing, vishing, smishing, etc.) is strictly prohibited.  \n-  Do **not** contact us through customer support channels or email. 
Any attempts to establish out-of-band communication will result in the report being closed as N/A and reported to HackerOne.\n\n---\n\n## 🧪 Test Accounts\n\nCreate your own test accounts to explore and validate findings.\n\n- For **Coda testing**:\n  - Create a free account at [https://coda.io/welcome](https://coda.io/welcome).\n  - Use a **Google** or **email+password** sign-up.\n  - Append `hackeronetester` to your email (e.g., `codahackeronetester@gmail.com`) if you’re not using a `@wearehackerone.com` domain.\n  - Do not create more than **5 test accounts**.\n  - Use only the free plan — do not use fake payment data.\n\n- For **Grammarly/Superhuman testing**:\n  - Use `@wearehackerone.com` to sign up.\n  - Append `hackeronetester` to your email (e.g., `grammarlyhackeronetester@gmail.com`) if you’re not using a `@wearehackerone.com` domain.\n\n\n ~~Need a specific subscription level? Contact us, and we’ll provide access as needed.~~\nWe are currently **not providing** free upgrades for testing. We will post an update when we plan to resume; please do not create support tickets requesting a subscription or asking related questions about bug bounties.\n\n---\n\n## 🚫 Out of Scope\n\nWhen reporting, please consider exploitability and impact. 
The following are **out of scope** or **non-qualifying**:\n\n### Technical Exclusions\n- Apparent SSRF of `/api/oembedResolve` (uses Iframely)\n- Clickjacking on non-sensitive pages\n- Unauthenticated / logout / login CSRF\n- MITM or physical access–dependent attacks\n- Known vulnerable libraries without working PoC\n- CSV injection without clear exploit\n- Missing SSL/TLS, DNS, CSP, or header “best practices”\n- Content spoofing or text injection without HTML/CSS modification\n- DoS or service disruption attempts\n- Overly large payloads in docs\n- “Best practice” or theoretical issues\n\n### Business Logic \u0026 Policy Exclusions\n- Credential reuse from public dumps\n- Username/account enumeration\n- Promo/invite code or referral abuse\n- Account sharing or subscription misuse\n- Institutional or educational access code issues\n- Email verification or password complexity complaints\n\n---\n\n## 💰 Rewards\n\nWe reward based on the **impact and severity** of the vulnerability.  \nFinal bounty amounts are at the discretion of the Superhuman Security Team.  \n\nBounty tiers for different products:\n- Grammarly - Up to $30k\n- Superhuman - Up to $13k (excludes Superhuman Mail)\n- Coda - Up to $3k\n\nDuplicate reports (including known internal issues) will not be rewarded.  \nMultiple vulnerabilities from a single root cause may be combined into one payout.\n\n\u003e ⚑ **CTF Challenge**  \n\u003e The first hacker who reports the `$FLAG` saved in document ID `1198436185` under user `h1_ctf@grammarly.com` (user_id `1411519194`) will earn a **$100,000 bounty**.  \n\u003e If it’s in scope, the challenge remains active — no need to ask for confirmation.\n\n---\n# Legal \n\n## 🛡️ Safe Harbor\n\nWe comply with **HackerOne’s Gold Standard Safe Harbor**.  \nActivities conducted in accordance with this policy will be considered authorized and exempt from legal action.  
\n\n[Learn more → Safe Harbor FAQ](https://docs.hackerone.com/en/articles/8494502-safe-harbor-faq)\n\n\n## Ineligible Participants\n\nFormer employees and contractors of Superhuman are ineligible for bug-bounty payments for 6 months after their employment ends.\n\n---\n\n## ✉️ Questions or Access Requests\n\nNeed additional test environments or subscriptions?  \nReach us directly via your HackerOne submission or contact **security@superhuman.com**.\n\n---\n\nThank you for helping keep **Superhuman**, our users, and the broader community safe.  \nWe deeply appreciate your skill, curiosity, and professionalism — together, we’re building something truly secure 🚀\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"**Welcome to Superhuman’s Bug Bounty Program! 🚀**  \n\nAt **Superhuman (formerly Grammarly + Coda)**, security and privacy are at the heart of everything we build. We’re committed to protecting our users and ensuring the integrity of our platform as we bring words, data, and teams together in powerful new ways.  \n\nCollaboration with the security research community is essential to that mission — your expertise helps us create safer, smarter, and more resilient products.  \n\nWe’re thrilled to partner with you and truly value your insights. 🐞🔍","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Social Engineering of Grammarly Employees and Users\",\"details\":\"Social engineering (e.g., phishing, vishing, smishing) of Grammarly employees and users is strictly prohibited.\"}","{\"category\":\"Publicly Known Vulnerable Libraries Without a Working Proof of Concept\",\"details\":\"Reports concerning vulnerabilities in publicly known libraries will only be considered if accompanied by a working Proof of Concept (PoC). 
Without a PoC, such reports will be excluded from the scope.\"}","{\"category\":\"Stack Traces, Path Disclosure, and Directory Listings\",\"details\":\"Reports related to stack traces, path disclosures, and directory listings will be excluded from the scope unless they directly demonstrate a significant security impact.\"}","{\"category\":\"Self-XSS or User-Pasted JavaScript into the Browser Console\",\"details\":\"Reports involving Self-XSS or scenarios where users need to paste JavaScript into the browser console will be excluded from the scope.\"}","{\"category\":\"Vulnerabilities in outdated versions of Grammarly software\",\"details\":\"Reports involving vulnerabilities found in outdated versions of Grammarly software will be excluded from the scope.\"}","{\"category\":\"Issues Relating to Non-Grammarly Products\",\"details\":\"Reports about problems found in non-Grammarly products, such as third-party integrations.\"}","{\"category\":\"Any Activity That Could Lead to the Disruption of Our Service (DoS)\",\"details\":\"Reports involving activities that could lead to the disruption of our service, including Denial of Service (DoS) attacks.\"}","{\"category\":\"Crash Dumps or Other Automated Tool Output\",\"details\":\"Reports that consist solely of crash dumps or output from automated tools without accompanying proof of concept code.\"}","{\"category\":\"Open Ports Scanning and Information Disclosure\",\"details\":\"Reports involving open ports scanning, banner grabbing, and software version disclosure issues will be excluded from the scope.\"}","{\"category\":\"MITM and Mixed Content Issues\",\"details\":\"Reports involving Man-In-The-Middle (MITM) attacks on secure connections and mixed content issues with no significant impact will be excluded from the scope.\"}","{\"category\":\"Vulnerabilities Requiring Elevated Permissions\",\"details\":\"Reports involving vulnerabilities that necessitate root-level permissions or physical access to the targeted 
device.\"}","{\"category\":\"Outdated User Agents and Unsupported Platforms\",\"details\":\"Reports concerning issues that only affect outdated user agents or unsupported platforms.\"}","{\"category\":\"Issues Related to the Missing Address Bar in Grammarly’s Desktop App\",\"details\":\"Reports concerning the missing address bar in Grammarly’s desktop app.\"}","{\"category\":\"Third-Party SaaS\",\"details\":\"Reports that identify issues within external SaaS platforms we subscribe to or use are out of scope. Since these services are managed by independent vendors, we cannot validate or triage vulnerabilities that do not affect assets directly controlled by us.\"}","{\"category\":\"Third-Party Built Packs/Agents\",\"details\":\"Our platform allows third-party developers to build custom packs and agents. Any security issues that arise within the code or logic of these third-party extensions fall outside this program’s scope. Only packs/agents explicitly developed and owned by us are eligible for triage and rewards.\"}"],"timestamp":"2025-12-15T11:56:17.790Z"},{"id":3767374,"new_policy":"# 🛡️ Superhuman (formerly Grammarly) Bug Bounty Program\n\nWelcome, Hackers 👋  \n\nWe’ve merged the **Grammarly** and **Coda** programs into a single unified program — **Superhuman (formerly Grammarly)**.  \nWe’re excited to continue working with the security community to help keep our users, data, and systems secure.  \n\n---\n\n## 🌍 Our Story\n\nSuperhuman builds powerful, collaborative tools that bring words, data, and teams together — from the next generation of document creation (formerly Coda) to AI-enhanced writing and productivity tools (formerly Grammarly).  \n\nSecurity and privacy remain at the core of everything we build. 
We look forward to collaborating with researchers worldwide to identify and resolve vulnerabilities responsibly.\n\n---\n\n## 🧭 Program Scope\n\n### In Scope\n- `*.grammarly.com`\n- `*.coda.io`\n- `*.superhuman.com` (excluding Superhuman Mail — see below)\n- Browser extensions for Chrome, Safari, Firefox, and Edge  \n- Desktop applications for macOS and Windows  \n- Mobile apps and keyboards for Android and iOS  \n\n\u003e 💡 **Note:** Vulnerabilities in the **Superhuman Mail** product should be reported via **VDP only** at [security@superhuman.com](mailto:security@superhuman.com).\n\n---\n\n## ⏱️ Response Targets\n\n| Stage | Target Timeframe |\n|--------|------------------|\n| Time to first response | 2 business days |\n| Time to triage | 4 business days |\n| Time to bounty (after triage) | 7 business days |\n\nWe’ll keep you updated throughout the process.\n\n---\n\n## 🧩 Rules for Researchers\n\n- Be an **ethical hacker** and follow HackerOne’s [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).  \n- Respect privacy — **only interact with test accounts** that you own.  \n- Do **not** test or exploit bugs on real customer accounts. Doing so may reduce bounty awards by up to **50%**.  \n- **No DoS, spam, or abuse of customer support channels** to gain attention.  \n- Do **not** use leaked customer credentials.  \n- We **will** pay bounties for working *employee credential leaks* when properly demonstrated.  \n- If you encounter user data inadvertently, stop testing immediately, report it, and purge all local data.  \n- Submit one vulnerability per report (unless chaining is needed for impact).  \n- Only the **first valid report** of a vulnerability will be rewarded.  \n- Multiple issues stemming from the same root cause may be combined into one bounty.  \n- Social engineering (phishing, vishing, smishing, etc.) is strictly prohibited.  \n-  Do **not** contact us through customer support channels or email. 
Any attempts to establish out-of-band communication will result in the report being closed as N/A and reported to HackerOne.\n\n---\n\n## 🧪 Test Accounts\n\nCreate your own test accounts to explore and validate findings.\n\n- For **Coda testing**:\n  - Create a free account at [https://coda.io/welcome](https://coda.io/welcome).\n  - Use a **Google** or **email+password** sign-up.\n  - Append `hackeronetester` to your email (e.g., `codahackeronetester@gmail.com`) if you’re not using a `@wearehackerone.com` domain.\n  - Do not create more than **5 test accounts**.\n  - Use only the free plan — do not use fake payment data.\n\n- For **Grammarly/Superhuman testing**:\n  - Use `@wearehackerone.com` to sign up.\n  - Append `hackeronetester` to your email (e.g., `grammarlyhackeronetester@gmail.com`) if you’re not using a `@wearehackerone.com` domain.\n\n\n ~~Need a specific subscription level? Contact us, and we’ll provide access as needed.~~\nWe are currently **not providing** free upgrades for testing. We will post an update when we plan to resume; please do not create support tickets requesting a subscription or asking related questions about bug bounties.\n\n---\n\n## 🚫 Out of Scope\n\nWhen reporting, please consider exploitability and impact. 
The following are **out of scope** or **non-qualifying**:\n\n### Technical Exclusions\n- Apparent SSRF of `/api/oembedResolve` (uses Iframely)\n- Clickjacking on non-sensitive pages\n- Unauthenticated / logout / login CSRF\n- MITM or physical access–dependent attacks\n- Known vulnerable libraries without working PoC\n- CSV injection without clear exploit\n- Missing SSL/TLS, DNS, CSP, or header “best practices”\n- Content spoofing or text injection without HTML/CSS modification\n- DoS or service disruption attempts\n- Overly large payloads in docs\n- “Best practice” or theoretical issues\n\n### Business Logic \u0026 Policy Exclusions\n- Credential reuse from public dumps\n- Username/account enumeration\n- Promo/invite code or referral abuse\n- Account sharing or subscription misuse\n- Institutional or educational access code issues\n- Email verification or password complexity complaints\n\n---\n\n## 💰 Rewards\n\nWe reward based on the **impact and severity** of the vulnerability.  \nFinal bounty amounts are at the discretion of the Superhuman Security Team.  \n\nBounty tiers for different products:\n- Grammarly - Up to $30k\n- Superhuman - Up to $13k (excludes Superhuman Mail)\n- Coda - Up to $3k\n\nDuplicate reports (including known internal issues) will not be rewarded.  \nMultiple vulnerabilities from a single root cause may be combined into one payout.\n\n\u003e ⚑ **CTF Challenge**  \n\u003e The first hacker who reports the `$FLAG` saved in document ID `1198436185` under user `h1_ctf@grammarly.com` (user_id `1411519194`) will earn a **$100,000 bounty**.  \n\u003e If it’s in scope, the challenge remains active — no need to ask for confirmation.\n\n---\n# Legal \n\n## 🛡️ Safe Harbor\n\nWe comply with **HackerOne’s Gold Standard Safe Harbor**.  \nActivities conducted in accordance with this policy will be considered authorized and exempt from legal action.  
\n\n[Learn more → Safe Harbor FAQ](https://docs.hackerone.com/en/articles/8494502-safe-harbor-faq)\n\n\n## Ineligible Participants\n\nFormer employees and contractors of Superhuman are ineligible for bug-bounty payments for 6 months after their employment ends.\n\n---\n\n## ✉️ Questions or Access Requests\n\nNeed additional test environments or subscriptions?  \nReach us directly via your HackerOne submission or contact **security@superhuman.com**.\n\n---\n\nThank you for helping keep **Superhuman**, our users, and the broader community safe.  \nWe deeply appreciate your skill, curiosity, and professionalism — together, we’re building something truly secure 🚀\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"**Welcome to Superhuman’s Bug Bounty Program! 🚀**  \n\nAt **Superhuman (formerly Grammarly + Coda)**, security and privacy are at the heart of everything we build. We’re committed to protecting our users and ensuring the integrity of our platform as we bring words, data, and teams together in powerful new ways.  \n\nCollaboration with the security research community is essential to that mission — your expertise helps us create safer, smarter, and more resilient products.  \n\nWe’re thrilled to partner with you and truly value your insights. 🐞🔍","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Social Engineering of Grammarly Employees and Users\",\"details\":\"Social engineering (e.g., phishing, vishing, smishing) of Grammarly employees and users is strictly prohibited.\"}","{\"category\":\"Publicly Known Vulnerable Libraries Without a Working Proof of Concept\",\"details\":\"Reports concerning vulnerabilities in publicly known libraries will only be considered if accompanied by a working Proof of Concept (PoC). 
Without a PoC, such reports will be excluded from the scope.\"}","{\"category\":\"Stack Traces, Path Disclosure, and Directory Listings\",\"details\":\"Reports related to stack traces, path disclosures, and directory listings will be excluded from the scope unless they directly demonstrate a significant security impact.\"}","{\"category\":\"Self-XSS or User-Pasted JavaScript into the Browser Console\",\"details\":\"Reports involving Self-XSS or scenarios where users need to paste JavaScript into the browser console will be excluded from the scope.\"}","{\"category\":\"Vulnerabilities in outdated versions of Grammarly software\",\"details\":\"Reports involving vulnerabilities found in outdated versions of Grammarly software will be excluded from the scope.\"}","{\"category\":\"Issues Relating to Non-Grammarly Products\",\"details\":\"Reports about problems found in non-Grammarly products, such as third-party integrations.\"}","{\"category\":\"Any Activity That Could Lead to the Disruption of Our Service (DoS)\",\"details\":\"Reports involving activities that could lead to the disruption of our service, including Denial of Service (DoS) attacks.\"}","{\"category\":\"Crash Dumps or Other Automated Tool Output\",\"details\":\"Reports that consist solely of crash dumps or output from automated tools without accompanying proof of concept code.\"}","{\"category\":\"Open Ports Scanning and Information Disclosure\",\"details\":\"Reports involving open ports scanning, banner grabbing, and software version disclosure issues will be excluded from the scope.\"}","{\"category\":\"MITM and Mixed Content Issues\",\"details\":\"Reports involving Man-In-The-Middle (MITM) attacks on secure connections and mixed content issues with no significant impact will be excluded from the scope.\"}","{\"category\":\"Vulnerabilities Requiring Elevated Permissions\",\"details\":\"Reports involving vulnerabilities that necessitate root-level permissions or physical access to the targeted 
device.\"}","{\"category\":\"Outdated User Agents and Unsupported Platforms\",\"details\":\"Reports concerning issues that only affect outdated user agents or unsupported platforms.\"}","{\"category\":\"Issues Related to the Missing Address Bar in Grammarly’s Desktop App\",\"details\":\"Reports concerning the missing address bar in Grammarly’s desktop app.\"}","{\"category\":\"Third-Party SaaS\",\"details\":\"Reports that identify issues within external SaaS platforms we subscribe to or use are out of scope. Since these services are managed by independent vendors, we cannot validate or triage vulnerabilities that do not affect assets directly controlled by us.\"}","{\"category\":\"Third-Party Built Packs/Agents\",\"details\":\"Our platform allows third-party developers to build custom packs and agents. Any security issues that arise within the code or logic of these third-party extensions fall outside this program’s scope. Only packs/agents explicitly developed and owned by us are eligible for triage and rewards.\"}"],"timestamp":"2025-12-15T11:37:40.747Z"},{"id":3767373,"new_policy":"# 🛡️ Superhuman (formerly Grammarly) Bug Bounty Program\n\nWelcome, Hackers 👋  \n\nWe’ve merged the **Grammarly** and **Coda** programs into a single unified program — **Superhuman (formerly Grammarly)**.  \nWe’re excited to continue working with the security community to help keep our users, data, and systems secure.  \n\n---\n\n## 🌍 Our Story\n\nSuperhuman builds powerful, collaborative tools that bring words, data, and teams together — from the next generation of document creation (formerly Coda) to AI-enhanced writing and productivity tools (formerly Grammarly).  \n\nSecurity and privacy remain at the core of everything we build. 
We look forward to collaborating with researchers worldwide to identify and resolve vulnerabilities responsibly.\n\n---\n\n## 🧭 Program Scope\n\n### In Scope\n- `*.grammarly.com`\n- `*.coda.io`\n- `*.superhuman.com` (excluding Superhuman Mail — see below)\n- Browser extensions for Chrome, Safari, Firefox, and Edge  \n- Desktop applications for macOS and Windows  \n- Mobile apps and keyboards for Android and iOS  \n\n\u003e 💡 **Note:** Vulnerabilities in the **Superhuman Mail** product should be reported via **VDP only** at [security@superhuman.com](mailto:security@superhuman.com).\n\n---\n\n## ⏱️ Response Targets\n\n| Stage | Target Timeframe |\n|--------|------------------|\n| Time to first response | 2 business days |\n| Time to triage | 4 business days |\n| Time to bounty (after triage) | 7 business days |\n\nWe’ll keep you updated throughout the process.\n\n---\n\n## 🧩 Rules for Researchers\n\n- Be an **ethical hacker** and follow HackerOne’s [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).  \n- Respect privacy — **only interact with test accounts** that you own.  \n- Do **not** test or exploit bugs on real customer accounts. Doing so may reduce bounty awards by up to **50%**.  \n- **No DoS, spam, or abuse of customer support channels** to gain attention.  \n- Do **not** use leaked customer credentials.  \n- We **will** pay bounties for working *employee credential leaks* when properly demonstrated.  \n- If you encounter user data inadvertently, stop testing immediately, report it, and purge all local data.  \n- Submit one vulnerability per report (unless chaining is needed for impact).  \n- Only the **first valid report** of a vulnerability will be rewarded.  \n- Multiple issues stemming from the same root cause may be combined into one bounty.  \n- Social engineering (phishing, vishing, smishing, etc.) is strictly prohibited.  \n-  Do **not** contact us through customer support channels or email. 
Any attempts to establish out-of-band communication will result in the report being closed as N/A and report to HackerOne.\n\n---\n\n## 🧪 Test Accounts\n\nCreate your own test accounts to explore and validate findings.\n\n- For **Coda testing**:\n  - Create a free account at [https://coda.io/welcome](https://coda.io/welcome).\n  - Use a **Google** or **email+password** sign-up.\n  - Append `hackeronetester` to your email (e.g., `codahackeronetester@gmail.com`) if you’re not using a `@wearehackerone.com` domain.\n  - Do not create more than **5 test accounts**.\n  - Use only the free plan — do not use fake payment data.\n\n- For **Grammarly/Superhuman testing**:\n  - Use `@wearehackerone.com` to sign up.\n  - Append `hackeronetester` to your email (e.g., `grammarlyhackeronetester@gmail.com`) if you’re not using a `@wearehackerone.com` domain.\n\n\n ~~Need a specific subscription level? Contact us, and we’ll provide access as needed.~~\nWe are currently **not providing** free upgrades for testing. We will update when we plan to resume; please do not create support tickets requesting a subscription or related questions about bug bounties.\n\n---\n\n## 🚫 Out of Scope\n\nWhen reporting, please consider exploitability and impact. 
The following are **out of scope** or **non-qualifying**:\n\n### Technical Exclusions\n- Apparent SSRF of `/api/oembedResolve` (uses Iframely)\n- Clickjacking on non-sensitive pages\n- Unauthenticated / logout / login CSRF\n- MITM or physical access–dependent attacks\n- Known vulnerable libraries without working PoC\n- CSV injection without clear exploit\n- Missing SSL/TLS, DNS, CSP, or header “best practices”\n- Content spoofing or text injection without HTML/CSS modification\n- DoS or service disruption attempts\n- Overly large payloads in docs\n- “Best practice” or theoretical issues\n\n### Business Logic \u0026 Policy Exclusions\n- Credential reuse from public dumps\n- Username/account enumeration\n- Promo/invite code or referral abuse\n- Account sharing or subscription misuse\n- Institutional or educational access code issues\n- Email verification or password complexity complaints\n\n---\n\n## 💰 Rewards\n\nWe reward based on the **impact and severity** of the vulnerability.  \nFinal bounty amounts are at the discretion of the Superhuman Security Team.  \n\nBounty tiers for different products:\n- Grammarly - Upto $30k\n- Superhuman - Upto $13k (Excludes Superhuman Mail)\n- Coda - Upto $3k\n\nDuplicate reports (including known internal issues) will not be rewarded.  \nMultiple vulnerabilities from a single root cause may be combined into one payout.\n\n\u003e ⚑ **CTF Challenge**  \n\u003e The first hacker who reports the `$FLAG` saved in document ID `1198436185` under user `h1_ctf@grammarly.com` (user_id `1411519194`) will earn a **$100,000 bounty**.  \n\u003e If it’s in scope, the challenge remains active — no need to ask for confirmation.\n\n---\n# Legal \n\n## 🛡️ Safe Harbor\n\nWe comply with **HackerOne’s Golden Safe Harbor Standard**.  \nActivities conducted in accordance with this policy will be considered authorized and exempt from legal action.  
\n\n[Learn more → Safe Harbor FAQ](https://docs.hackerone.com/en/articles/8494502-safe-harbor-faq)\n\n## Ineligible Participants\n\nFormer employees and contractors of Superhuman are ineligible for bug-bounty payments for 6 months after their employment ends.\n---\n\n## ✉️ Questions or Access Requests\n\nNeed additional test environments or subscriptions?  \nReach us directly via your HackerOne submission or contact **security@superhuman.com**.\n\n---\n\nThank you for helping keep **Superhuman**, our users, and the broader community safe.  \nWe deeply appreciate your skill, curiosity, and professionalism — together, we’re building something truly secure 🚀\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"**Welcome to Superhuman’s Bug Bounty Program! 🚀**  \n\nAt **Superhuman (formerly Grammarly + Coda)**, security and privacy are at the heart of everything we build. We’re committed to protecting our users and ensuring the integrity of our platform as we bring words, data, and teams together in powerful new ways.  \n\nCollaboration with the security research community is essential to that mission — your expertise helps us create safer, smarter, and more resilient products.  \n\nWe’re thrilled to partner with you and truly value your insights. 🐞🔍","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Social Engineering of Grammarly Employees and Users\",\"details\":\"Social engineering (e.g., phishing, vishing, smishing) of Grammarly employees and users is strictly prohibited.\"}","{\"category\":\"Publicly Known Vulnerable Libraries Without a Working Proof of Concept\",\"details\":\"Reports concerning vulnerabilities in publicly known libraries will only be considered if accompanied by a working Proof of Concept (PoC). 
Without a PoC, such reports will be excluded from the scope.\"}","{\"category\":\"Stack Traces, Path Disclosure, and Directory Listings\",\"details\":\"Reports related to stack traces, path disclosures, and directory listings will be excluded from the scope unless they directly demonstrate a significant security impact.\"}","{\"category\":\"Self-XSS or User-Pasted JavaScript into the Browser Console\",\"details\":\"Reports involving Self-XSS or scenarios where users need to paste JavaScript into the browser console will be excluded from the scope.\"}","{\"category\":\"Vulnerabilities in outdated versions of Grammarly software\",\"details\":\"Reports involving vulnerabilities found in outdated versions of Grammarly software will be excluded from the scope.\"}","{\"category\":\"Issues Relating to Non-Grammarly Products\",\"details\":\"Reports about problems found in non-Grammarly products, such as third-party integrations.\"}","{\"category\":\"Any Activity That Could Lead to the Disruption of Our Service (DoS)\",\"details\":\"Reports involving activities that could lead to the disruption of our service, including Denial of Service (DoS) attacks.\"}","{\"category\":\"Crash Dumps or Other Automated Tool Output\",\"details\":\"Reports that consist solely of crash dumps or output from automated tools without accompanying proof of concept code.\"}","{\"category\":\"Open Ports Scanning and Information Disclosure\",\"details\":\"Reports involving open ports scanning, banner grabbing, and software version disclosure issues will be excluded from the scope.\"}","{\"category\":\"MITM and Mixed Content Issues\",\"details\":\"Reports involving Man-In-The-Middle (MITM) attacks on secure connections and mixed content issues with no significant impact will be excluded from the scope.\"}","{\"category\":\"Vulnerabilities Requiring Elevated Permissions\",\"details\":\"Reports involving vulnerabilities that necessitate root-level permissions or physical access to the targeted 
device.\"}","{\"category\":\"Outdated User Agents and Unsupported Platforms\",\"details\":\"Reports concerning issues that only affect outdated user agents or unsupported platforms.\"}","{\"category\":\"Issues Related to the Missing Address Bar in Grammarly’s Desktop App\",\"details\":\"Reports concerning the missing address bar in Grammarly’s desktop app.\"}","{\"category\":\"Third-Party SaaS\",\"details\":\"Reports that identify issues within external SaaS platforms we subscribe to or use are out of scope. Since these services are managed by independent vendors, we cannot validate or triage vulnerabilities that do not affect assets directly controlled by us.\"}","{\"category\":\"Third-Party Built Packs/Agents\",\"details\":\"Our platform allows third-party developers to build custom packs and agents. Any security issues that arise within the code or logic of these third-party extensions fall outside this program’s scope. Only packs/agents explicitly developed and owned by us are eligible for triage and rewards.\"}"],"timestamp":"2025-12-15T11:36:45.719Z"},{"id":3767372,"new_policy":"# 🛡️ Superhuman (formerly Grammarly) Bug Bounty Program\n\nWelcome, Hackers 👋  \n\nWe’ve merged the **Grammarly** and **Coda** programs into a single unified program — **Superhuman (formerly Grammarly)**.  \nWe’re excited to continue working with the security community to help keep our users, data, and systems secure.  \n\n---\n\n## 🌍 Our Story\n\nSuperhuman builds powerful, collaborative tools that bring words, data, and teams together — from the next generation of document creation (formerly Coda) to AI-enhanced writing and productivity tools (formerly Grammarly).  \n\nSecurity and privacy remain at the core of everything we build. 
We look forward to collaborating with researchers worldwide to identify and resolve vulnerabilities responsibly.\n\n---\n\n## 🧭 Program Scope\n\n### In Scope\n- `*.grammarly.com`\n- `*.coda.io`\n- `*.superhuman.com` (excluding Superhuman Mail — see below)\n- Browser extensions for Chrome, Safari, Firefox, and Edge  \n- Desktop applications for macOS and Windows  \n- Mobile apps and keyboards for Android and iOS  \n\n\u003e 💡 **Note:** Vulnerabilities in the **Superhuman Mail** product should be reported via **VDP only** at [security@superhuman.com](mailto:security@superhuman.com).\n\n---\n\n## ⏱️ Response Targets\n\n| Stage | Target Timeframe |\n|--------|------------------|\n| Time to first response | 2 business days |\n| Time to triage | 4 business days |\n| Time to bounty (after triage) | 7 business days |\n\nWe’ll keep you updated throughout the process.\n\n---\n\n## 🧩 Rules for Researchers\n\n- Be an **ethical hacker** and follow HackerOne’s [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).  \n- Respect privacy — **only interact with test accounts** that you own.  \n- Do **not** test or exploit bugs on real customer accounts. Doing so may reduce bounty awards by up to **50%**.  \n- **No DoS, spam, or abuse of customer support channels** to gain attention.  \n- Do **not** use leaked customer credentials.  \n- We **will** pay bounties for working *employee credential leaks* when properly demonstrated.  \n- If you encounter user data inadvertently, stop testing immediately, report it, and purge all local data.  \n- Submit one vulnerability per report (unless chaining is needed for impact).  \n- Only the **first valid report** of a vulnerability will be rewarded.  \n- Multiple issues stemming from the same root cause may be combined into one bounty.  \n- Social engineering (phishing, vishing, smishing, etc.) is strictly prohibited.  \n-  Do **not** contact us through customer support channels or email. 
Any attempts to establish out-of-band communication will result in the report being closed as N/A and report to HackerOne.\n\n---\n\n## 🧪 Test Accounts\n\nCreate your own test accounts to explore and validate findings.\n\n- For **Coda testing**:\n  - Create a free account at [https://coda.io/welcome](https://coda.io/welcome).\n  - Use a **Google** or **email+password** sign-up.\n  - Append `hackeronetester` to your email (e.g., `codahackeronetester@gmail.com`) if you’re not using a `@wearehackerone.com` domain.\n  - Do not create more than **5 test accounts**.\n  - Use only the free plan — do not use fake payment data.\n\n- For **Grammarly/Superhuman testing**:\n  - Use `@wearehackerone.com` to sign up.\n  - Append `hackeronetester` to your email (e.g., `grammarlyhackeronetester@gmail.com`) if you’re not using a `@wearehackerone.com` domain.\n\n\n ~~Need a specific subscription level? Contact us, and we’ll provide access as needed.~~\nWe are currently **not providing** free upgrades for testing. We will update when we plan to resume; please do not create support tickets requesting a subscription or related questions about bug bounties.\n\n---\n\n## 🚫 Out of Scope\n\nWhen reporting, please consider exploitability and impact. 
The following are **out of scope** or **non-qualifying**:\n\n### Technical Exclusions\n- Apparent SSRF of `/api/oembedResolve` (uses Iframely)\n- Clickjacking on non-sensitive pages\n- Unauthenticated / logout / login CSRF\n- MITM or physical access–dependent attacks\n- Known vulnerable libraries without working PoC\n- CSV injection without clear exploit\n- Missing SSL/TLS, DNS, CSP, or header “best practices”\n- Content spoofing or text injection without HTML/CSS modification\n- DoS or service disruption attempts\n- Overly large payloads in docs\n- “Best practice” or theoretical issues\n\n### Business Logic \u0026 Policy Exclusions\n- Credential reuse from public dumps\n- Username/account enumeration\n- Promo/invite code or referral abuse\n- Account sharing or subscription misuse\n- Institutional or educational access code issues\n- Email verification or password complexity complaints\n\n---\n\n## 💰 Rewards\n\nWe reward based on the **impact and severity** of the vulnerability.  \nFinal bounty amounts are at the discretion of the Superhuman Security Team.  \n\nBounty tiers for different products:\n- Grammarly - Upto $30k\n- Superhuman - Upto $13k (Excludes Superhuman Mail)\n- Coda - Upto $3k\n\nDuplicate reports (including known internal issues) will not be rewarded.  \nMultiple vulnerabilities from a single root cause may be combined into one payout.\n\n\u003e ⚑ **CTF Challenge**  \n\u003e The first hacker who reports the `$FLAG` saved in document ID `1198436185` under user `h1_ctf@grammarly.com` (user_id `1411519194`) will earn a **$100,000 bounty**.  \n\u003e If it’s in scope, the challenge remains active — no need to ask for confirmation.\n\n---\n# Legal \n\n## 🛡️ Safe Harbor\n\nWe comply with **HackerOne’s Golden Safe Harbor Standard**.  \nActivities conducted in accordance with this policy will be considered authorized and exempt from legal action.  
\n\n[Learn more → Safe Harbor FAQ](https://docs.hackerone.com/en/articles/8494502-safe-harbor-faq)\n\n## Ineligible Participants\nFormer employees and contractors of Superhuman are ineligible for bug-bounty payments for 6 months after their employment ends.\n---\n\n## ✉️ Questions or Access Requests\n\nNeed additional test environments or subscriptions?  \nReach us directly via your HackerOne submission or contact **security@superhuman.com**.\n\n---\n\nThank you for helping keep **Superhuman**, our users, and the broader community safe.  \nWe deeply appreciate your skill, curiosity, and professionalism — together, we’re building something truly secure 🚀\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"**Welcome to Superhuman’s Bug Bounty Program! 🚀**  \n\nAt **Superhuman (formerly Grammarly + Coda)**, security and privacy are at the heart of everything we build. We’re committed to protecting our users and ensuring the integrity of our platform as we bring words, data, and teams together in powerful new ways.  \n\nCollaboration with the security research community is essential to that mission — your expertise helps us create safer, smarter, and more resilient products.  \n\nWe’re thrilled to partner with you and truly value your insights. 🐞🔍","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Social Engineering of Grammarly Employees and Users\",\"details\":\"Social engineering (e.g., phishing, vishing, smishing) of Grammarly employees and users is strictly prohibited.\"}","{\"category\":\"Publicly Known Vulnerable Libraries Without a Working Proof of Concept\",\"details\":\"Reports concerning vulnerabilities in publicly known libraries will only be considered if accompanied by a working Proof of Concept (PoC). 
Without a PoC, such reports will be excluded from the scope.\"}","{\"category\":\"Stack Traces, Path Disclosure, and Directory Listings\",\"details\":\"Reports related to stack traces, path disclosures, and directory listings will be excluded from the scope unless they directly demonstrate a significant security impact.\"}","{\"category\":\"Self-XSS or User-Pasted JavaScript into the Browser Console\",\"details\":\"Reports involving Self-XSS or scenarios where users need to paste JavaScript into the browser console will be excluded from the scope.\"}","{\"category\":\"Vulnerabilities in outdated versions of Grammarly software\",\"details\":\"Reports involving vulnerabilities found in outdated versions of Grammarly software will be excluded from the scope.\"}","{\"category\":\"Issues Relating to Non-Grammarly Products\",\"details\":\"Reports about problems found in non-Grammarly products, such as third-party integrations.\"}","{\"category\":\"Any Activity That Could Lead to the Disruption of Our Service (DoS)\",\"details\":\"Reports involving activities that could lead to the disruption of our service, including Denial of Service (DoS) attacks.\"}","{\"category\":\"Crash Dumps or Other Automated Tool Output\",\"details\":\"Reports that consist solely of crash dumps or output from automated tools without accompanying proof of concept code.\"}","{\"category\":\"Open Ports Scanning and Information Disclosure\",\"details\":\"Reports involving open ports scanning, banner grabbing, and software version disclosure issues will be excluded from the scope.\"}","{\"category\":\"MITM and Mixed Content Issues\",\"details\":\"Reports involving Man-In-The-Middle (MITM) attacks on secure connections and mixed content issues with no significant impact will be excluded from the scope.\"}","{\"category\":\"Vulnerabilities Requiring Elevated Permissions\",\"details\":\"Reports involving vulnerabilities that necessitate root-level permissions or physical access to the targeted 
device.\"}","{\"category\":\"Outdated User Agents and Unsupported Platforms\",\"details\":\"Reports concerning issues that only affect outdated user agents or unsupported platforms.\"}","{\"category\":\"Issues Related to the Missing Address Bar in Grammarly’s Desktop App\",\"details\":\"Reports concerning the missing address bar in Grammarly’s desktop app.\"}","{\"category\":\"Third-Party SaaS\",\"details\":\"Reports that identify issues within external SaaS platforms we subscribe to or use are out of scope. Since these services are managed by independent vendors, we cannot validate or triage vulnerabilities that do not affect assets directly controlled by us.\"}","{\"category\":\"Third-Party Built Packs/Agents\",\"details\":\"Our platform allows third-party developers to build custom packs and agents. Any security issues that arise within the code or logic of these third-party extensions fall outside this program’s scope. Only packs/agents explicitly developed and owned by us are eligible for triage and rewards.\"}"],"timestamp":"2025-12-15T11:36:21.486Z"},{"id":3767283,"new_policy":"# 🛡️ Superhuman (formerly Grammarly) Bug Bounty Program\n\nWelcome, Hackers 👋  \n\nWe’ve merged the **Grammarly** and **Coda** programs into a single unified program — **Superhuman (formerly Grammarly)**.  \nWe’re excited to continue working with the security community to help keep our users, data, and systems secure.  \n\n---\n\n## 🌍 Our Story\n\nSuperhuman builds powerful, collaborative tools that bring words, data, and teams together — from the next generation of document creation (formerly Coda) to AI-enhanced writing and productivity tools (formerly Grammarly).  \n\nSecurity and privacy remain at the core of everything we build. 
We look forward to collaborating with researchers worldwide to identify and resolve vulnerabilities responsibly.\n\n---\n\n## 🧭 Program Scope\n\n### In Scope\n- `*.grammarly.com`\n- `*.coda.io`\n- `*.superhuman.com` (excluding Superhuman Mail — see below)\n- Browser extensions for Chrome, Safari, Firefox, and Edge  \n- Desktop applications for macOS and Windows  \n- Mobile apps and keyboards for Android and iOS  \n\n\u003e 💡 **Note:** Vulnerabilities in the **Superhuman Mail** product should be reported via **VDP only** at [security@superhuman.com](mailto:security@superhuman.com).\n\n---\n\n## ⏱️ Response Targets\n\n| Stage | Target Timeframe |\n|--------|------------------|\n| Time to first response | 2 business days |\n| Time to triage | 4 business days |\n| Time to bounty (after triage) | 7 business days |\n\nWe’ll keep you updated throughout the process.\n\n---\n\n## 🧩 Rules for Researchers\n\n- Be an **ethical hacker** and follow HackerOne’s [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).  \n- Respect privacy — **only interact with test accounts** that you own.  \n- Do **not** test or exploit bugs on real customer accounts. Doing so may reduce bounty awards by up to **50%**.  \n- **No DoS, spam, or abuse of customer support channels** to gain attention.  \n- Do **not** use leaked customer credentials.  \n- We **will** pay bounties for working *employee credential leaks* when properly demonstrated.  \n- If you encounter user data inadvertently, stop testing immediately, report it, and purge all local data.  \n- Submit one vulnerability per report (unless chaining is needed for impact).  \n- Only the **first valid report** of a vulnerability will be rewarded.  \n- Multiple issues stemming from the same root cause may be combined into one bounty.  \n- Social engineering (phishing, vishing, smishing, etc.) is strictly prohibited.  \n-  Do **not** contact us through customer support channels or email. 
Any attempts to establish out-of-band communication will result in the report being closed as N/A and report to HackerOne.\n\n---\n\n## 🧪 Test Accounts\n\nCreate your own test accounts to explore and validate findings.\n\n- For **Coda testing**:\n  - Create a free account at [https://coda.io/welcome](https://coda.io/welcome).\n  - Use a **Google** or **email+password** sign-up.\n  - Append `hackeronetester` to your email (e.g., `codahackeronetester@gmail.com`) if you’re not using a `@wearehackerone.com` domain.\n  - Do not create more than **5 test accounts**.\n  - Use only the free plan — do not use fake payment data.\n\n- For **Grammarly/Superhuman testing**:\n  - Use `@wearehackerone.com` to sign up.\n  - Append `hackeronetester` to your email (e.g., `grammarlyhackeronetester@gmail.com`) if you’re not using a `@wearehackerone.com` domain.\n\n\n ~~Need a specific subscription level? Contact us, and we’ll provide access as needed.~~\nWe are currently **not providing** free upgrades for testing. We will update when we plan to resume; please do not create support tickets requesting a subscription or related questions about bug bounties.\n\n---\n\n## 🚫 Out of Scope\n\nWhen reporting, please consider exploitability and impact. 
The following are **out of scope** or **non-qualifying**:\n\n### Technical Exclusions\n- Apparent SSRF of `/api/oembedResolve` (uses Iframely)\n- Clickjacking on non-sensitive pages\n- Unauthenticated / logout / login CSRF\n- MITM or physical access–dependent attacks\n- Known vulnerable libraries without working PoC\n- CSV injection without clear exploit\n- Missing SSL/TLS, DNS, CSP, or header “best practices”\n- Content spoofing or text injection without HTML/CSS modification\n- DoS or service disruption attempts\n- Overly large payloads in docs\n- “Best practice” or theoretical issues\n\n### Business Logic \u0026 Policy Exclusions\n- Credential reuse from public dumps\n- Username/account enumeration\n- Promo/invite code or referral abuse\n- Account sharing or subscription misuse\n- Institutional or educational access code issues\n- Email verification or password complexity complaints\n\n---\n\n## 💰 Rewards\n\nWe reward based on the **impact and severity** of the vulnerability.  \nFinal bounty amounts are at the discretion of the Superhuman Security Team.  \n\nBounty tiers for different products:\n- Grammarly - Upto $30k\n- Superhuman - Upto $13k (Excludes Superhuman Mail)\n- Coda - Upto $3k\n\nDuplicate reports (including known internal issues) will not be rewarded.  \nMultiple vulnerabilities from a single root cause may be combined into one payout.\n\n\u003e ⚑ **CTF Challenge**  \n\u003e The first hacker who reports the `$FLAG` saved in document ID `1198436185` under user `h1_ctf@grammarly.com` (user_id `1411519194`) will earn a **$100,000 bounty**.  \n\u003e If it’s in scope, the challenge remains active — no need to ask for confirmation.\n\n---\n\n## 🛡️ Safe Harbor\n\nWe comply with **HackerOne’s Golden Safe Harbor Standard**.  \nActivities conducted in accordance with this policy will be considered authorized and exempt from legal action.  
\n\n[Learn more → Safe Harbor FAQ](https://docs.hackerone.com/en/articles/8494502-safe-harbor-faq)\n\n---\n\n## ✉️ Questions or Access Requests\n\nNeed additional test environments or subscriptions?  \nReach us directly via your HackerOne submission or contact **security@superhuman.com**.\n\n---\n\nThank you for helping keep **Superhuman**, our users, and the broader community safe.  \nWe deeply appreciate your skill, curiosity, and professionalism — together, we’re building something truly secure 🚀\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"**Welcome to Superhuman’s Bug Bounty Program! 🚀**  \n\nAt **Superhuman (formerly Grammarly + Coda)**, security and privacy are at the heart of everything we build. We’re committed to protecting our users and ensuring the integrity of our platform as we bring words, data, and teams together in powerful new ways.  \n\nCollaboration with the security research community is essential to that mission — your expertise helps us create safer, smarter, and more resilient products.  \n\nWe’re thrilled to partner with you and truly value your insights. 🐞🔍","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Social Engineering of Grammarly Employees and Users\",\"details\":\"Social engineering (e.g., phishing, vishing, smishing) of Grammarly employees and users is strictly prohibited.\"}","{\"category\":\"Publicly Known Vulnerable Libraries Without a Working Proof of Concept\",\"details\":\"Reports concerning vulnerabilities in publicly known libraries will only be considered if accompanied by a working Proof of Concept (PoC). 
Without a PoC, such reports will be excluded from the scope.\"}","{\"category\":\"Stack Traces, Path Disclosure, and Directory Listings\",\"details\":\"Reports related to stack traces, path disclosures, and directory listings will be excluded from the scope unless they directly demonstrate a significant security impact.\"}","{\"category\":\"Self-XSS or User-Pasted JavaScript into the Browser Console\",\"details\":\"Reports involving Self-XSS or scenarios where users need to paste JavaScript into the browser console will be excluded from the scope.\"}","{\"category\":\"Vulnerabilities in outdated versions of Grammarly software\",\"details\":\"Reports involving vulnerabilities found in outdated versions of Grammarly software will be excluded from the scope.\"}","{\"category\":\"Issues Relating to Non-Grammarly Products\",\"details\":\"Reports about problems found in non-Grammarly products, such as third-party integrations.\"}","{\"category\":\"Any Activity That Could Lead to the Disruption of Our Service (DoS)\",\"details\":\"Reports involving activities that could lead to the disruption of our service, including Denial of Service (DoS) attacks.\"}","{\"category\":\"Crash Dumps or Other Automated Tool Output\",\"details\":\"Reports that consist solely of crash dumps or output from automated tools without accompanying proof of concept code.\"}","{\"category\":\"Open Ports Scanning and Information Disclosure\",\"details\":\"Reports involving open ports scanning, banner grabbing, and software version disclosure issues will be excluded from the scope.\"}","{\"category\":\"MITM and Mixed Content Issues\",\"details\":\"Reports involving Man-In-The-Middle (MITM) attacks on secure connections and mixed content issues with no significant impact will be excluded from the scope.\"}","{\"category\":\"Vulnerabilities Requiring Elevated Permissions\",\"details\":\"Reports involving vulnerabilities that necessitate root-level permissions or physical access to the targeted 
device.\"}","{\"category\":\"Outdated User Agents and Unsupported Platforms\",\"details\":\"Reports concerning issues that only affect outdated user agents or unsupported platforms.\"}","{\"category\":\"Issues Related to the Missing Address Bar in Grammarly’s Desktop App\",\"details\":\"Reports concerning the missing address bar in Grammarly’s desktop app.\"}","{\"category\":\"Third-Party SaaS\",\"details\":\"Reports that identify issues within external SaaS platforms we subscribe to or use are out of scope. Since these services are managed by independent vendors, we cannot validate or triage vulnerabilities that do not affect assets directly controlled by us.\"}","{\"category\":\"Third-Party Built Packs/Agents\",\"details\":\"Our platform allows third-party developers to build custom packs and agents. Any security issues that arise within the code or logic of these third-party extensions fall outside this program’s scope. Only packs/agents explicitly developed and owned by us are eligible for triage and rewards.\"}"],"timestamp":"2025-12-11T12:54:15.737Z"},{"id":3766852,"new_policy":"# 🛡️ Superhuman (formerly Grammarly) Bug Bounty Program\n\nWelcome, Hackers 👋  \n\nWe’ve merged the **Grammarly** and **Coda** programs into a single unified program — **Superhuman (formerly Grammarly)**.  \nWe’re excited to continue working with the security community to help keep our users, data, and systems secure.  \n\n---\n\n## 🌍 Our Story\n\nSuperhuman builds powerful, collaborative tools that bring words, data, and teams together — from the next generation of document creation (formerly Coda) to AI-enhanced writing and productivity tools (formerly Grammarly).  \n\nSecurity and privacy remain at the core of everything we build. 
We look forward to collaborating with researchers worldwide to identify and resolve vulnerabilities responsibly.\n\n---\n\n## 🧭 Program Scope\n\n### In Scope\n- `*.grammarly.com`\n- `*.coda.io`\n- `*.superhuman.com` (excluding Superhuman Mail — see below)\n- Browser extensions for Chrome, Safari, Firefox, and Edge  \n- Desktop applications for macOS and Windows  \n- Mobile apps and keyboards for Android and iOS  \n\n\u003e 💡 **Note:** Vulnerabilities in the **Superhuman Mail** product should be reported via **VDP only** at [security@superhuman.com](mailto:security@superhuman.com).\n\n---\n\n## ⏱️ Response Targets\n\n| Stage | Target Timeframe |\n|--------|------------------|\n| Time to first response | 2 business days |\n| Time to triage | 4 business days |\n| Time to bounty (after triage) | 7 business days |\n\nWe’ll keep you updated throughout the process.\n\n---\n\n## 🧩 Rules for Researchers\n\n- Be an **ethical hacker** and follow HackerOne’s [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).  \n- Respect privacy — **only interact with test accounts** that you own.  \n- Do **not** test or exploit bugs on real customer accounts. Doing so may reduce bounty awards by up to **50%**.  \n- **No DoS, spam, or abuse of customer support channels** to gain attention.  \n- Do **not** use leaked customer credentials.  \n- We **will** pay bounties for working *employee credential leaks* when properly demonstrated.  \n- If you encounter user data inadvertently, stop testing immediately, report it, and purge all local data.  \n- Submit one vulnerability per report (unless chaining is needed for impact).  \n- Only the **first valid report** of a vulnerability will be rewarded.  \n- Multiple issues stemming from the same root cause may be combined into one bounty.  \n- Social engineering (phishing, vishing, smishing, etc.) is strictly prohibited.  
\n\n---\n\n## 🧪 Test Accounts\n\nCreate your own test accounts to explore and validate findings.\n\n- For **Coda testing**:\n  - Create a free account at [https://coda.io/welcome](https://coda.io/welcome).\n  - Use a **Google** or **email+password** sign-up.\n  - Append `hackeronetester` to your email (e.g., `codahackeronetester@gmail.com`) if you’re not using a `@wearehackerone.com` domain.\n  - Do not create more than **5 test accounts**.\n  - Use only the free plan — do not use fake payment data.\n\n- For **Grammarly/Superhuman testing**:\n  - Use `@wearehackerone.com` to sign up.\n  - Append `hackeronetester` to your email (e.g., `grammarlyhackeronetester@gmail.com`) if you’re not using a `@wearehackerone.com` domain.\n\n\n ~~Need a specific subscription level? Contact us, and we’ll provide access as needed.~~\nWe are currently **not providing** free upgrades for testing. We will update when we plan to resume; please do not create support tickets requesting a subscription or related questions about bug bounties.\n\n---\n\n## 🚫 Out of Scope\n\nWhen reporting, please consider exploitability and impact. 
The following are **out of scope** or **non-qualifying**:\n\n### Technical Exclusions\n- Apparent SSRF of `/api/oembedResolve` (uses Iframely)\n- Clickjacking on non-sensitive pages\n- Unauthenticated / logout / login CSRF\n- MITM or physical access–dependent attacks\n- Known vulnerable libraries without working PoC\n- CSV injection without clear exploit\n- Missing SSL/TLS, DNS, CSP, or header “best practices”\n- Content spoofing or text injection without HTML/CSS modification\n- DoS or service disruption attempts\n- Overly large payloads in docs\n- “Best practice” or theoretical issues\n\n### Business Logic \u0026 Policy Exclusions\n- Credential reuse from public dumps\n- Username/account enumeration\n- Promo/invite code or referral abuse\n- Account sharing or subscription misuse\n- Institutional or educational access code issues\n- Email verification or password complexity complaints\n\n---\n\n## 💰 Rewards\n\nWe reward based on the **impact and severity** of the vulnerability.  \nFinal bounty amounts are at the discretion of the Superhuman Security Team.  \n\nBounty tiers for different products:\n- Grammarly - Up to $30k\n- Superhuman - Up to $13k (Excludes Superhuman Mail)\n- Coda - Up to $3k\n\nDuplicate reports (including known internal issues) will not be rewarded.  \nMultiple vulnerabilities from a single root cause may be combined into one payout.\n\n\u003e ⚑ **CTF Challenge**  \n\u003e The first hacker who reports the `$FLAG` saved in document ID `1198436185` under user `h1_ctf@grammarly.com` (user_id `1411519194`) will earn a **$100,000 bounty**.  \n\u003e If it’s in scope, the challenge remains active — no need to ask for confirmation.\n\n---\n\n## 🛡️ Safe Harbor\n\nWe comply with **HackerOne’s Golden Safe Harbor Standard**.  \nActivities conducted in accordance with this policy will be considered authorized and exempt from legal action.  
\n\n[Learn more → Safe Harbor FAQ](https://docs.hackerone.com/en/articles/8494502-safe-harbor-faq)\n\n---\n\n## ✉️ Questions or Access Requests\n\nNeed additional test environments or subscriptions?  \nReach us directly via your HackerOne submission or contact **security@superhuman.com**.\n\n---\n\nThank you for helping keep **Superhuman**, our users, and the broader community safe.  \nWe deeply appreciate your skill, curiosity, and professionalism — together, we’re building something truly secure 🚀\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"**Welcome to Superhuman’s Bug Bounty Program! 🚀**  \n\nAt **Superhuman (formerly Grammarly + Coda)**, security and privacy are at the heart of everything we build. We’re committed to protecting our users and ensuring the integrity of our platform as we bring words, data, and teams together in powerful new ways.  \n\nCollaboration with the security research community is essential to that mission — your expertise helps us create safer, smarter, and more resilient products.  \n\nWe’re thrilled to partner with you and truly value your insights. 🐞🔍","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Social Engineering of Grammarly Employees and Users\",\"details\":\"Social engineering (e.g., phishing, vishing, smishing) of Grammarly employees and users is strictly prohibited.\"}","{\"category\":\"Publicly Known Vulnerable Libraries Without a Working Proof of Concept\",\"details\":\"Reports concerning vulnerabilities in publicly known libraries will only be considered if accompanied by a working Proof of Concept (PoC). 
Without a PoC, such reports will be excluded from the scope.\"}","{\"category\":\"Stack Traces, Path Disclosure, and Directory Listings\",\"details\":\"Reports related to stack traces, path disclosures, and directory listings will be excluded from the scope unless they directly demonstrate a significant security impact.\"}","{\"category\":\"Self-XSS or User-Pasted JavaScript into the Browser Console\",\"details\":\"Reports involving Self-XSS or scenarios where users need to paste JavaScript into the browser console will be excluded from the scope.\"}","{\"category\":\"Vulnerabilities in outdated versions of Grammarly software\",\"details\":\"Reports involving vulnerabilities found in outdated versions of Grammarly software will be excluded from the scope.\"}","{\"category\":\"Issues Relating to Non-Grammarly Products\",\"details\":\"Reports about problems found in non-Grammarly products, such as third-party integrations.\"}","{\"category\":\"Any Activity That Could Lead to the Disruption of Our Service (DoS)\",\"details\":\"Reports involving activities that could lead to the disruption of our service, including Denial of Service (DoS) attacks.\"}","{\"category\":\"Crash Dumps or Other Automated Tool Output\",\"details\":\"Reports that consist solely of crash dumps or output from automated tools without accompanying proof of concept code.\"}","{\"category\":\"Open Ports Scanning and Information Disclosure\",\"details\":\"Reports involving open ports scanning, banner grabbing, and software version disclosure issues will be excluded from the scope.\"}","{\"category\":\"MITM and Mixed Content Issues\",\"details\":\"Reports involving Man-In-The-Middle (MITM) attacks on secure connections and mixed content issues with no significant impact will be excluded from the scope.\"}","{\"category\":\"Vulnerabilities Requiring Elevated Permissions\",\"details\":\"Reports involving vulnerabilities that necessitate root-level permissions or physical access to the targeted 
device.\"}","{\"category\":\"Outdated User Agents and Unsupported Platforms\",\"details\":\"Reports concerning issues that only affect outdated user agents or unsupported platforms.\"}","{\"category\":\"Issues Related to the Missing Address Bar in Grammarly’s Desktop App\",\"details\":\"Reports concerning the missing address bar in Grammarly’s desktop app.\"}"],"timestamp":"2025-12-02T15:36:36.448Z"},{"id":3766545,"new_policy":"# 🛡️ Superhuman (formerly Grammarly) Bug Bounty Program\n\nWelcome, Hackers 👋  \n\nWe’ve merged the **Grammarly** and **Coda** programs into a single unified program — **Superhuman (formerly Grammarly)**.  \nWe’re excited to continue working with the security community to help keep our users, data, and systems secure.  \n\n---\n\n## 🌍 Our Story\n\nSuperhuman builds powerful, collaborative tools that bring words, data, and teams together — from the next generation of document creation (formerly Coda) to AI-enhanced writing and productivity tools (formerly Grammarly).  \n\nSecurity and privacy remain at the core of everything we build. 
We look forward to collaborating with researchers worldwide to identify and resolve vulnerabilities responsibly.\n\n---\n\n## 🧭 Program Scope\n\n### In Scope\n- `*.grammarly.com`\n- `*.coda.io`\n- `*.superhuman.com` (excluding Superhuman Mail — see below)\n- Browser extensions for Chrome, Safari, Firefox, and Edge  \n- Desktop applications for macOS and Windows  \n- Mobile apps and keyboards for Android and iOS  \n\n\u003e 💡 **Note:** Vulnerabilities in the **Superhuman Mail** product should be reported via **VDP only** at [security@superhuman.com](mailto:security@superhuman.com).\n\n---\n\n## ⏱️ Response Targets\n\n| Stage | Target Timeframe |\n|--------|------------------|\n| Time to first response | 2 business days |\n| Time to triage | 4 business days |\n| Time to bounty (after triage) | 7 business days |\n\nWe’ll keep you updated throughout the process.\n\n---\n\n## 🧩 Rules for Researchers\n\n- Be an **ethical hacker** and follow HackerOne’s [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).  \n- Respect privacy — **only interact with test accounts** that you own.  \n- Do **not** test or exploit bugs on real customer accounts. Doing so may reduce bounty awards by up to **50%**.  \n- **No DoS, spam, or abuse of customer support channels** to gain attention.  \n- Do **not** use leaked customer credentials.  \n- We **will** pay bounties for working *employee credential leaks* when properly demonstrated.  \n- If you encounter user data inadvertently, stop testing immediately, report it, and purge all local data.  \n- Submit one vulnerability per report (unless chaining is needed for impact).  \n- Only the **first valid report** of a vulnerability will be rewarded.  \n- Multiple issues stemming from the same root cause may be combined into one bounty.  \n- Social engineering (phishing, vishing, smishing, etc.) is strictly prohibited.  
\n\n---\n\n## 🧪 Test Accounts\n\nCreate your own test accounts to explore and validate findings.\n\n- For **Coda testing**:\n  - Create a free account at [https://coda.io/welcome](https://coda.io/welcome).\n  - Use a **Google** or **email+password** sign-up.\n  - Append `hackeronetester` to your email (e.g., `codahackeronetester@gmail.com`) if you’re not using a `@wearehackerone.com` domain.\n  - Do not create more than **5 test accounts**.\n  - Use only the free plan — do not use fake payment data.\n\n- For **Grammarly/Superhuman testing**:\n  - Use `@wearehackerone.com` to sign up.\n  - Append `hackeronetester` to your email (e.g., `grammarlyhackeronetester@gmail.com`) if you’re not using a `@wearehackerone.com` domain.\n  - Need a specific subscription level? Contact us, and we’ll provide access as needed.\n\n---\n\n## 🚫 Out of Scope\n\nWhen reporting, please consider exploitability and impact. The following are **out of scope** or **non-qualifying**:\n\n### Technical Exclusions\n- Apparent SSRF of `/api/oembedResolve` (uses Iframely)\n- Clickjacking on non-sensitive pages\n- Unauthenticated / logout / login CSRF\n- MITM or physical access–dependent attacks\n- Known vulnerable libraries without working PoC\n- CSV injection without clear exploit\n- Missing SSL/TLS, DNS, CSP, or header “best practices”\n- Content spoofing or text injection without HTML/CSS modification\n- DoS or service disruption attempts\n- Overly large payloads in docs\n- “Best practice” or theoretical issues\n\n### Business Logic \u0026 Policy Exclusions\n- Credential reuse from public dumps\n- Username/account enumeration\n- Promo/invite code or referral abuse\n- Account sharing or subscription misuse\n- Institutional or educational access code issues\n- Email verification or password complexity complaints\n\n---\n\n## 💰 Rewards\n\nWe reward based on the **impact and severity** of the vulnerability.  \nFinal bounty amounts are at the discretion of the Superhuman Security Team.  
\n\nBounty tiers for different products:\n- Grammarly - Up to $30k\n- Superhuman - Up to $13k (Excludes Superhuman Mail)\n- Coda - Up to $3k\n\nDuplicate reports (including known internal issues) will not be rewarded.  \nMultiple vulnerabilities from a single root cause may be combined into one payout.\n\n\u003e ⚑ **CTF Challenge**  \n\u003e The first hacker who reports the `$FLAG` saved in document ID `1198436185` under user `h1_ctf@grammarly.com` (user_id `1411519194`) will earn a **$100,000 bounty**.  \n\u003e If it’s in scope, the challenge remains active — no need to ask for confirmation.\n\n---\n\n## 🛡️ Safe Harbor\n\nWe comply with **HackerOne’s Golden Safe Harbor Standard**.  \nActivities conducted in accordance with this policy will be considered authorized and exempt from legal action.  \n\n[Learn more → Safe Harbor FAQ](https://docs.hackerone.com/en/articles/8494502-safe-harbor-faq)\n\n---\n\n## ✉️ Questions or Access Requests\n\nNeed additional test environments or subscriptions?  \nReach us directly via your HackerOne submission or contact **security@superhuman.com**.\n\n---\n\nThank you for helping keep **Superhuman**, our users, and the broader community safe.  \nWe deeply appreciate your skill, curiosity, and professionalism — together, we’re building something truly secure 🚀\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"**Welcome to Superhuman’s Bug Bounty Program! 🚀**  \n\nAt **Superhuman (formerly Grammarly + Coda)**, security and privacy are at the heart of everything we build. We’re committed to protecting our users and ensuring the integrity of our platform as we bring words, data, and teams together in powerful new ways.  \n\nCollaboration with the security research community is essential to that mission — your expertise helps us create safer, smarter, and more resilient products.  
\n\nWe’re thrilled to partner with you and truly value your insights. 🐞🔍","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Social Engineering of Grammarly Employees and Users\",\"details\":\"Social engineering (e.g., phishing, vishing, smishing) of Grammarly employees and users is strictly prohibited.\"}","{\"category\":\"Publicly Known Vulnerable Libraries Without a Working Proof of Concept\",\"details\":\"Reports concerning vulnerabilities in publicly known libraries will only be considered if accompanied by a working Proof of Concept (PoC). Without a PoC, such reports will be excluded from the scope.\"}","{\"category\":\"Stack Traces, Path Disclosure, and Directory Listings\",\"details\":\"Reports related to stack traces, path disclosures, and directory listings will be excluded from the scope unless they directly demonstrate a significant security impact.\"}","{\"category\":\"Self-XSS or User-Pasted JavaScript into the Browser Console\",\"details\":\"Reports involving Self-XSS or scenarios where users need to paste JavaScript into the browser console will be excluded from the scope.\"}","{\"category\":\"Vulnerabilities in outdated versions of Grammarly software\",\"details\":\"Reports involving vulnerabilities found in outdated versions of Grammarly software will be excluded from the scope.\"}","{\"category\":\"Issues Relating to Non-Grammarly Products\",\"details\":\"Reports about problems found in non-Grammarly products, such as third-party integrations.\"}","{\"category\":\"Any Activity That Could Lead to the Disruption of Our Service (DoS)\",\"details\":\"Reports involving activities that could lead to the disruption of our service, including Denial of Service (DoS) attacks.\"}","{\"category\":\"Crash Dumps or Other Automated Tool Output\",\"details\":\"Reports that consist solely of crash dumps or output from automated tools without accompanying proof of concept code.\"}","{\"category\":\"Open 
Ports Scanning and Information Disclosure\",\"details\":\"Reports involving open ports scanning, banner grabbing, and software version disclosure issues will be excluded from the scope.\"}","{\"category\":\"MITM and Mixed Content Issues\",\"details\":\"Reports involving Man-In-The-Middle (MITM) attacks on secure connections and mixed content issues with no significant impact will be excluded from the scope.\"}","{\"category\":\"Vulnerabilities Requiring Elevated Permissions\",\"details\":\"Reports involving vulnerabilities that necessitate root-level permissions or physical access to the targeted device.\"}","{\"category\":\"Outdated User Agents and Unsupported Platforms\",\"details\":\"Reports concerning issues that only affect outdated user agents or unsupported platforms.\"}","{\"category\":\"Issues Related to the Missing Address Bar in Grammarly’s Desktop App\",\"details\":\"Reports concerning the missing address bar in Grammarly’s desktop app.\"}"],"timestamp":"2025-11-25T11:41:39.262Z"},{"id":3766489,"new_policy":"# 🛡️ Superhuman (formerly Grammarly) Bug Bounty Program\n\nWelcome, Hackers 👋  \n\nWe’ve merged the **Grammarly** and **Coda** programs into a single unified program — **Superhuman (formerly Grammarly)**.  \nWe’re excited to continue working with the security community to help keep our users, data, and systems secure.  \n\n---\n\n## 🌍 Our Story\n\nSuperhuman builds powerful, collaborative tools that bring words, data, and teams together — from the next generation of document creation (formerly Coda) to AI-enhanced writing and productivity tools (formerly Grammarly).  \n\nSecurity and privacy remain at the core of everything we build. 
We look forward to collaborating with researchers worldwide to identify and resolve vulnerabilities responsibly.\n\n---\n\n## 🧭 Program Scope\n\n### In Scope\n- `*.grammarly.com`\n- `*.coda.io`\n- `*.superhuman.com` (excluding Superhuman Mail — see below)\n- Browser extensions for Chrome, Safari, Firefox, and Edge  \n- Desktop applications for macOS and Windows  \n- Mobile apps and keyboards for Android and iOS  \n\n\u003e 💡 **Note:** Vulnerabilities in the **Superhuman Mail** product should be reported via **VDP only** at [security@superhuman.com](mailto:security@superhuman.com).\n\n---\n\n## ⏱️ Response Targets\n\n| Stage | Target Timeframe |\n|--------|------------------|\n| Time to first response | 2 business days |\n| Time to triage | 4 business days |\n| Time to bounty (after triage) | 7 business days |\n\nWe’ll keep you updated throughout the process.\n\n---\n\n## 🧩 Rules for Researchers\n\n- Be an **ethical hacker** and follow HackerOne’s [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).  \n- Respect privacy — **only interact with test accounts** that you own.  \n- Do **not** test or exploit bugs on real customer accounts. Doing so may reduce bounty awards by up to **50%**.  \n- **No DoS, spam, or abuse of customer support channels** to gain attention.  \n- Do **not** use leaked customer credentials.  \n- We **will** pay bounties for working *employee credential leaks* when properly demonstrated.  \n- If you encounter user data inadvertently, stop testing immediately, report it, and purge all local data.  \n- Submit one vulnerability per report (unless chaining is needed for impact).  \n- Only the **first valid report** of a vulnerability will be rewarded.  \n- Multiple issues stemming from the same root cause may be combined into one bounty.  \n- Social engineering (phishing, vishing, smishing, etc.) is strictly prohibited.  
\n\n---\n\n## 🧪 Test Accounts\n\nCreate your own test accounts to explore and validate findings.\n\n- For **Coda testing**:\n  - Create a free account at [https://coda.io/welcome](https://coda.io/welcome).\n  - Use a **Google** or **email+password** sign-up.\n  - Append `hackeronetester` to your email (e.g., `codahackeronetester@gmail.com`) if you’re not using a `@wearehackerone.com` domain.\n  - Do not create more than **5 test accounts**.\n  - Use only the free plan — do not use fake payment data.\n\n- For **Grammarly/Superhuman testing**:\n  - Use `@wearehackerone.com` to sign up.\n  - Need a specific subscription level? Contact us, and we’ll provide access as needed.\n\n---\n\n## 🚫 Out of Scope\n\nWhen reporting, please consider exploitability and impact. The following are **out of scope** or **non-qualifying**:\n\n### Technical Exclusions\n- Apparent SSRF of `/api/oembedResolve` (uses Iframely)\n- Clickjacking on non-sensitive pages\n- Unauthenticated / logout / login CSRF\n- MITM or physical access–dependent attacks\n- Known vulnerable libraries without working PoC\n- CSV injection without clear exploit\n- Missing SSL/TLS, DNS, CSP, or header “best practices”\n- Content spoofing or text injection without HTML/CSS modification\n- DoS or service disruption attempts\n- Overly large payloads in docs\n- “Best practice” or theoretical issues\n\n### Business Logic \u0026 Policy Exclusions\n- Credential reuse from public dumps\n- Username/account enumeration\n- Promo/invite code or referral abuse\n- Account sharing or subscription misuse\n- Institutional or educational access code issues\n- Email verification or password complexity complaints\n\n---\n\n## 💰 Rewards\n\nWe reward based on the **impact and severity** of the vulnerability.  \nFinal bounty amounts are at the discretion of the Superhuman Security Team.  \n\nDuplicate reports (including known internal issues) will not be rewarded.  
\nMultiple vulnerabilities from a single root cause may be combined into one payout.\n\n\u003e ⚑ **CTF Challenge**  \n\u003e The first hacker who reports the `$FLAG` saved in document ID `1198436185` under user `h1_ctf@grammarly.com` (user_id `1411519194`) will earn a **$100,000 bounty**.  \n\u003e If it’s in scope, the challenge remains active — no need to ask for confirmation.\n\n---\n\n## 🛡️ Safe Harbor\n\nWe comply with **HackerOne’s Golden Safe Harbor Standard**.  \nActivities conducted in accordance with this policy will be considered authorized and exempt from legal action.  \n\n[Learn more → Safe Harbor FAQ](https://docs.hackerone.com/en/articles/8494502-safe-harbor-faq)\n\n---\n\n## ✉️ Questions or Access Requests\n\nNeed additional test environments or subscriptions?  \nReach us directly via your HackerOne submission or contact **security@superhuman.com**.\n\n---\n\nThank you for helping keep **Superhuman**, our users, and the broader community safe.  \nWe deeply appreciate your skill, curiosity, and professionalism — together, we’re building something truly secure 🚀\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"**Welcome to Superhuman’s Bug Bounty Program! 🚀**  \n\nAt **Superhuman (formerly Grammarly + Coda)**, security and privacy are at the heart of everything we build. We’re committed to protecting our users and ensuring the integrity of our platform as we bring words, data, and teams together in powerful new ways.  \n\nCollaboration with the security research community is essential to that mission — your expertise helps us create safer, smarter, and more resilient products.  \n\nWe’re thrilled to partner with you and truly value your insights. 
🐞🔍","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Social Engineering of Grammarly Employees and Users\",\"details\":\"Social engineering (e.g., phishing, vishing, smishing) of Grammarly employees and users is strictly prohibited.\"}","{\"category\":\"Publicly Known Vulnerable Libraries Without a Working Proof of Concept\",\"details\":\"Reports concerning vulnerabilities in publicly known libraries will only be considered if accompanied by a working Proof of Concept (PoC). Without a PoC, such reports will be excluded from the scope.\"}","{\"category\":\"Stack Traces, Path Disclosure, and Directory Listings\",\"details\":\"Reports related to stack traces, path disclosures, and directory listings will be excluded from the scope unless they directly demonstrate a significant security impact.\"}","{\"category\":\"Self-XSS or User-Pasted JavaScript into the Browser Console\",\"details\":\"Reports involving Self-XSS or scenarios where users need to paste JavaScript into the browser console will be excluded from the scope.\"}","{\"category\":\"Vulnerabilities in outdated versions of Grammarly software\",\"details\":\"Reports involving vulnerabilities found in outdated versions of Grammarly software will be excluded from the scope.\"}","{\"category\":\"Issues Relating to Non-Grammarly Products\",\"details\":\"Reports about problems found in non-Grammarly products, such as third-party integrations.\"}","{\"category\":\"Any Activity That Could Lead to the Disruption of Our Service (DoS)\",\"details\":\"Reports involving activities that could lead to the disruption of our service, including Denial of Service (DoS) attacks.\"}","{\"category\":\"Crash Dumps or Other Automated Tool Output\",\"details\":\"Reports that consist solely of crash dumps or output from automated tools without accompanying proof of concept code.\"}","{\"category\":\"Open Ports Scanning and Information Disclosure\",\"details\":\"Reports 
involving open ports scanning, banner grabbing, and software version disclosure issues will be excluded from the scope.\"}","{\"category\":\"MITM and Mixed Content Issues\",\"details\":\"Reports involving Man-In-The-Middle (MITM) attacks on secure connections and mixed content issues with no significant impact will be excluded from the scope.\"}","{\"category\":\"Vulnerabilities Requiring Elevated Permissions\",\"details\":\"Reports involving vulnerabilities that necessitate root-level permissions or physical access to the targeted device.\"}","{\"category\":\"Outdated User Agents and Unsupported Platforms\",\"details\":\"Reports concerning issues that only affect outdated user agents or unsupported platforms.\"}","{\"category\":\"Issues Related to the Missing Address Bar in Grammarly’s Desktop App\",\"details\":\"Reports concerning the missing address bar in Grammarly’s desktop app.\"}"],"timestamp":"2025-11-24T09:45:09.864Z"},{"id":3766488,"new_policy":"# 🛡️ Superhuman (formerly Grammarly) Bug Bounty Program\n\nWelcome, Hackers 👋  \n\nWe’ve merged the **Grammarly** and **Coda** programs into a single unified program — **Superhuman (formerly Grammarly)**.  \nWe’re excited to continue working with the security community to help keep our users, data, and systems secure.  \n\n---\n\n## 🌍 Our Story\n\nSuperhuman builds powerful, collaborative tools that bring words, data, and teams together — from the next generation of document creation (formerly Coda) to AI-enhanced writing and productivity tools (formerly Grammarly).  \n\nSecurity and privacy remain at the core of everything we build. 
We look forward to collaborating with researchers worldwide to identify and resolve vulnerabilities responsibly.\n\n---\n\n## 🧭 Program Scope\n\n### In Scope\n- `*.grammarly.com`\n- `*.coda.io`\n- `*.superhuman.com` (excluding Superhuman Mail — see below)\n- Browser extensions for Chrome, Safari, Firefox, and Edge  \n- Desktop applications for macOS and Windows  \n- Mobile apps and keyboards for Android and iOS  \n\n\u003e 💡 **Note:** Vulnerabilities in the **Superhuman Mail** product should be reported via **VDP only** at [security@superhuman.com](mailto:security@superhuman.com).\n\n---\n\n## ⏱️ Response Targets\n\n| Stage | Target Timeframe |\n|--------|------------------|\n| Time to first response | 2 business days |\n| Time to triage | 4 business days |\n| Time to bounty (after triage) | 7 business days |\n\nWe’ll keep you updated throughout the process.\n\n---\n\n## 🧩 Rules for Researchers\n\n- Be an **ethical hacker** and follow HackerOne’s [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).  \n- Respect privacy — **only interact with test accounts** that you own.  \n- Do **not** test or exploit bugs on real customer accounts. Doing so may reduce bounty awards by up to **50%**.  \n- **No DoS, spam, or abuse of customer support channels** to gain attention.  \n- Do **not** use leaked customer credentials.  \n- We **will** pay bounties for working *employee credential leaks* when properly demonstrated.  \n- If you encounter user data inadvertently, stop testing immediately, report it, and purge all local data.  \n- Submit one vulnerability per report (unless chaining is needed for impact).  \n- Only the **first valid report** of a vulnerability will be rewarded.  \n- Multiple issues stemming from the same root cause may be combined into one bounty.  \n- Social engineering (phishing, vishing, smishing, etc.) is strictly prohibited.  
\n\n---\n\n## 🧪 Test Accounts\n\nCreate your own test accounts to explore and validate findings.\n\n- For **Coda testing**:\n  - Create a free account at [https://coda.io/welcome](https://coda.io/welcome).\n  - Use a **Google** or **email+password** sign-up.\n  - Append `hackeronetester` to your email (e.g., `codahackeronetester@gmail.com`) if you’re not using a `@wearehackerone.com` domain.\n  - Do not create more than **5 test accounts**.\n  - Use only the free plan — do not use fake payment data.\n\n- For **Grammarly/Superhuman testing**:\n  - Use `@wearehackerone.com` to sign up.\n  - Need a specific subscription level? Contact us, and we’ll provide access as needed.\n\n---\n\n## 🚫 Out of Scope\n\nWhen reporting, please consider exploitability and impact. The following are **out of scope** or **non-qualifying**:\n\n### Technical Exclusions\n- Apparent SSRF of `/api/oembedResolve` (uses Iframely)\n- Clickjacking on non-sensitive pages\n- Unauthenticated / logout / login CSRF\n- MITM or physical access–dependent attacks\n- Known vulnerable libraries without working PoC\n- CSV injection without clear exploit\n- Missing SSL/TLS, DNS, CSP, or header “best practices”\n- Content spoofing or text injection without HTML/CSS modification\n- DoS or service disruption attempts\n- Overly large payloads in docs\n- “Best practice” or theoretical issues\n\n### Business Logic \u0026 Policy Exclusions\n- Credential reuse from public dumps\n- Username/account enumeration\n- Promo/invite code or referral abuse\n- Account sharing or subscription misuse\n- Institutional or educational access code issues\n- Email verification or password complexity complaints\n\n---\n\n## 💰 Rewards\n\nWe reward based on the **impact and severity** of the vulnerability.  \nFinal bounty amounts are at the discretion of the Superhuman Security Team.  \n\nDuplicate reports (including known internal issues) will not be rewarded.  
\nMultiple vulnerabilities from a single root cause may be combined into one payout.\n\n\u003e ⚑ **CTF Challenge**  \n\u003e The first hacker who reports the `$FLAG` saved in document ID `1198436185` under user `h1_ctf@grammarly.com` (user_id `1411519194`) will earn a **$100,000 bounty**.  \n\u003e If it’s in scope, the challenge remains active — no need to ask for confirmation.\n\n---\n\n## 🛡️ Safe Harbor\n\nWe comply with **HackerOne’s Golden Safe Harbor Standard**.  \nActivities conducted in accordance with this policy will be considered authorized and exempt from legal action.  \n\n[Learn more → Safe Harbor FAQ](https://docs.hackerone.com/en/articles/8494502-safe-harbor-faq)\n\n---\n\n## ✉️ Questions or Access Requests\n\nNeed additional test environments or subscriptions?  \nReach us directly via your HackerOne submission or contact **security@superhuman.com**.\n\n---\n\nThank you for helping keep **Superhuman**, our users, and the broader community safe.  \nWe deeply appreciate your skill, curiosity, and professionalism — together, we’re building something truly secure 🚀\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Welcome to Grammarly’s Bug Bounty Program! 🚀\n\nAt Grammarly, we are committed to ensuring the security of our platform and the trust of our millions of users worldwide. 
Collaboration with the security research community is key to achieving our mission of enabling effective and secure communication.\n\nWe’re excited to work with you and deeply value your insights.🐞🔍","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Social Engineering of Grammarly Employees and Users\",\"details\":\"Social engineering (e.g., phishing, vishing, smishing) of Grammarly employees and users is strictly prohibited.\"}","{\"category\":\"Publicly Known Vulnerable Libraries Without a Working Proof of Concept\",\"details\":\"Reports concerning vulnerabilities in publicly known libraries will only be considered if accompanied by a working Proof of Concept (PoC). Without a PoC, such reports will be excluded from the scope.\"}","{\"category\":\"Stack Traces, Path Disclosure, and Directory Listings\",\"details\":\"Reports related to stack traces, path disclosures, and directory listings will be excluded from the scope unless they directly demonstrate a significant security impact.\"}","{\"category\":\"Self-XSS or User-Pasted JavaScript into the Browser Console\",\"details\":\"Reports involving Self-XSS or scenarios where users need to paste JavaScript into the browser console will be excluded from the scope.\"}","{\"category\":\"Vulnerabilities in outdated versions of Grammarly software\",\"details\":\"Reports involving vulnerabilities found in outdated versions of Grammarly software will be excluded from the scope.\"}","{\"category\":\"Issues Relating to Non-Grammarly Products\",\"details\":\"Reports about problems found in non-Grammarly products, such as third-party integrations.\"}","{\"category\":\"Any Activity That Could Lead to the Disruption of Our Service (DoS)\",\"details\":\"Reports involving activities that could lead to the disruption of our service, including Denial of Service (DoS) attacks.\"}","{\"category\":\"Crash Dumps or Other Automated Tool Output\",\"details\":\"Reports that consist 
solely of crash dumps or output from automated tools without accompanying proof of concept code.\"}","{\"category\":\"Open Ports Scanning and Information Disclosure\",\"details\":\"Reports involving open ports scanning, banner grabbing, and software version disclosure issues will be excluded from the scope.\"}","{\"category\":\"MITM and Mixed Content Issues\",\"details\":\"Reports involving Man-In-The-Middle (MITM) attacks on secure connections and mixed content issues with no significant impact will be excluded from the scope.\"}","{\"category\":\"Vulnerabilities Requiring Elevated Permissions\",\"details\":\"Reports involving vulnerabilities that necessitate root-level permissions or physical access to the targeted device.\"}","{\"category\":\"Outdated User Agents and Unsupported Platforms\",\"details\":\"Reports concerning issues that only affect outdated user agents or unsupported platforms.\"}","{\"category\":\"Issues Related to the Missing Address Bar in Grammarly’s Desktop App\",\"details\":\"Reports concerning the missing address bar in Grammarly’s desktop app.\"}"],"timestamp":"2025-11-24T09:44:31.001Z"},{"id":3746847,"new_policy":"Security and privacy are core concepts at Grammarly. 
Grammarly looks forward to working with the security community to find security vulnerabilities in order to keep our business and customers safe.\n\n# Rules for us\n\n- We offer a **safe harbor (defined below) to all activities** that are consistent with this policy.\n- We respect the time and effort of our researchers.\n- We will do our best to keep you informed about our progress throughout the process.\n- We will try to award a bounty for a successfully validated report in 7 days after the triage.\n- We will not respond to threats or negotiate under duress.\n\n# Rules for you\n\n* Be an ethical hacker.\n* Respect privacy: Only interact with test Grammarly accounts you own.\n* Avoid testing that would result in privacy violations, destruction of data, or interruption or degradation of our service.\n* Contact us immediately if you inadvertently encounter user data. Do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local information upon reporting the vulnerability to Grammarly.\n* Follow [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines) during the triage and after the successful remediation of the vulnerability.\n\n*Note:* Failure to adhere to the program rules may result in a halved bounty or no reward, even for valid reports. Deliberate violations will lead to removal from the program and may be reported to HackerOne, potentially causing significant reputation loss.\n\n# Grammarly CTF - $100K bounty\n\nThe first hacker who reports the `$FLAG` saved in the document (`document_id: 1198436185`) of the user  `h1_ctf@grammarly.com`  (`user_id: 1411519194`) will be awarded a **$100K bounty**.\nNote: If it is in scope, it means we are still offering the bounty for the CTF. 
Please refrain from asking for confirmation.\n\n# Scope\n\n- `*.grammarly.com` - [**list of `*.grammarly.com` subdomains**](https://prod-grammarly-treasure-map.s3.us-east-1.amazonaws.com/latest.json).\n- `*.grammarly.io`\n- `*.grammarlyaws.com`\n- `*.grammarly.ai`\n- **Browser Extensions** for Chrome, Safari, Firefox, Edge\n- **Grammarly Desktop** – desktop applications for [macOS](https://www.grammarly.com/desktop/mac) and [Windows](https://www.grammarly.com/desktop/windows). Windows app requires at least Windows 10 version 1903 to run.\n- **Add-On for Microsoft Word and Outlook** - [Grammarly add-on](https://www.grammarly.com/office-addin/windows) for MS Word and Outlook for Windows, powered by .NET.\n- **Add-On for Microsoft Word [JS SDK]** - [Grammarly add-on](https://appsource.microsoft.com/en-us/product/office/WA200001011?tab=Overview) for MS Word for macOS and Windows, powered by JS SDK.\n- **Mobile keyboards and applications for Android and iOS**\n\n\u003e Vulnerabilities in the Grammarly Keyboard for Android with a working proof of concept may qualify for an additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). To see which vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s [Vulnerability Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n# Rewards\n\n- We determine the value of the reward based on **the impact and severity** of the reported vulnerability. 
The final reward decisions are up to the discretion of the Grammarly Security team.\n- When duplicates (including internally known issues) occur, we only award the first report that we receive.\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n## Common vulnerabilities excluded from the scope\nRefer to the **Scope Exclusions** section on the program page.\n\n## Non-qualifying best practices\n\n* Missing cookie flags on non-authentication cookies.\n* Missing best practices in DNS configuration (e.g., DKIM/DMARC/SPF/TXT).\n* Missing best practices in SSL/TLS configuration.\n* Missing best practices in Content Security Policy (CSP) or lack of other security-related headers.\n* Leakage of sensitive tokens (e.g., reset password token) to trusted third parties on secure connection (HTTPS).\n\n## Non-qualifying business issues\n\n* Institution access code enumeration or demonstrating access codes leaked in internet forums.\n* Promo code link disclosure; duration or usage limitation issues\n* Credential re-usage from public dumps\n* UUID enumeration of any kind\n* Ability to determine if a username or email has a Grammarly account, also known as account oracle.\n* Signing up with multiple accounts to abuse referral code usage\n* Password length, complexity, and re-use requirements\n* Email verification feature\n* Sharing Premium accounts with other users isn’t considered a monetary impact\n\nThank you for helping keep Grammarly and our users safe!\n\n## Consequences of complying with this policy a.k.a. Safe Harbor\n\nWe comply with HackerOne's Golden Safe Harbor Standard. Find more information below.\nhttps://docs.hackerone.com/en/articles/8494502-safe-harbor-faq\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Welcome to Grammarly’s Bug Bounty Program! 
🚀\n\nAt Grammarly, we are committed to ensuring the security of our platform and the trust of our millions of users worldwide. Collaboration with the security research community is key to achieving our mission of enabling effective and secure communication.\n\nWe’re excited to work with you and deeply value your insights.🐞🔍","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Social Engineering of Grammarly Employees and Users\",\"details\":\"Social engineering (e.g., phishing, vishing, smishing) of Grammarly employees and users is strictly prohibited.\"}","{\"category\":\"Publicly Known Vulnerable Libraries Without a Working Proof of Concept\",\"details\":\"Reports concerning vulnerabilities in publicly known libraries will only be considered if accompanied by a working Proof of Concept (PoC). Without a PoC, such reports will be excluded from the scope.\"}","{\"category\":\"Stack Traces, Path Disclosure, and Directory Listings\",\"details\":\"Reports related to stack traces, path disclosures, and directory listings will be excluded from the scope unless they directly demonstrate a significant security impact.\"}","{\"category\":\"Self-XSS or User-Pasted JavaScript into the Browser Console\",\"details\":\"Reports involving Self-XSS or scenarios where users need to paste JavaScript into the browser console will be excluded from the scope.\"}","{\"category\":\"Vulnerabilities in outdated versions of Grammarly software\",\"details\":\"Reports involving vulnerabilities found in outdated versions of Grammarly software will be excluded from the scope.\"}","{\"category\":\"Issues Relating to Non-Grammarly Products\",\"details\":\"Reports about problems found in non-Grammarly products, such as third-party integrations.\"}","{\"category\":\"Any Activity That Could Lead to the Disruption of Our Service (DoS)\",\"details\":\"Reports involving activities that could lead to the disruption of our service, including Denial 
of Service (DoS) attacks.\"}","{\"category\":\"Crash Dumps or Other Automated Tool Output\",\"details\":\"Reports that consist solely of crash dumps or output from automated tools without accompanying proof of concept code.\"}","{\"category\":\"Open Ports Scanning and Information Disclosure\",\"details\":\"Reports involving open ports scanning, banner grabbing, and software version disclosure issues will be excluded from the scope.\"}","{\"category\":\"MITM and Mixed Content Issues\",\"details\":\"Reports involving Man-In-The-Middle (MITM) attacks on secure connections and mixed content issues with no significant impact will be excluded from the scope.\"}","{\"category\":\"Vulnerabilities Requiring Elevated Permissions\",\"details\":\"Reports involving vulnerabilities that necessitate root-level permissions or physical access to the targeted device.\"}","{\"category\":\"Outdated User Agents and Unsupported Platforms\",\"details\":\"Reports concerning issues that only affect outdated user agents or unsupported platforms.\"}","{\"category\":\"Issues Related to the Missing Address Bar in Grammarly’s Desktop App\",\"details\":\"Reports concerning the missing address bar in Grammarly’s desktop app.\"}"],"timestamp":"2024-12-18T14:34:14.831Z"},{"id":3736039,"new_policy":"Security and privacy are core concepts at Grammarly. 
Grammarly looks forward to working with the security community to find security vulnerabilities in order to keep our business and customers safe.\n\n# Rules for us\n\n- We offer a **safe harbor (defined below) to all activities** that are consistent with this policy.\n- We respect the time and effort of our researchers.\n- We will do our best to keep you informed about our progress throughout the process.\n- We will try to award a bounty for a successfully validated report in 3 days after the triage.\n- We will not respond to threats or negotiate under duress.\n\n# Rules for you\n\n* Be an ethical hacker.\n* Respect privacy: Only interact with test Grammarly accounts you own.\n* Avoid testing that would result in privacy violations, destruction of data, or interruption or degradation of our service.\n* Contact us immediately if you inadvertently encounter user data. Do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local information upon reporting the vulnerability to Grammarly.\n* Follow [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines) during the triage and after the successful remediation of the vulnerability.\n\n# Grammarly CTF - $100K bounty\n\nThe first hacker who reports the `$FLAG` saved in the document (`document_id: 1198436185`) of the user `h1_ctf@grammarly.com` (`user_id: 1411519194`) will be awarded a **$100K bounty**.\n\n# Scope\n\n- `*.grammarly.com` - [**list of `*.grammarly.com` subdomains**](https://prod-grammarly-treasure-map.s3.us-east-1.amazonaws.com/latest.json).\n- `*.grammarly.io`\n- `*.grammarlyaws.com`\n- `*.grammarly.ai`\n- **Browser Extensions** for Chrome, Safari, Firefox, Edge\n- **Grammarly Desktop** – desktop applications for [macOS](https://www.grammarly.com/desktop/mac) and [Windows](https://www.grammarly.com/desktop/windows). 
Windows app requires at least Windows 10 version 1903 to run.\n- **Add-On for Microsoft Word and Outlook** - [Grammarly add-on](https://www.grammarly.com/office-addin/windows) for MS Word and Outlook for Windows, powered by .NET.\n- **Add-On for Microsoft Word [JS SDK]** - [Grammarly add-on](https://appsource.microsoft.com/en-us/product/office/WA200001011?tab=Overview) for MS Word for macOS and Windows, powered by JS SDK.\n- **Mobile keyboards and applications for Android and iOS**\n\n\u003e Vulnerabilities in the Grammarly Keyboard for Android with a working proof of concept may qualify for an additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). To see which vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s [Vulnerability Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n# Rewards\n\n- We determine the value of the reward based on **the impact and severity** of the reported vulnerability. 
The final reward decisions are up to the discretion of the Grammarly Security team.\n- When duplicates (including internally known issues) occur, we only award the first report that we receive.\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n## Common vulnerabilities excluded from the scope\nRefer to the **Scope Exclusions** section on the program page.\n\n## Non-qualifying best practices\n\n* Missing cookie flags on non-authentication cookies.\n* Missing best practices in DNS configuration (e.g., DKIM/DMARC/SPF/TXT).\n* Missing best practices in SSL/TLS configuration.\n* Missing best practices in Content Security Policy (CSP) or lack of other security-related headers.\n* Leakage of sensitive tokens (e.g., reset password token) to trusted third parties on secure connection (HTTPS).\n\n## Non-qualifying business issues\n\n* Institution access code enumeration or demonstrating access codes leaked in internet forums.\n* Promo code link disclosure; duration or usage limitation issues\n* Credential re-usage from public dumps\n* UUID enumeration of any kind\n* Ability to determine if a username or email has a Grammarly account, also known as account oracle.\n* Signing up with multiple accounts to abuse referral code usage\n* Password length, complexity, and re-use requirements\n* Email verification feature\n* Sharing Premium accounts with other users isn’t considered a monetary impact\n\nThank you for helping keep Grammarly and our users safe!\n\n## Consequences of complying with this policy a.k.a. Safe Harbor\n\nWe comply with HackerOne's Golden Safe Harbor Standard. 
Find more information below.\nhttps://docs.hackerone.com/en/articles/8494502-safe-harbor-faq\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Social Engineering of Grammarly Employees and Users\",\"details\":\"Social engineering (e.g., phishing, vishing, smishing) of Grammarly employees and users is strictly prohibited.\"}","{\"category\":\"Publicly Known Vulnerable Libraries Without a Working Proof of Concept\",\"details\":\"Reports concerning vulnerabilities in publicly known libraries will only be considered if accompanied by a working Proof of Concept (PoC). Without a PoC, such reports will be excluded from the scope.\"}","{\"category\":\"Stack Traces, Path Disclosure, and Directory Listings\",\"details\":\"Reports related to stack traces, path disclosures, and directory listings will be excluded from the scope unless they directly demonstrate a significant security impact.\"}","{\"category\":\"Self-XSS or User-Pasted JavaScript into the Browser Console\",\"details\":\"Reports involving Self-XSS or scenarios where users need to paste JavaScript into the browser console will be excluded from the scope.\"}","{\"category\":\"Vulnerabilities in outdated versions of Grammarly software\",\"details\":\"Reports involving vulnerabilities found in outdated versions of Grammarly software will be excluded from the scope.\"}","{\"category\":\"Issues Relating to Non-Grammarly Products\",\"details\":\"Reports about problems found in non-Grammarly products, such as third-party integrations.\"}","{\"category\":\"Any Activity That Could Lead to the Disruption of Our Service (DoS)\",\"details\":\"Reports involving activities that could lead to the disruption of our service, including Denial of Service (DoS) attacks.\"}","{\"category\":\"Crash 
Dumps or Other Automated Tool Output\",\"details\":\"Reports that consist solely of crash dumps or output from automated tools without accompanying proof of concept code.\"}","{\"category\":\"Open Ports Scanning and Information Disclosure\",\"details\":\"Reports involving open ports scanning, banner grabbing, and software version disclosure issues will be excluded from the scope.\"}","{\"category\":\"MITM and Mixed Content Issues\",\"details\":\"Reports involving Man-In-The-Middle (MITM) attacks on secure connections and mixed content issues with no significant impact will be excluded from the scope.\"}","{\"category\":\"Vulnerabilities Requiring Elevated Permissions\",\"details\":\"Reports involving vulnerabilities that necessitate root-level permissions or physical access to the targeted device.\"}","{\"category\":\"Outdated User Agents and Unsupported Platforms\",\"details\":\"Reports concerning issues that only affect outdated user agents or unsupported platforms.\"}","{\"category\":\"Issues Related to the Missing Address Bar in Grammarly’s Desktop App\",\"details\":\"Reports concerning the missing address bar in Grammarly’s desktop app.\"}"],"timestamp":"2024-08-14T07:42:11.138Z"},{"id":3734820,"new_policy":"Security and privacy are core concepts at Grammarly. 
Grammarly looks forward to working with the security community to find security vulnerabilities in order to keep our business and customers safe.\n\n# Rules for us\n\n- We offer a **safe harbor (defined below) to all activities** that are consistent with this policy.\n- We respect the time and effort of our researchers.\n- We will do our best to keep you informed about our progress throughout the process.\n- We will try to award a bounty for a successfully validated report in 3 days after the triage.\n- We will not respond to threats or negotiate under duress.\n\n# Rules for you\n\n* Be an ethical hacker.\n* Respect privacy: Only interact with test Grammarly accounts you own.\n* Avoid testing that would result in privacy violations, destruction of data, or interruption or degradation of our service.\n* Contact us immediately if you inadvertently encounter user data. Do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local information upon reporting the vulnerability to Grammarly.\n* Follow [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines) during the triage and after the successful remediation of the vulnerability.\n\n# Grammarly CTF - $100K bounty\n\nThe first hacker who reports the `$FLAG` saved in the document (`document_id: 1198436185`) of the user `h1_ctf@grammarly.com` (`user_id: 1411519194`) will be awarded a **$100K bounty**.\n\n# Scope\n\n- `*.grammarly.com` - [**list of `*.grammarly.com` subdomains**](https://prod-grammarly-treasure-map.s3.us-east-1.amazonaws.com/latest.json).\n- `*.grammarly.io`\n- `*.grammarlyaws.com`\n- `*.grammarly.ai`\n- **Browser Extensions** for Chrome, Safari, Firefox, Edge\n- **Grammarly Desktop** – desktop applications for [macOS](https://www.grammarly.com/desktop/mac) and [Windows](https://www.grammarly.com/desktop/windows). 
Windows app requires at least Windows 10 version 1903 to run.\n- **Add-On for Microsoft Word and Outlook** - [Grammarly add-on](https://www.grammarly.com/office-addin/windows) for MS Word and Outlook for Windows, powered by .NET.\n- **Add-On for Microsoft Word [JS SDK]** - [Grammarly add-on](https://appsource.microsoft.com/en-us/product/office/WA200001011?tab=Overview) for MS Word for macOS and Windows, powered by JS SDK.\n- **Mobile keyboards and applications for Android and iOS**\n\n\u003e Vulnerabilities in the Grammarly Keyboard for Android with a working proof of concept may qualify for an additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). To see which vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s [Vulnerability Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n# Rewards\n\n- We determine the value of the reward based on **the impact and severity** of the reported vulnerability. 
The final reward decisions are up to the discretion of the Grammarly Security team.\n- When duplicates (including internally known issues) occur, we only award the first report that we receive.\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n## Common vulnerabilities excluded from the scope\nRefer to the **Scope Exclusions** section on the program page.\n\n## Non-qualifying best practices\n\n* Missing cookie flags on non-authentication cookies.\n* Missing best practices in DNS configuration (e.g., DKIM/DMARC/SPF/TXT).\n* Missing best practices in SSL/TLS configuration.\n* Missing best practices in Content Security Policy (CSP) or lack of other security-related headers.\n* Leakage of sensitive tokens (e.g., reset password token) to trusted third parties on secure connection (HTTPS).\n\n## Non-qualifying business issues\n\n* Institution access code enumeration or demonstrating access codes leaked in internet forums.\n* Promo code link disclosure; duration or usage limitation issues\n* Credential re-usage from public dumps\n* UUID enumeration of any kind\n* Ability to determine if a username or email has a Grammarly account, also known as account oracle.\n* Signing up with multiple accounts to abuse referral code usage\n* Password length, complexity, and re-use requirements\n* Email verification feature\n* Sharing Premium accounts with other users isn’t considered a monetary impact\n\nThank you for helping keep Grammarly and our users safe!\n\n## Consequences of complying with this policy a.k.a. Safe Harbor\n\nWe comply with HackerOne's Golden Safe Harbor Standard. 
Find more information below.\nhttps://docs.hackerone.com/en/articles/8494502-safe-harbor-faq\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"Social Engineering of Grammarly Employees and Users\",\"details\":\"Social engineering (e.g., phishing, vishing, smishing) of Grammarly employees and users is strictly prohibited.\"}","{\"category\":\"Publicly Known Vulnerable Libraries Without a Working Proof of Concept\",\"details\":\"Reports concerning vulnerabilities in publicly known libraries will only be considered if accompanied by a working Proof of Concept (PoC). Without a PoC, such reports will be excluded from the scope.\"}","{\"category\":\"Stack Traces, Path Disclosure, and Directory Listings\",\"details\":\"Reports related to stack traces, path disclosures, and directory listings will be excluded from the scope unless they directly demonstrate a significant security impact.\"}","{\"category\":\"Self-XSS or User-Pasted JavaScript into the Browser Console\",\"details\":\"Reports involving Self-XSS or scenarios where users need to paste JavaScript into the browser console will be excluded from the scope.\"}","{\"category\":\"Vulnerabilities in outdated versions of Grammarly software\",\"details\":\"Reports involving vulnerabilities found in outdated versions of Grammarly software will be excluded from the scope.\"}","{\"category\":\"Issues Relating to Non-Grammarly Products\",\"details\":\"Reports about problems found in non-Grammarly products, such as third-party integrations.\"}","{\"category\":\"Any Activity That Could Lead to the Disruption of Our Service (DoS)\",\"details\":\"Reports involving activities that could lead to the disruption of our service, including Denial of Service (DoS) 
attacks.\"}","{\"category\":\"Crash Dumps or Other Automated Tool Output\",\"details\":\"Reports that consist solely of crash dumps or output from automated tools without accompanying proof of concept code.\"}","{\"category\":\"Open Ports Scanning and Information Disclosure\",\"details\":\"Reports involving open ports scanning, banner grabbing, and software version disclosure issues will be excluded from the scope.\"}","{\"category\":\"MITM and Mixed Content Issues\",\"details\":\"Reports involving Man-In-The-Middle (MITM) attacks on secure connections and mixed content issues with no significant impact will be excluded from the scope.\"}","{\"category\":\"Vulnerabilities Requiring Elevated Permissions\",\"details\":\"Reports involving vulnerabilities that necessitate root-level permissions or physical access to the targeted device.\"}","{\"category\":\"Outdated User Agents and Unsupported Platforms\",\"details\":\"Reports concerning issues that only affect outdated user agents or unsupported platforms.\"}","{\"category\":\"Issues Related to the Missing Address Bar in Grammarly’s Desktop App\",\"details\":\"Reports concerning the missing address bar in Grammarly’s desktop app.\"}"],"timestamp":"2024-08-01T05:44:35.449Z"},{"id":3734819,"new_policy":"Security and privacy are core concepts at Grammarly. 
Grammarly looks forward to working with the security community to find security vulnerabilities in order to keep our business and customers safe.\n\n# Rules for us\n\n- We offer a **safe harbor (defined below) to all activities** that are consistent with this policy.\n- We respect the time and effort of our researchers.\n- We will do our best to keep you informed about our progress throughout the process.\n- We will try to award a bounty for a successfully validated report in 3 days after the triage.\n- We will not respond to threats or negotiate under duress.\n\n# Rules for you\n\n* Be an ethical hacker.\n* Respect privacy: Only interact with test Grammarly accounts you own.\n* Avoid testing that would result in privacy violations, destruction of data, or interruption or degradation of our service.\n* Contact us immediately if you inadvertently encounter user data. Do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local information upon reporting the vulnerability to Grammarly.\n* Follow [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines) during the triage and after the successful remediation of the vulnerability.\n\n# Grammarly CTF - $100K bounty\n\nThe first hacker who reports the `$FLAG` saved in the document (`document_id: 1198436185`) of the user `h1_ctf@grammarly.com` (`user_id: 1411519194`) will be awarded a **$100K bounty**.\n\n# Scope\n\n- `*.grammarly.com` - [**list of `*.grammarly.com` subdomains**](https://prod-grammarly-treasure-map.s3.us-east-1.amazonaws.com/latest.json).\n- `*.grammarly.io`\n- `*.grammarlyaws.com`\n- `*.grammarly.ai`\n- **Browser Extensions** for Chrome, Safari, Firefox, Edge\n- **Grammarly Desktop** – desktop applications for [macOS](https://www.grammarly.com/desktop/mac) and [Windows](https://www.grammarly.com/desktop/windows). 
Windows app requires at least Windows 10 version 1903 to run.\n- **Add-On for Microsoft Word and Outlook** - [Grammarly add-on](https://www.grammarly.com/office-addin/windows) for MS Word and Outlook for Windows, powered by .NET.\n- **Add-On for Microsoft Word [JS SDK]** - [Grammarly add-on](https://appsource.microsoft.com/en-us/product/office/WA200001011?tab=Overview) for MS Word for macOS and Windows, powered by JS SDK.\n- **Mobile keyboards and applications for Android and iOS**\n\n\u003e Vulnerabilities in the Grammarly Keyboard for Android with a working proof of concept may qualify for an additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). To see which vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s [Vulnerability Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n# Rewards\n\n- We determine the value of the reward based on **the impact and severity** of the reported vulnerability. 
The final reward decisions are up to the discretion of the Grammarly Security team.\n- When duplicates (including internally known issues) occur, we only award the first report that we receive.\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n## Common vulnerabilities excluded from the scope\nRefer to the **Scope Exclusions** section on the program page.\n\n## Non-qualifying best practices\n\n* Missing cookie flags on non-authentication cookies.\n* Missing best practices in DNS configuration (e.g., DKIM/DMARC/SPF/TXT).\n* Missing best practices in SSL/TLS configuration.\n* Missing best practices in Content Security Policy (CSP) or lack of other security-related headers.\n* Leakage of sensitive tokens (e.g., reset password token) to trusted third parties on secure connection (HTTPS).\n\n## Non-qualifying business issues\n\n* Institution access code enumeration or demonstrating access codes leaked in internet forums.\n* Promo code link disclosure; duration or usage limitation issues\n* Credential re-usage from public dumps\n* UUID enumeration of any kind\n* Ability to determine if a username or email has a Grammarly account, also known as account oracle.\n* Signing up with multiple accounts to abuse referral code usage\n* Password length, complexity, and re-use requirements\n* Email verification feature\n* Sharing Premium accounts with other users isn’t considered a monetary impact\n\nThank you for helping keep Grammarly and our users safe!\n\n## Consequences of complying with this policy a.k.a. Safe Harbor\n\nWe will not pursue a civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistently with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. 
To the extent your activities are inconsistent with certain restrictions in our Terms of Service, we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n​\nIf legal action is initiated by a third party against you and you have complied with Grammarly’s bug bounty policy, Grammarly will take steps to make it known that your actions were conducted in compliance with this policy.\n​\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"Social Engineering of Grammarly Employees and Users\",\"details\":\"Social engineering (e.g., phishing, vishing, smishing) of Grammarly employees and users is strictly prohibited.\"}","{\"category\":\"Publicly Known Vulnerable Libraries Without a Working Proof of Concept\",\"details\":\"Reports concerning vulnerabilities in publicly known libraries will only be considered if accompanied by a working Proof of Concept (PoC). 
Without a PoC, such reports will be excluded from the scope.\"}","{\"category\":\"Stack Traces, Path Disclosure, and Directory Listings\",\"details\":\"Reports related to stack traces, path disclosures, and directory listings will be excluded from the scope unless they directly demonstrate a significant security impact.\"}","{\"category\":\"Self-XSS or User-Pasted JavaScript into the Browser Console\",\"details\":\"Reports involving Self-XSS or scenarios where users need to paste JavaScript into the browser console will be excluded from the scope.\"}","{\"category\":\"Vulnerabilities in outdated versions of Grammarly software\",\"details\":\"Reports involving vulnerabilities found in outdated versions of Grammarly software will be excluded from the scope.\"}","{\"category\":\"Issues Relating to Non-Grammarly Products\",\"details\":\"Reports about problems found in non-Grammarly products, such as third-party integrations.\"}","{\"category\":\"Any Activity That Could Lead to the Disruption of Our Service (DoS)\",\"details\":\"Reports involving activities that could lead to the disruption of our service, including Denial of Service (DoS) attacks.\"}","{\"category\":\"Crash Dumps or Other Automated Tool Output\",\"details\":\"Reports that consist solely of crash dumps or output from automated tools without accompanying proof of concept code.\"}","{\"category\":\"Open Ports Scanning and Information Disclosure\",\"details\":\"Reports involving open ports scanning, banner grabbing, and software version disclosure issues will be excluded from the scope.\"}","{\"category\":\"MITM and Mixed Content Issues\",\"details\":\"Reports involving Man-In-The-Middle (MITM) attacks on secure connections and mixed content issues with no significant impact will be excluded from the scope.\"}","{\"category\":\"Vulnerabilities Requiring Elevated Permissions\",\"details\":\"Reports involving vulnerabilities that necessitate root-level permissions or physical access to the targeted 
device.\"}","{\"category\":\"Outdated User Agents and Unsupported Platforms\",\"details\":\"Reports concerning issues that only affect outdated user agents or unsupported platforms.\"}","{\"category\":\"Issues Related to the Missing Address Bar in Grammarly’s Desktop App\",\"details\":\"Reports concerning the missing address bar in Grammarly’s desktop app.\"}"],"timestamp":"2024-08-01T05:42:33.731Z"},{"id":3733594,"new_policy":"Security and privacy are core concepts at Grammarly. Grammarly looks forward to working with the security community to find security vulnerabilities in order to keep our business and customers safe.\n\n# Rules for us\n\n- We offer a **safe harbor (defined below) to all activities** that are consistent with this policy.\n- We respect the time and effort of our researchers.\n- We will do our best to keep you informed about our progress throughout the process.\n- We will try to award a bounty for a successfully validated report in 3 days after the triage.\n- We will not respond to threats or negotiate under duress.\n\n# Rules for you\n\n* Be an ethical hacker.\n* Respect privacy: Only interact with test Grammarly accounts you own.\n* Avoid testing that would result in privacy violations, destruction of data, or interruption or degradation of our service.\n* Contact us immediately if you inadvertently encounter user data. 
Do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local information upon reporting the vulnerability to Grammarly.\n* Follow [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines) during the triage and after the successful remediation of the vulnerability.\n\n# Grammarly CTF - $100K bounty\n\nThe first hacker who reports the `$FLAG` saved in the document (`document_id: 1198436185`) of the user  `h1_ctf@grammarly.com`  (`user_id: 1411519194`) will be awarded a **$100K bounty**.\n\n# Scope\n\n- `*.grammarly.com` - [**list of `*.grammarly.com` subdomains**](https://prod-grammarly-treasure-map.s3.us-east-1.amazonaws.com/latest.json).\n- `*.grammarly.io`\n- `*.grammarlyaws.com`\n- `*.grammarly.ai`\n- **Browser Extensions** for Chrome, Safari, Firefox, Edge__\n- **Grammarly Desktop** – desktop applications for [macOS](https://www.grammarly.com/desktop/mac) and [Windows](https://www.grammarly.com/desktop/windows). Windows app requires at least Windows 10 version 1903 to run.\n- **Add-On for Microsoft Word and Outlook** - [Grammarly add-on](https://www.grammarly.com/office-addin/windows) for MS Word and Outlook for Windows, powered by .NET.\n- **Add-On for Microsoft Word [JS SDK]**- [Grammarly add-on](https://appsource.microsoft.com/en-us/product/office/WA200001011?tab=Overview) for MS Word for macOS and Windows, powered by JS SDK.\n- **Mobile keyboards and applications for Android and iOS**\n\n\u003e Vulnerabilities in the Grammarly Keyboard for Android with a working proof of concept may qualify for an additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). 
To see which vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s [Vulnerability Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n# Rewards\n\n- We determine the value of the reward based on **the impact and severity** of the reported vulnerability. The final reward decisions are up to the discretion of the Grammarly Security team.\n- When duplicates (including internally known issues) occur, we only award the first report that we receive.\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n## Common vulnerabilities excluded from the scope\nRefer **Scope Exclusions** section on the program page\n\n## Non-qualifying best practices\n\n* Missing cookie flags on non-authentication cookies.\n* Missing best practices in DNS configuration (e.g., DKIM/DMARC/SPF/TXT).\n* Missing best practices in SSL/TLS configuration.\n* Missing best practices in Content Security Policy (CSP) or lack of other security-related headers.\n* Leakage of sensitive tokens (e.g., reset password token) to trusted third parties on secure connection (HTTPS).\n\n## Non-qualifying business issues\n\n* Institution access code enumeration or demonstrating access codes leaked in internet forums.\n* Promo code link disclosure; duration or usage limitation issues\n* Credential re-usage from public dumps\n* UUID enumeration of any kind\n* Ability to determine if a username or email has a Grammarly account, also known as account oracle.\n* Signing up with multiple accounts to abuse referral code usage\n* Password length, complexity, and re-use requirements\n* Email verification feature\n* Sharing Premium accounts with other users isn’t considered a monetary impact\n\nThank you for helping keep Grammarly and our users safe!\n\n## Consequences of complying with this policy a.k.a. 
Safe Harbor\n\nWe will not pursue a civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistently with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Terms of Service, we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n​\nIf legal action is initiated by a third party against you and you have complied with Grammarly’s bug bounty policy, Grammarly will take steps to make it known that your actions were conducted in compliance with this policy.\n​\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"Social Engineering of Grammarly Employees and Users\",\"details\":\"Social engineering (e.g., phishing, vishing, smishing) of Grammarly employees and users is strictly prohibited.\"}","{\"category\":\"Publicly Known Vulnerable Libraries Without a Working Proof of Concept\",\"details\":\"Reports concerning vulnerabilities in publicly known libraries will only be considered if accompanied by a working Proof of Concept (PoC). 
Without a PoC, such reports will be excluded from the scope.\"}","{\"category\":\"Stack Traces, Path Disclosure, and Directory Listings\",\"details\":\"Reports related to stack traces, path disclosures, and directory listings will be excluded from the scope unless they directly demonstrate a significant security impact.\"}","{\"category\":\"Self-XSS or User-Pasted JavaScript into the Browser Console\",\"details\":\"Reports involving Self-XSS or scenarios where users need to paste JavaScript into the browser console will be excluded from the scope.\"}","{\"category\":\"Vulnerabilities in outdated versions of Grammarly software\",\"details\":\"Reports involving vulnerabilities found in outdated versions of Grammarly software will be excluded from the scope.\"}","{\"category\":\"Issues Relating to Non-Grammarly Products\",\"details\":\"Reports about problems found in non-Grammarly products, such as third-party integrations.\"}","{\"category\":\"Any Activity That Could Lead to the Disruption of Our Service (DoS)\",\"details\":\"Reports involving activities that could lead to the disruption of our service, including Denial of Service (DoS) attacks.\"}","{\"category\":\"Crash Dumps or Other Automated Tool Output\",\"details\":\"Reports that consist solely of crash dumps or output from automated tools without accompanying proof of concept code.\"}","{\"category\":\"Open Ports Scanning and Information Disclosure\",\"details\":\"Reports involving open ports scanning, banner grabbing, and software version disclosure issues will be excluded from the scope.\"}","{\"category\":\"MITM and Mixed Content Issues\",\"details\":\"Reports involving Man-In-The-Middle (MITM) attacks on secure connections and mixed content issues with no significant impact will be excluded from the scope.\"}","{\"category\":\"Vulnerabilities Requiring Elevated Permissions\",\"details\":\"Reports involving vulnerabilities that necessitate root-level permissions or physical access to the targeted 
device.\"}","{\"category\":\"Outdated User Agents and Unsupported Platforms\",\"details\":\"Reports concerning issues that only affect outdated user agents or unsupported platforms.\"}","{\"category\":\"Issues Related to the Missing Address Bar in Grammarly’s Desktop App\",\"details\":\"Reports concerning the missing address bar in Grammarly’s desktop app.\"}"],"timestamp":"2024-07-24T08:54:45.181Z"},{"id":3681858,"new_policy":"Security and privacy are core concepts at Grammarly. Grammarly looks forward to working with the security community to find security vulnerabilities in order to keep our business and customers safe.\n\n# Rules for us\n\n- We offer a **safe harbor (defined below) to all activities** that are consistent with this policy.\n- We respect the time and effort of our researchers.\n- We will do our best to keep you informed about our progress throughout the process.\n- We will try to award a bounty for a successfully validated report in 3 days after the triage.\n- We will not respond to threats or negotiate under duress.\n\n# Rules for you\n\n* Be an ethical hacker.\n* Respect privacy: Only interact with test Grammarly accounts you own.\n* Avoid testing that would result in privacy violations, destruction of data, or interruption or degradation of our service.\n* Contact us immediately if you inadvertently encounter user data. 
Do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local information upon reporting the vulnerability to Grammarly.\n* Follow [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines) during the triage and after the successful remediation of the vulnerability.\n\n# Grammarly CTF - $100K bounty\n\nThe first hacker who reports the `$FLAG` saved in the document (`document_id: 1198436185`) of the user  `h1_ctf@grammarly.com`  (`user_id: 1411519194`) will be awarded a **$100K bounty**.\n\n# Scope\n\n- `*.grammarly.com` - [**list of `*.grammarly.com` subdomains**](https://prod-grammarly-treasure-map.s3.us-east-1.amazonaws.com/latest.json).\n- `*.grammarly.io`\n- `*.grammarlyaws.com`\n- `*.grammarly.ai`\n- **Grammarly for Developers Text Editor SDK** - [Text editor SDK](https://developer.grammarly.com/) allows application developers to enhance their apps with writing assistant from Grammarly.\n- **Browser Extensions** for Chrome, Safari, Firefox, Edge__\n- **Grammarly Desktop** – desktop applications for [macOS](https://www.grammarly.com/desktop/mac) and [Windows](https://www.grammarly.com/desktop/windows). Windows app requires at least Windows 10 version 1903 to run.\n- **Grammarly Editor for Microsoft Windows and macOS** – Electron-powered desktop application for [macOS](https://download-editor.grammarly.com/osx/GrammarlyEditor.dmg) and [Windows](https://download-editor.grammarly.com/windows/GrammarlyEditor.exe). 
Only security issues with \"Network” attack vector are eligible for reporting.\n- **Add-On for Microsoft Word and Outlook** - [Grammarly add-on](https://www.grammarly.com/office-addin/windows) for MS Word and Outlook for Windows, powered by .NET.\n- **Add-On for Microsoft Word [JS SDK]**- [Grammarly add-on](https://appsource.microsoft.com/en-us/product/office/WA200001011?tab=Overview) for MS Word for macOS and Windows, powered by JS SDK.\n- **Mobile keyboards and applications for Android and iOS**\n\n\u003e Vulnerabilities in the Grammarly Keyboard for Android with a working proof of concept may qualify for an additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). To see which vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s [Vulnerability Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n# Rewards\n\n- We determine the value of the reward based on **the impact and severity** of the reported vulnerability. 
The final reward decisions are up to the discretion of the Grammarly Security team.\n- When duplicates (including internally known issues) occur, we only award the first report that we receive.\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n## Common vulnerabilities excluded from the scope\n\n* Social engineering (e.g., phishing, vishing, smishing) of Grammarly employees and users is strictly prohibited.\n* Clickjacking, CSRF, and content spoofing issues without demonstrable security impact.\n* CSV injection.\n* Publicly known vulnerable libraries without a working Proof of Concept.\n* Stack traces, path disclosure, and directory listings.\n* Self-XSS or having a user paste JavaScript into the browser console.\n* Vulnerabilities in outdated versions of Grammarly software.\n* Issues relating to non-Grammarly products.\n* Any activity that could lead to the disruption of our service (DoS).\n* Reports that include only crash dumps or other automated tool output without a proof of concept code.\n* Open ports scanning, banner grabbing, and software version disclosure issues.\n* **MITM attacks on secure connection** and “Mixed Content” issues.\n* Vulnerabilities that require root-level permissions or physical access to a targeted device.\n* Issues that affect only outdated user agents or unsupported platforms.\n* Issues related to the missing address bar in Grammarly’s desktop app.\n\n## Non-qualifying best practices\n\n* Missing cookie flags on non-authentication cookies.\n* Missing best practices in DNS configuration (e.g., DKIM/DMARC/SPF/TXT).\n* Missing best practices in SSL/TLS configuration.\n* Missing best practices in Content Security Policy (CSP) or lack of other security-related headers.\n* Leakage of sensitive tokens (e.g., reset password token) to trusted third parties on secure connection (HTTPS).\n\n## Non-qualifying business issues\n\n* Institution access code enumeration or demonstrating access codes leaked in 
internet forums.\n* Promo code link disclosure; duration or usage limitation issues\n* Credential re-usage from public dumps\n* UUID enumeration of any kind\n* Ability to determine if a username or email has a Grammarly account, also known as account oracle.\n* Signing up with multiple accounts to abuse referral code usage\n* Password length, complexity, and re-use requirements\n* Email verification feature\n* Sharing Premium accounts with other users isn’t considered a monetary impact\n\nThank you for helping keep Grammarly and our users safe!\n\n## Consequences of complying with this policy a.k.a. Safe Harbor\n\nWe will not pursue a civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistently with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Terms of Service, we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n​\nIf legal action is initiated by a third party against you and you have complied with Grammarly’s bug bounty policy, Grammarly will take steps to make it known that your actions were conducted in compliance with this policy.\n​\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-01-10T17:55:04.677Z"},{"id":3679753,"new_policy":"Security and privacy are core concepts at Grammarly. 
Grammarly looks forward to working with the security community to find security vulnerabilities in order to keep our business and customers safe.\n\n# Rules for us\n\n- We offer a **safe harbor (defined below) to all activities** that are consistent with this policy.\n- We respect the time and effort of our researchers.\n- We will do our best to keep you informed about our progress throughout the process.\n- We will try to award a bounty for a successfully validated report in 3 days after the triage.\n- We will not respond to threats or negotiate under duress.\n\n# Rules for you\n\n* Be an ethical hacker.\n* Respect privacy: Only interact with test Grammarly accounts you own.\n* Avoid testing that would result in privacy violations, destruction of data, or interruption or degradation of our service.\n* Contact us immediately if you inadvertently encounter user data. Do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local information upon reporting the vulnerability to Grammarly.\n* Follow [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines) during the triage and after the successful remediation of the vulnerability.\n\n# Grammarly CTF - $100K bounty\n\nThe first hacker who reports the `$FLAG` saved in the document (`document_id: 1198436185`) of the user  `h1_ctf@grammarly.com`  (`user_id: 1411519194`) will be awarded a **$100K bounty**.\n\n# Scope\n\n- `*.grammarly.com` - [**list of `*.grammarly.com` subdomains**](https://prod-grammarly-treasure-map.s3.us-east-1.amazonaws.com/latest.json).\n- `*.grammarly.io`\n- `*.grammarlyaws.com`\n- `*.grammarly.ai`\n- __Browser Extensions for Chrome, Safari, Firefox, Edge__\n- __Grammarly Desktop__ – desktop applications for [macOS](https://www.grammarly.com/desktop/mac) and [Windows](https://www.grammarly.com/desktop/windows). 
Windows app requires at least Windows 10 version 1903 to run.\n- __Grammarly Editor for Microsoft Windows and macOS__ – Electron-powered desktop application for [macOS](https://download-editor.grammarly.com/osx/GrammarlyEditor.dmg) and [Windows](https://download-editor.grammarly.com/windows/GrammarlyEditor.exe). Only security issues with \"Network\" attack vector are eligible for reporting.\n- __Add-On for Microsoft Word and Outlook__ - [Grammarly add-on](https://www.grammarly.com/office-addin/windows) for MS Word and Outlook for Windows, powered by .NET.\n- __Add-On for Microsoft Word__ - [Grammarly add-on](https://appsource.microsoft.com/en-us/product/office/WA200001011?tab=Overview) for MS Word for macOS and Windows, powered by JS SDK.\n- __Mobile keyboards and applications for Android and iOS__\n\n\u003e Vulnerabilities in the Grammarly Keyboard for Android with a working proof of concept may qualify for an additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). To see which vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s [Vulnerability Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n# Rewards\n\n- We determine the value of the reward based on **the impact and severity** of the reported vulnerability. 
The final reward decisions are up to the discretion of the Grammarly Security team.\n- When duplicates (including internally known issues) occur, we only award the first report that we receive.\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n## Common vulnerabilities excluded from the scope\n\n* Social engineering (e.g., phishing, vishing, smishing) of Grammarly employees and users is strictly prohibited.\n* Clickjacking, CSRF, and content spoofing issues without demonstrable security impact.\n* CSV injection.\n* Publicly known vulnerable libraries without a working Proof of Concept.\n* Stack traces, path disclosure, and directory listings.\n* Self-XSS or having a user paste JavaScript into the browser console.\n* Vulnerabilities in outdated versions of Grammarly software.\n* Issues relating to non-Grammarly products.\n* Any activity that could lead to the disruption of our service (DoS).\n* Reports that include only crash dumps or other automated tool output without a proof of concept code.\n* Open ports scanning, banner grabbing, and software version disclosure issues.\n* **MITM attacks on secure connection** and “Mixed Content” issues.\n* Vulnerabilities that require root-level permissions or physical access to a targeted device.\n* Issues that affect only outdated user agents or unsupported platforms.\n* Issues related to the missing address bar in Grammarly’s desktop app.\n\n## Non-qualifying best practices\n\n* Missing cookie flags on non-authentication cookies.\n* Missing best practices in DNS configuration (e.g., DKIM/DMARC/SPF/TXT).\n* Missing best practices in SSL/TLS configuration.\n* Missing best practices in Content Security Policy (CSP) or lack of other security-related headers.\n* Leakage of sensitive tokens (e.g., reset password token) to trusted third parties on secure connection (HTTPS).\n\n## Non-qualifying business issues\n\n* Institution access code enumeration or demonstrating access codes leaked in 
internet forums.\n* Promo code link disclosure; duration or usage limitation issues\n* Credential re-usage from public dumps\n* UUID enumeration of any kind\n* Ability to determine if a username or email has a Grammarly account, also known as account oracle.\n* Signing up with multiple accounts to abuse referral code usage\n* Password length, complexity, and re-use requirements\n* Email verification feature\n* Sharing Premium accounts with other users isn’t considered a monetary impact\n\nThank you for helping keep Grammarly and our users safe!\n\n## Consequences of complying with this policy a.k.a. Safe Harbor\n\nWe will not pursue a civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistently with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Terms of Service, we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n​\nIf legal action is initiated by a third party against you and you have complied with Grammarly’s bug bounty policy, Grammarly will take steps to make it known that your actions were conducted in compliance with this policy.\n​\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-11-09T21:02:07.258Z"},{"id":3667827,"new_policy":"Security and privacy are core concepts at Grammarly. 
Grammarly looks forward to working with the security community to find security vulnerabilities in order to keep our business and customers safe.\n\n# Rules for us\n\n- We offer a **safe harbor (defined below) to all activities** that are consistent with this policy.\n- We respect the time and effort of our researchers.\n- We will do our best to keep you informed about our progress throughout the process.\n- We will try to award a bounty for a successfully validated report in 3 days after the triage.\n- We will not respond to threats or negotiate under duress.\n\n# Rules for you\n\n* Be an ethical hacker.\n* Respect privacy: Only interact with test Grammarly accounts you own.\n* Avoid testing that would result in privacy violations, destruction of data, or interruption or degradation of our service.\n* Contact us immediately if you inadvertently encounter user data. Do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local information upon reporting the vulnerability to Grammarly.\n* Follow [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines) during the triage and after the successful remediation of the vulnerability.\n\n# Grammarly CTF - $100K bounty\n\nThe first hacker who reports the `$FLAG` saved in the document (`document_id: 1198436185`) of the user  `h1_ctf@grammarly.com`  (`user_id: 1411519194`) will be awarded a **$100K bounty**.\n\n# Scope\n\n- `*.grammarly.com` - [**list of `*.grammarly.com` subdomains**](https://prod-grammarly-treasure-map.s3.us-east-1.amazonaws.com/latest.json).\n- `*.grammarly.io`\n- `*.grammarlyaws.com`\n- `*.grammarly.ai`\n- __Browser Extensions for Chrome, Safari, Firefox, Edge__\n- __Grammarly Desktop__ – desktop applications for [macOS](https://www.grammarly.com/desktop/mac) and [Windows](https://www.grammarly.com/desktop/windows). 
Windows app requires at least Windows 10 version 1903 to run.\n- __Grammarly Editor for Microsoft Windows and macOS__ – Electron-powered desktop application for [macOS](https://download-editor.grammarly.com/osx/GrammarlyEditor.dmg) and [Windows](https://download-editor.grammarly.com/windows/GrammarlyEditor.exe). Only security issues with \"Network\" attack vector are eligible for reporting.\n- __Add-On for Microsoft Word and Outlook__ - [Grammarly add-on](https://www.grammarly.com/office-addin/windows) for MS Word and Outlook for Windows, powered by .NET.\n- __Add-On for Microsoft Word__ - [Grammarly add-on](https://appsource.microsoft.com/en-us/product/office/WA200001011?tab=Overview) for MS Word for macOS and Windows, powered by JS SDK.\n- __Mobile keyboards and applications for Android and iOS__\n\n\u003e Vulnerabilities in the Grammarly Keyboard for Android with a working proof of concept may qualify for an additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). To see which vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s [Vulnerability Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n# Rewards\n\n- We determine the value of the reward based on **the impact and severity** of the reported vulnerability. 
The final reward decisions are up to the discretion of the Grammarly Security team.\n- When duplicates (including internally known issues) occur, we only award the first report that we receive.\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n## Common vulnerabilities excluded from the scope\n\n* Social engineering (e.g., phishing, vishing, smishing) of Grammarly employees and users is strictly prohibited.\n* Clickjacking, CSRF, and content spoofing issues without demonstrable security impact.\n* CSV injection.\n* Publicly known vulnerable libraries without a working Proof of Concept.\n* Stack traces, path disclosure, and directory listings.\n* Self-XSS or having a user paste JavaScript into the browser console.\n* Vulnerabilities in outdated versions of Grammarly software.\n* Issues relating to non-Grammarly products.\n* Any activity that could lead to the disruption of our service (DoS).\n* Reports that include only crash dumps or other automated tool output without a proof of concept code.\n* Open ports scanning, banner grabbing, and software version disclosure issues.\n* **MITM attacks on secure connection** and “Mixed Content” issues.\n* Vulnerabilities that require root-level permissions or physical access to a targeted device.\n* Issues that affect only outdated user agents or unsupported platforms.\n* Issues related to the missing address bar in Grammarly’s desktop app.\n\n## Non-qualifying best practices\n\n* Missing cookie flags on non-authentication cookies.\n* Missing best practices in DNS configuration (e.g., DKIM/DMARC/SPF/TXT).\n* Missing best practices in SSL/TLS configuration.\n* Missing best practices in Content Security Policy (CSP) or lack of other security-related headers.\n* Leakage of sensitive tokens (e.g., reset password token) to trusted third parties on secure connection (HTTPS).\n\n## Non-qualifying business issues\n\n* Institution access code enumeration or demonstrating access codes leaked in 
internet forums.\n* Credential re-usage from public dumps\n* UUID enumeration of any kind\n* Ability to determine if a username or email has a Grammarly account, also known as account oracle.\n* Signing up with multiple accounts to abuse referral code usage\n* Password length, complexity, and re-use requirements\n* Email verification feature\n* Sharing Premium accounts with other users isn’t considered a monetary impact\n\nThank you for helping keep Grammarly and our users safe!\n\n## Consequences of complying with this policy a.k.a. Safe Harbor\n\nWe will not pursue a civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistently with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Terms of Service, we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you and you have complied with Grammarly’s bug bounty policy, Grammarly will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-03-09T16:03:42.907Z"},{"id":3665152,"new_policy":"Security and privacy are core concepts at Grammarly. 
Grammarly looks forward to working with the security community to find security vulnerabilities in order to keep our business and customers safe.\n\n# Rules for us\n\n- We offer a **safe harbor (defined below) to all activities** that are consistent with this policy.\n- We respect the time and effort of our researchers.\n- We will do our best to keep you informed about our progress throughout the process.\n- We will try to award a bounty for a successfully validated report in 3 days after the triage.\n- We will not respond to threats or negotiate under duress.\n\n# Rules for you\n\n* Be an ethical hacker.\n* Respect privacy: Only interact with test Grammarly accounts you own.\n* Avoid testing that would result in privacy violations, destruction of data, or interruption or degradation of our service.\n* Contact us immediately if you inadvertently encounter user data. Do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local information upon reporting the vulnerability to Grammarly.\n* Follow [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines) during the triage and after the successful remediation of the vulnerability.\n\n# Grammarly CTF - $100K bounty\n\nThe first hacker who reports the `$FLAG` saved in the document (`document_id: 1198436185`) of the user  `h1_ctf@grammarly.com`  (`user_id: 1411519194`) will be awarded a **$100K bounty**.\n\n# Scope\n\n- `*.grammarly.com`\n- `*.grammarly.io`\n- `*.grammarlyaws.com`\n- `*.grammarly.ai`\n- __Browser Extensions for Chrome, Safari, Firefox, Edge__\n- __Grammarly Desktop__ – desktop applications for [macOS](https://www.grammarly.com/desktop/mac) and [Windows](https://www.grammarly.com/desktop/windows). 
Windows app requires at least Windows 10 version 1903 to run.\n- __Grammarly Editor for Microsoft Windows and macOS__ – Electron-powered desktop application for [macOS](https://download-editor.grammarly.com/osx/GrammarlyEditor.dmg) and [Windows](https://download-editor.grammarly.com/windows/GrammarlyEditor.exe). Only security issues with a “Network” attack vector are eligible for reporting.\n- __Add-On for Microsoft Word and Outlook__ - [Grammarly add-on](https://www.grammarly.com/office-addin/windows) for MS Word and Outlook for Windows, powered by .NET.\n- __Add-On for Microsoft Word__ - [Grammarly add-on](https://appsource.microsoft.com/en-us/product/office/WA200001011?tab=Overview) for MS Word for macOS and Windows, powered by JS SDK.\n- __Mobile keyboards and applications for Android and iOS__\n\n\u003e Vulnerabilities in the Grammarly Keyboard for Android with a working proof of concept may qualify for an additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). To see which vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s [Vulnerability Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n# Rewards\n\n- We determine the value of the reward based on **the impact and severity** of the reported vulnerability. 
The final reward decisions are up to the discretion of the Grammarly Security team.\n- When duplicates (including internally known issues) occur, we only award the first report that we receive.\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n## Common vulnerabilities excluded from the scope\n\n* Social engineering (e.g., phishing, vishing, smishing) of Grammarly employees and users is strictly prohibited.\n* Clickjacking, CSRF, and content spoofing issues without demonstrable security impact.\n* CSV injection.\n* Publicly known vulnerable libraries without a working Proof of Concept.\n* Stack traces, path disclosure, and directory listings.\n* Self-XSS or having a user paste JavaScript into the browser console.\n* Vulnerabilities in outdated versions of Grammarly software.\n* Issues relating to non-Grammarly products.\n* Any activity that could lead to the disruption of our service (DoS).\n* Reports that include only crash dumps or other automated tool output without a proof of concept code.\n* Open ports scanning, banner grabbing, and software version disclosure issues.\n* **MITM attacks on secure connection** and “Mixed Content” issues.\n* Vulnerabilities that require root-level permissions or physical access to a targeted device.\n* Issues that affect only outdated user agents or unsupported platforms.\n* Issues related to the missing address bar in Grammarly’s desktop app.\n\n## Non-qualifying best practices\n\n* Missing cookie flags on non-authentication cookies.\n* Missing best practices in DNS configuration (e.g., DKIM/DMARC/SPF/TXT).\n* Missing best practices in SSL/TLS configuration.\n* Missing best practices in Content Security Policy (CSP) or lack of other security-related headers.\n* Leakage of sensitive tokens (e.g., reset password token) to trusted third parties on secure connection (HTTPS).\n\n## Non-qualifying business issues\n\n* Institution access code enumeration or demonstrating access codes leaked in 
internet forums.\n* Credential re-usage from public dumps\n* UUID enumeration of any kind\n* Ability to determine if a username or email has a Grammarly account, also known as account oracle.\n* Signing up with multiple accounts to abuse referral code usage\n* Password length, complexity, and re-use requirements\n* Email verification feature\n* Sharing Premium accounts with other users isn’t considered a monetary impact\n\nThank you for helping keep Grammarly and our users safe!\n\n## Consequences of complying with this policy a.k.a. Safe Harbor\n\nWe will not pursue a civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistently with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Terms of Service, we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you and you have complied with Grammarly’s bug bounty policy, Grammarly will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-01-26T11:38:03.127Z"},{"id":3663205,"new_policy":"Security and privacy are core concepts at Grammarly. 
Grammarly looks forward to working with the security community to find security vulnerabilities in order to keep our business and customers safe.\n\n# Rules for us\n\n- We offer a **safe harbor (defined below) to all activities** that are consistent with this policy.\n- We respect the time and effort of our researchers.\n- We will do our best to keep you informed about our progress throughout the process.\n- We will try to award a bounty for a successfully validated report in 3 days after the triage.\n- We will not respond to threats or negotiate under duress.\n\n# Rules for you\n\n* Be an ethical hacker.\n* Respect privacy: Only interact with test Grammarly accounts you own.\n* Avoid testing that would result in privacy violations, destruction of data, or interruption or degradation of our service.\n* Contact us immediately if you inadvertently encounter user data. Do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local information upon reporting the vulnerability to Grammarly.\n* Follow [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines) during the triage and after the successful remediation of the vulnerability.\n\n# Grammarly CTF - $100K bounty\n\nThe first hacker who reports the `$FLAG` saved in the document (`document_id: 1198436185`) of the user  `h1_ctf@grammarly.com`  (`user_id: 1411519194`) will be awarded a **$100K bounty**.\n\n# Log4jRCE - $50K bounty\n\nWhile the whole world is busy hacking and patching the log4j RCE vulnerability, we would like to challenge you to find one within our scope — and will be glad to reward you with a special $50,000 bounty for that! We are pretty sure we patched 'em all but would be delighted if you proved us wrong. 
;) Log4j DoS will get you a $5k reward.\n*Promo duration: until January 20.*\n\n# Scope\n\n- `*.grammarly.com`\n- `*.grammarly.io`\n- `*.grammarlyaws.com`\n- `*.grammarly.ai`\n- __Browser Extensions for Chrome, Safari, Firefox, Edge__\n- __Grammarly Desktop__ – desktop applications for [macOS](https://www.grammarly.com/desktop/mac) and [Windows](https://www.grammarly.com/desktop/windows). Windows app requires at least Windows 10 version 1903 to run.\n- __Grammarly Editor for Microsoft Windows and macOS__ – Electron-powered desktop application for [macOS](https://download-editor.grammarly.com/osx/GrammarlyEditor.dmg) and [Windows](https://download-editor.grammarly.com/windows/GrammarlyEditor.exe). Only security issues with a “Network” attack vector are eligible for reporting.\n- __Add-On for Microsoft Word and Outlook__ - [Grammarly add-on](https://www.grammarly.com/office-addin/windows) for MS Word and Outlook for Windows, powered by .NET.\n- __Add-On for Microsoft Word__ - [Grammarly add-on](https://appsource.microsoft.com/en-us/product/office/WA200001011?tab=Overview) for MS Word for macOS and Windows, powered by JS SDK.\n- __Mobile keyboards and applications for Android and iOS__\n\n\u003e Vulnerabilities in the Grammarly Keyboard for Android with a working proof of concept may qualify for an additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). To see which vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s [Vulnerability Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n# Rewards\n\n- We determine the value of the reward based on **the impact and severity** of the reported vulnerability. 
The final reward decisions are up to the discretion of the Grammarly Security team.\n- When duplicates (including internally known issues) occur, we only award the first report that we receive.\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n## Common vulnerabilities excluded from the scope\n\n* Social engineering (e.g., phishing, vishing, smishing) of Grammarly employees and users is strictly prohibited.\n* Clickjacking, CSRF, and content spoofing issues without demonstrable security impact.\n* CSV injection.\n* Publicly known vulnerable libraries without a working Proof of Concept.\n* Stack traces, path disclosure, and directory listings.\n* Self-XSS or having a user paste JavaScript into the browser console.\n* Vulnerabilities in outdated versions of Grammarly software.\n* Issues relating to non-Grammarly products.\n* Any activity that could lead to the disruption of our service (DoS).\n* Reports that include only crash dumps or other automated tool output without a proof of concept code.\n* Open ports scanning, banner grabbing, and software version disclosure issues.\n* **MITM attacks on secure connection** and “Mixed Content” issues.\n* Vulnerabilities that require root-level permissions or physical access to a targeted device.\n* Issues that affect only outdated user agents or unsupported platforms.\n* Issues related to the missing address bar in Grammarly’s desktop app.\n\n## Non-qualifying best practices\n\n* Missing cookie flags on non-authentication cookies.\n* Missing best practices in DNS configuration (e.g., DKIM/DMARC/SPF/TXT).\n* Missing best practices in SSL/TLS configuration.\n* Missing best practices in Content Security Policy (CSP) or lack of other security-related headers.\n* Leakage of sensitive tokens (e.g., reset password token) to trusted third parties on secure connection (HTTPS).\n\n## Non-qualifying business issues\n\n* Institution access code enumeration or demonstrating access codes leaked in 
internet forums.\n* Credential re-usage from public dumps\n* UUID enumeration of any kind\n* Ability to determine if a username or email has a Grammarly account, also known as account oracle.\n* Signing up with multiple accounts to abuse referral code usage\n* Password length, complexity, and re-use requirements\n* Email verification feature\n* Sharing Premium accounts with other users isn’t considered a monetary impact\n\nThank you for helping keep Grammarly and our users safe!\n\n## Consequences of complying with this policy a.k.a. Safe Harbor\n\nWe will not pursue a civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistently with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Terms of Service, we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you and you have complied with Grammarly’s bug bounty policy, Grammarly will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-12-20T17:31:51.687Z"},{"id":3663204,"new_policy":"Security and privacy are core concepts at Grammarly. 
Grammarly looks forward to working with the security community to find security vulnerabilities in order to keep our business and customers safe.\n\n# Rules for us\n\n- We offer a **safe harbor (defined below) to all activities** that are consistent with this policy.\n- We respect the time and effort of our researchers.\n- We will do our best to keep you informed about our progress throughout the process.\n- We will try to award a bounty for a successfully validated report in 3 days after the triage.\n- We will not respond to threats or negotiate under duress.\n\n# Rules for you\n\n* Be an ethical hacker.\n* Respect privacy: Only interact with test Grammarly accounts you own.\n* Avoid testing that would result in privacy violations, destruction of data, or interruption or degradation of our service.\n* Contact us immediately if you inadvertently encounter user data. Do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local information upon reporting the vulnerability to Grammarly.\n* Follow [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines) during the triage and after the successful remediation of the vulnerability.\n\n# Grammarly CTF - $100K bounty\n\nThe first hacker who reports the `$FLAG` saved in the document (`document_id: 1198436185`) of the user  `h1_ctf@grammarly.com`  (`user_id: 1411519194`) will be awarded a **$100K bounty**.\n\n# Log4jRCE - $50K bounty\n\nWhile the whole world is busy hacking and patching the log4j RCE vulnerability, we would like to challenge you to find one within our scope — and will be glad to reward you with a special $50,000 bounty for that! We are pretty sure we patched 'em all but would be delighted if you proved us wrong. ;)\nPromo duration: until January 20. 
Log4j DoS will get you a $5k reward.\n\n# Scope\n\n- `*.grammarly.com`\n- `*.grammarly.io`\n- `*.grammarlyaws.com`\n- `*.grammarly.ai`\n- __Browser Extensions for Chrome, Safari, Firefox, Edge__\n- __Grammarly Desktop__ – desktop applications for [macOS](https://www.grammarly.com/desktop/mac) and [Windows](https://www.grammarly.com/desktop/windows). Windows app requires at least Windows 10 version 1903 to run.\n- __Grammarly Editor for Microsoft Windows and macOS__ – Electron-powered desktop application for [macOS](https://download-editor.grammarly.com/osx/GrammarlyEditor.dmg) and [Windows](https://download-editor.grammarly.com/windows/GrammarlyEditor.exe). Only security issues with a “Network” attack vector are eligible for reporting.\n- __Add-On for Microsoft Word and Outlook__ - [Grammarly add-on](https://www.grammarly.com/office-addin/windows) for MS Word and Outlook for Windows, powered by .NET.\n- __Add-On for Microsoft Word__ - [Grammarly add-on](https://appsource.microsoft.com/en-us/product/office/WA200001011?tab=Overview) for MS Word for macOS and Windows, powered by JS SDK.\n- __Mobile keyboards and applications for Android and iOS__\n\n\u003e Vulnerabilities in the Grammarly Keyboard for Android with a working proof of concept may qualify for an additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). To see which vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s [Vulnerability Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n# Rewards\n\n- We determine the value of the reward based on **the impact and severity** of the reported vulnerability. 
The final reward decisions are up to the discretion of the Grammarly Security team.\n- When duplicates (including internally known issues) occur, we only award the first report that we receive.\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n## Common vulnerabilities excluded from the scope\n\n* Social engineering (e.g., phishing, vishing, smishing) of Grammarly employees and users is strictly prohibited.\n* Clickjacking, CSRF, and content spoofing issues without demonstrable security impact.\n* CSV injection.\n* Publicly known vulnerable libraries without a working Proof of Concept.\n* Stack traces, path disclosure, and directory listings.\n* Self-XSS or having a user paste JavaScript into the browser console.\n* Vulnerabilities in outdated versions of Grammarly software.\n* Issues relating to non-Grammarly products.\n* Any activity that could lead to the disruption of our service (DoS).\n* Reports that include only crash dumps or other automated tool output without a proof of concept code.\n* Open ports scanning, banner grabbing, and software version disclosure issues.\n* **MITM attacks on secure connection** and “Mixed Content” issues.\n* Vulnerabilities that require root-level permissions or physical access to a targeted device.\n* Issues that affect only outdated user agents or unsupported platforms.\n* Issues related to the missing address bar in Grammarly’s desktop app.\n\n## Non-qualifying best practices\n\n* Missing cookie flags on non-authentication cookies.\n* Missing best practices in DNS configuration (e.g., DKIM/DMARC/SPF/TXT).\n* Missing best practices in SSL/TLS configuration.\n* Missing best practices in Content Security Policy (CSP) or lack of other security-related headers.\n* Leakage of sensitive tokens (e.g., reset password token) to trusted third parties on secure connection (HTTPS).\n\n## Non-qualifying business issues\n\n* Institution access code enumeration or demonstrating access codes leaked in 
internet forums.\n* Credential re-usage from public dumps\n* UUID enumeration of any kind\n* Ability to determine if a username or email has a Grammarly account, also known as account oracle.\n* Signing up with multiple accounts to abuse referral code usage\n* Password length, complexity, and re-use requirements\n* Email verification feature\n* Sharing Premium accounts with other users isn’t considered a monetary impact\n\nThank you for helping keep Grammarly and our users safe!\n\n## Consequences of complying with this policy a.k.a. Safe Harbor\n\nWe will not pursue a civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistently with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Terms of Service, we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you and you have complied with Grammarly’s bug bounty policy, Grammarly will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-12-20T17:29:09.297Z"},{"id":3662095,"new_policy":"Security and privacy are core concepts at Grammarly. 
Grammarly looks forward to working with the security community to find security vulnerabilities in order to keep our business and customers safe.\n\n# Rules for us\n\n- We offer a **safe harbor (defined below) to all activities** that are consistent with this policy.\n- We respect the time and effort of our researchers.\n- We will do our best to keep you informed about our progress throughout the process.\n- We will try to award a bounty for a successfully validated report in 3 days after the triage.\n- We will not respond to threats or negotiate under duress.\n\n# Rules for you\n\n* Be an ethical hacker.\n* Respect privacy: Only interact with test Grammarly accounts you own.\n* Avoid testing that would result in privacy violations, destruction of data, or interruption or degradation of our service.\n* Contact us immediately if you inadvertently encounter user data. Do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local information upon reporting the vulnerability to Grammarly.\n* Follow [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines) during the triage and after the successful remediation of the vulnerability.\n\n# Grammarly CTF - $100K bounty\n\nThe first hacker who reports the `$FLAG` saved in the document (`document_id: 1198436185`) of the user  `h1_ctf@grammarly.com`  (`user_id: 1411519194`) will be awarded a **$100K bounty**.\n\n# Scope\n\n- `*.grammarly.com`\n- `*.grammarly.io`\n- `*.grammarlyaws.com`\n- `*.grammarly.ai`\n- __Browser Extensions for Chrome, Safari, Firefox, Edge__\n- __Grammarly Desktop__ – desktop applications for [macOS](https://www.grammarly.com/desktop/mac) and [Windows](https://www.grammarly.com/desktop/windows). 
Windows app requires at least Windows 10 version 1903 to run.\n- __Grammarly Editor for Microsoft Windows and macOS__ – Electron-powered desktop application for [macOS](https://download-editor.grammarly.com/osx/GrammarlyEditor.dmg) and [Windows](https://download-editor.grammarly.com/windows/GrammarlyEditor.exe). Only security issues with a “Network” attack vector are eligible for reporting.\n- __Add-On for Microsoft Word and Outlook__ - [Grammarly add-on](https://www.grammarly.com/office-addin/windows) for MS Word and Outlook for Windows, powered by .NET.\n- __Add-On for Microsoft Word__ - [Grammarly add-on](https://appsource.microsoft.com/en-us/product/office/WA200001011?tab=Overview) for MS Word for macOS and Windows, powered by JS SDK.\n- __Mobile keyboards and applications for Android and iOS__\n\n\u003e Vulnerabilities in the Grammarly Keyboard for Android with a working proof of concept may qualify for an additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). To see which vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s [Vulnerability Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n# Rewards\n\n- We determine the value of the reward based on **the impact and severity** of the reported vulnerability. 
The final reward decisions are up to the discretion of the Grammarly Security team.\n- When duplicates (including internally known issues) occur, we only award the first report that we receive.\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n## Common vulnerabilities excluded from the scope\n\n* Social engineering (e.g., phishing, vishing, smishing) of Grammarly employees and users is strictly prohibited.\n* Clickjacking, CSRF, and content spoofing issues without demonstrable security impact.\n* CSV injection.\n* Publicly known vulnerable libraries without a working Proof of Concept.\n* Stack traces, path disclosure, and directory listings.\n* Self-XSS or having a user paste JavaScript into the browser console.\n* Vulnerabilities in outdated versions of Grammarly software.\n* Issues relating to non-Grammarly products.\n* Any activity that could lead to the disruption of our service (DoS).\n* Reports that include only crash dumps or other automated tool output without a proof of concept code.\n* Open ports scanning, banner grabbing, and software version disclosure issues.\n* **MITM attacks on secure connection** and “Mixed Content” issues.\n* Vulnerabilities that require root-level permissions or physical access to a targeted device.\n* Issues that affect only outdated user agents or unsupported platforms.\n* Issues related to the missing address bar in Grammarly’s desktop app.\n\n## Non-qualifying best practices\n\n* Missing cookie flags on non-authentication cookies.\n* Missing best practices in DNS configuration (e.g., DKIM/DMARC/SPF/TXT).\n* Missing best practices in SSL/TLS configuration.\n* Missing best practices in Content Security Policy (CSP) or lack of other security-related headers.\n* Leakage of sensitive tokens (e.g., reset password token) to trusted third parties on secure connection (HTTPS).\n\n## Non-qualifying business issues\n\n* Institution access code enumeration or demonstrating access codes leaked in 
internet forums.\n* Credential re-usage from public dumps\n* UUID enumeration of any kind\n* Ability to determine if a username or email has a Grammarly account, also known as account oracle.\n* Signing up with multiple accounts to abuse referral code usage\n* Password length, complexity, and re-use requirements\n* Email verification feature\n* Sharing Premium accounts with other users isn’t considered a monetary impact\n\nThank you for helping keep Grammarly and our users safe!\n\n## Consequences of complying with this policy a.k.a. Safe Harbor\n\nWe will not pursue a civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistently with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Terms of Service, we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you and you have complied with Grammarly’s bug bounty policy, Grammarly will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-11-23T16:13:39.013Z"},{"id":3662090,"new_policy":"Security and privacy are core concepts at Grammarly. 
Grammarly looks forward to working with the security community to find security vulnerabilities in order to keep our business and customers safe.\n\n# Rules for us\n\n- We offer a **safe harbor (defined below) to all activities** that are consistent with this policy.\n- We respect the time and effort of our researchers.\n- We will do our best to keep you informed about our progress throughout the process.\n- We will try to award a bounty for a successfully validated report in 3 days after the triage.\n- We will not respond to threats or negotiate under duress.\n\n# Rules for you\n\n* Be an ethical hacker.\n* Respect privacy: Only interact with test Grammarly accounts you own.\n* Avoid testing that would result in privacy violations, destruction of data, or interruption or degradation of our service.\n* Contact us immediately if you inadvertently encounter user data. Do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local information upon reporting the vulnerability to Grammarly.\n* Follow [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines) during the triage and after the successful remediation of the vulnerability.\n\n# Grammarly CTF - $100K bounty\n\nThe first hacker who reports the `$FLAG` saved in the document (`document_id: 1198436185`) of the user  `h1_ctf@grammarly.com`  (`user_id: 1411519194`) will be awarded a **$100K bounty**.\n\n# Scope\n\n- `*.grammarly.com`\n- `*.grammarly.io`\n- `*.grammarlyaws.com`\n- `*.grammarly.ai`\n- __Browser Extensions for Chrome, Safari, Firefox, Edge__\n- __Grammarly Desktop__ – desktop applications for [macOS](https://www.grammarly.com/desktop/mac) and [Windows](https://www.grammarly.com/desktop/windows). 
Windows app requires at least Windows 10 version 1903 to run.\n- __Add-On for Microsoft Word and Outlook__ - [Grammarly add-on](https://www.grammarly.com/office-addin/windows) for MS Word and Outlook for Windows, powered by .NET.\n- __Add-On for Microsoft Word__ - [Grammarly add-on](https://appsource.microsoft.com/en-us/product/office/WA200001011?tab=Overview) for MS Word for macOS and Windows, powered by JS SDK.\n- __Mobile keyboards and applications for Android and iOS__\n\n\u003e Vulnerabilities in the Grammarly Keyboard for Android with a working proof of concept may qualify for an additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). To see which vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s [Vulnerability Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n# Rewards\n\n- We determine the value of the reward based on **the impact and severity** of the reported vulnerability. 
The final reward decisions are up to the discretion of the Grammarly Security team.\n- When duplicates (including internally known issues) occur, we only award the first report that we receive.\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n## Common vulnerabilities excluded from the scope\n\n* Social engineering (e.g., phishing, vishing, smishing) of Grammarly employees and users is strictly prohibited.\n* Clickjacking, CSRF, and content spoofing issues without demonstrable security impact.\n* CSV injection.\n* Publicly known vulnerable libraries without a working Proof of Concept.\n* Stack traces, path disclosure, and directory listings.\n* Self-XSS or having a user paste JavaScript into the browser console.\n* Vulnerabilities in outdated versions of Grammarly software.\n* Issues relating to non-Grammarly products.\n* Any activity that could lead to the disruption of our service (DoS).\n* Reports that include only crash dumps or other automated tool output without a proof of concept code.\n* Open ports scanning, banner grabbing, and software version disclosure issues.\n* **MITM attacks on secure connection** and “Mixed Content” issues.\n* Vulnerabilities that require root-level permissions or physical access to a targeted device.\n* Issues that affect only outdated user agents or unsupported platforms.\n* Issues related to the missing address bar in Grammarly’s desktop app.\n\n## Non-qualifying best practices\n\n* Missing cookie flags on non-authentication cookies.\n* Missing best practices in DNS configuration (e.g., DKIM/DMARC/SPF/TXT).\n* Missing best practices in SSL/TLS configuration.\n* Missing best practices in Content Security Policy (CSP) or lack of other security-related headers.\n* Leakage of sensitive tokens (e.g., reset password token) to trusted third parties on secure connection (HTTPS).\n\n## Non-qualifying business issues\n\n* Institution access code enumeration or demonstrating access codes leaked in 
internet forums.\n* Credential re-usage from public dumps\n* UUID enumeration of any kind\n* Ability to determine if a username or email has a Grammarly account, also known as account oracle.\n* Signing up with multiple accounts to abuse referral code usage\n* Password length, complexity, and re-use requirements\n* Email verification feature\n* Sharing Premium accounts with other users isn’t considered a monetary impact\n\nThank you for helping keep Grammarly and our users safe!\n\n## Consequences of complying with this policy a.k.a. Safe Harbor\n\nWe will not pursue a civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistently with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Terms of Service, we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you and you have complied with Grammarly’s bug bounty policy, Grammarly will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-11-23T15:55:31.983Z"},{"id":3655192,"new_policy":"Security and privacy are core concepts at Grammarly. 
Grammarly looks forward to working with the security community to find security vulnerabilities in order to keep our business and customers safe.\n\n# Rules for us\n\n- We offer a **safe harbor (defined below) to all activities** that are consistent with this policy.\n- We respect the time and effort of our researchers.\n- We will do our best to keep you informed about our progress throughout the process.\n- We will try to award a bounty for a successfully validated report in 3 days after the triage.\n- We will not respond to threats or negotiate under duress.\n\n# Rules for you\n\n* Be an ethical hacker.\n* Respect privacy: Only interact with test Grammarly accounts you own.\n* Avoid testing that would result in privacy violations, destruction of data, or interruption or degradation of our service.\n* Contact us immediately if you inadvertently encounter user data. Do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local information upon reporting the vulnerability to Grammarly.\n* Follow [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines) during the triage and after the successful remediation of the vulnerability.\n\n# Grammarly CTF - $100K bounty\n\nThe first hacker who reports the `$FLAG` saved in the document (`document_id: 1198436185`) of the user  `h1_ctf@grammarly.com`  (`user_id: 1411519194`) will be awarded a **$100K bounty**.\n\n# Scope\n\n- `*.grammarly.com`\n- `*.grammarly.io`\n- `*.grammarlyaws.com`\n- `*.grammarly.ai`\n- __Browser Extensions for Chrome, Safari, Firefox, Edge__\n- __Desktop Editor for Microsoft Windows and macOS__ – Electron-powered desktop application for [macOS](https://www.grammarly.com/native/mac) and [Windows](https://www.grammarly.com/native/windows). 
Only security issues with “Network” attack vector are eligible for reporting.\n- __Add-On for Microsoft Word and Outlook__ - [Grammarly add-on](https://www.grammarly.com/office-addin/windows) for MS Word and Outlook for Windows, powered by .NET.\n- __Add-On for Microsoft Word__ - [Grammarly add-on](https://appsource.microsoft.com/en-us/product/office/WA200001011?tab=Overview) for MS Word for macOS and Windows, powered by JS SDK.\n- __Mobile keyboards and applications for Android and iOS__\n- __Grammarly Beta for Windows__ - [Windows application](https://download-windows.grammarly.com/GrammarlyInstaller.exe). This software requires Windows 10 version 1903 and higher to run.\n- __Grammarly Beta for macOS__ - [macOS application](https://download-mac.grammarly.com/Grammarly.dmg).\n\n\u003e Vulnerabilities in the Grammarly Keyboard for Android with a working proof of concept may qualify for an additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). To see which vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s [Vulnerability Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n# Rewards\n\n- We determine the value of the reward based on **the impact and severity** of the reported vulnerability. 
The final reward decisions are up to the discretion of the Grammarly Security team.\n- When duplicates (including internally known issues) occur, we only award the first report that we receive.\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n## Common vulnerabilities excluded from the scope\n\n* Social engineering (e.g., phishing, vishing, smishing) of Grammarly employees and users is strictly prohibited.\n* Clickjacking, CSRF, and content spoofing issues without demonstrable security impact.\n* CSV injection.\n* Publicly known vulnerable libraries without a working Proof of Concept.\n* Stack traces, path disclosure, and directory listings.\n* Self-XSS or having a user paste JavaScript into the browser console.\n* Vulnerabilities in outdated versions of Grammarly software.\n* Issues relating to non-Grammarly products.\n* Any activity that could lead to the disruption of our service (DoS).\n* Reports that include only crash dumps or other automated tool output without a proof of concept code.\n* Open ports scanning, banner grabbing, and software version disclosure issues.\n* **MITM attacks on secure connection** and “Mixed Content” issues.\n* Vulnerabilities that require root-level permissions or physical access to a targeted device.\n* Issues that affect only outdated user agents or unsupported platforms.\n* Issues related to the missing address bar in Grammarly’s desktop app.\n\n## Non-qualifying best practices\n\n* Missing cookie flags on non-authentication cookies.\n* Missing best practices in DNS configuration (e.g., DKIM/DMARC/SPF/TXT).\n* Missing best practices in SSL/TLS configuration.\n* Missing best practices in Content Security Policy (CSP) or lack of other security-related headers.\n* Leakage of sensitive tokens (e.g., reset password token) to trusted third parties on secure connection (HTTPS).\n\n## Non-qualifying business issues\n\n* Institution access code enumeration or demonstrating access codes leaked in 
internet forums.\n* Credential re-usage from public dumps\n* UUID enumeration of any kind\n* Ability to determine if a username or email has a Grammarly account, also known as account oracle.\n* Signing up with multiple accounts to abuse referral code usage\n* Password length, complexity, and re-use requirements\n* Email verification feature\n* Sharing Premium accounts with other users isn’t considered a monetary impact\n\nThank you for helping keep Grammarly and our users safe!\n\n## Consequences of complying with this policy a.k.a. Safe Harbor\n\nWe will not pursue a civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistently with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Terms of Service, we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you and you have complied with Grammarly’s bug bounty policy, Grammarly will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-07-20T10:36:10.637Z"},{"id":3654123,"new_policy":"Security and privacy are core concepts at Grammarly. 
Grammarly looks forward to working with the security community to find security vulnerabilities in order to keep our business and customers safe.\n\n# Rules for us\n\n- We offer a **safe harbor (defined below) to all activities** that are consistent with this policy.\n- We respect the time and effort of our researchers.\n- We will do our best to keep you informed about our progress throughout the process.\n- We will try to award a bounty for a successfully validated report in 3 days after the triage.\n- We will not respond to threats or negotiate under duress.\n\n# Rules for you\n\n* Be an ethical hacker.\n* Respect privacy: Only interact with test Grammarly accounts you own.\n* Avoid testing that would result in privacy violations, destruction of data, or interruption or degradation of our service.\n* Contact us immediately if you inadvertently encounter user data. Do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local information upon reporting the vulnerability to Grammarly.\n* Follow [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines) during the triage and after the successful remediation of the vulnerability.\n\n# Grammarly CTF - $50K bounty\n\nThe first hacker who reports the `$FLAG` saved in the document (`document_id: 1198436185`) of the user  `h1_ctf@grammarly.com`  (`user_id: 1411519194`) will be awarded a **$50K bounty**.\n\n# Scope\n\n- `*.grammarly.com`\n- `*.grammarly.io`\n- `*.grammarlyaws.com`\n- `*.grammarly.ai`\n- __Browser Extensions for Chrome, Safari, Firefox, Edge__\n- __Desktop Editor for Microsoft Windows and macOS__ – Electron-powered desktop application for [macOS](https://www.grammarly.com/native/mac) and [Windows](https://www.grammarly.com/native/windows). 
Only security issues with “Network” attack vector are eligible for reporting.\n- __Add-On for Microsoft Word and Outlook__ - [Grammarly add-on](https://www.grammarly.com/office-addin/windows) for MS Word and Outlook for Windows, powered by .NET.\n- __Add-On for Microsoft Word__ - [Grammarly add-on](https://appsource.microsoft.com/en-us/product/office/WA200001011?tab=Overview) for MS Word for macOS and Windows, powered by JS SDK.\n- __Mobile keyboards and applications for Android and iOS__\n- __Grammarly Beta for Windows__ - [Windows application](https://download-windows.grammarly.com/GrammarlyInstaller.exe). This software requires Windows 10 version 1903 and higher to run.\n- __Grammarly Beta for macOS__ - [macOS application](https://download-mac.grammarly.com/Grammarly.dmg).\n\n\u003e Vulnerabilities in the Grammarly Keyboard for Android with a working proof of concept may qualify for an additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). To see which vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s [Vulnerability Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n# Rewards\n\n- We determine the value of the reward based on **the impact and severity** of the reported vulnerability. 
The final reward decisions are up to the discretion of the Grammarly Security team.\n- When duplicates (including internally known issues) occur, we only award the first report that we receive.\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n## Common vulnerabilities excluded from the scope\n\n* Social engineering (e.g., phishing, vishing, smishing) of Grammarly employees and users is strictly prohibited.\n* Clickjacking, CSRF, and content spoofing issues without demonstrable security impact.\n* CSV injection.\n* Publicly known vulnerable libraries without a working Proof of Concept.\n* Stack traces, path disclosure, and directory listings.\n* Self-XSS or having a user paste JavaScript into the browser console.\n* Vulnerabilities in outdated versions of Grammarly software.\n* Issues relating to non-Grammarly products.\n* Any activity that could lead to the disruption of our service (DoS).\n* Reports that include only crash dumps or other automated tool output without a proof of concept code.\n* Open ports scanning, banner grabbing, and software version disclosure issues.\n* **MITM attacks on secure connection** and “Mixed Content” issues.\n* Vulnerabilities that require root-level permissions or physical access to a targeted device.\n* Issues that affect only outdated user agents or unsupported platforms.\n* Issues related to the missing address bar in Grammarly’s desktop app.\n\n## Non-qualifying best practices\n\n* Missing cookie flags on non-authentication cookies.\n* Missing best practices in DNS configuration (e.g., DKIM/DMARC/SPF/TXT).\n* Missing best practices in SSL/TLS configuration.\n* Missing best practices in Content Security Policy (CSP) or lack of other security-related headers.\n* Leakage of sensitive tokens (e.g., reset password token) to trusted third parties on secure connection (HTTPS).\n\n## Non-qualifying business issues\n\n* Institution access code enumeration or demonstrating access codes leaked in 
internet forums.\n* Credential re-usage from public dumps\n* UUID enumeration of any kind\n* Ability to determine if a username or email has a Grammarly account, also known as account oracle.\n* Signing up with multiple accounts to abuse referral code usage\n* Password length, complexity, and re-use requirements\n* Email verification feature\n* Sharing Premium accounts with other users isn’t considered a monetary impact\n\nThank you for helping keep Grammarly and our users safe!\n\n## Consequences of complying with this policy a.k.a. Safe Harbor\n\nWe will not pursue a civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistently with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Terms of Service, we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you and you have complied with Grammarly’s bug bounty policy, Grammarly will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-06-30T14:01:51.415Z"},{"id":3654119,"new_policy":"Security and privacy are core concepts at Grammarly. 
Grammarly looks forward to working with the security community to find security vulnerabilities in order to keep our business and customers safe.\n\n# Rules for us\n\n- We offer a **safe harbor (defined below) to all activities** that are consistent with this policy.\n- We respect the time and effort of our researchers.\n- We will do our best to keep you informed about our progress throughout the process.\n- We will try to award a bounty for a successfully validated report in 3 days after the triage.\n- We will not respond to threats or negotiate under duress.\n\n# Rules for you\n\n* Be an ethical hacker.\n* Respect privacy: Only interact with test Grammarly accounts you own.\n* Avoid testing that would result in privacy violations, destruction of data, or interruption or degradation of our service.\n* Contact us immediately if you inadvertently encounter user data. Do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local information upon reporting the vulnerability to Grammarly.\n* Follow [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines) during the triage and after the successful remediation of the vulnerability.\n\n# Grammarly CTF - $50K bounty\n\nThe first hacker who reports the `$FLAG` saved in the document (`document_id: 1198436185`) of the user  `h1_ctf@grammarly.com`  (`user_id: 1411519194`) will be awarded with a **$50K bounty**.\n\n# Scope\n\n- `*.grammarly.com`\n- `*.grammarly.io`\n- `*.grammarlyaws.com`\n- `*.grammarly.ai`\n- __Browser Extensions for Chrome, Safari, Firefox, Edge__\n- __Desktop Editor for Microsoft Windows and macOS__ – Electron-powered desktop application for [macOS](https://www.grammarly.com/native/mac) and [Windows](https://www.grammarly.com/native/windows). 
Only security issues with “Network” attack vector are eligible for reporting.\n- __Add-On for Microsoft Word and Outlook__ - [Grammarly add-on](https://www.grammarly.com/office-addin/windows) for MS Word and Outlook for Windows, powered by .NET.\n- __Add-On for Microsoft Word__ - [Grammarly add-on](https://appsource.microsoft.com/en-us/product/office/WA200001011?tab=Overview) for MS Word for macOS and Windows, powered by JS SDK.\n- __Mobile keyboards and applications for Android and iOS__\n- __Grammarly Beta for Windows__ - [Windows application](https://download-windows.grammarly.com/GrammarlyInstaller.exe). This software requires Windows 10 version 1903 and higher to run.\n- __Grammarly Beta for macOS__ - [macOS application](https://download-mac.grammarly.com/Grammarly.dmg).\n\n\u003e Vulnerabilities in the Grammarly Keyboard for Android with a working proof of concept may qualify for an additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). To see which vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s [Vulnerability Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n# Rewards\n\n- We determine the value of the reward based on **the impact and severity** of the reported vulnerability. 
The final reward decisions are up to the discretion of the Grammarly Security team.\n- When duplicates (including internally known issues) occur, we only award the first report that we receive.\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n## Common vulnerabilities excluded from the scope\n\n* Social engineering (e.g., phishing, vishing, smishing) of Grammarly employees and users is strictly prohibited.\n* Clickjacking, CSRF, and content spoofing issues without demonstrable security impact.\n* CSV injection.\n* Publicly known vulnerable libraries without a working Proof of Concept.\n* Stack traces, path disclosure, and directory listings.\n* Self-XSS or having a user paste JavaScript into the browser console.\n* Vulnerabilities in outdated versions of Grammarly software.\n* Issues relating to non-Grammarly products.\n* Any activity that could lead to the disruption of our service (DoS).\n* Reports that include only crash dumps or other automated tool output without a proof of concept code.\n* Open ports scanning, banner grabbing, and software version disclosure issues.\n* **MITM attacks on secure connection** and “Mixed Content” issues.\n* Vulnerabilities that require root-level permissions or physical access to a targeted device.\n* Issues that affect only outdated user agents or unsupported platforms.\n* Issues related to the missing address bar in Grammarly’s desktop app.\n\n## Non-qualifying best practices\n\n* Missing cookie flags on non-authentication cookies.\n* Missing best practices in DNS configuration (e.g., DKIM/DMARC/SPF/TXT).\n* Missing best practices in SSL/TLS configuration.\n* Missing best practices in Content Security Policy (CSP) or lack of other security-related headers.\n* Leakage of sensitive tokens (e.g., reset password token) to trusted third parties on secure connection (HTTPS).\n\n## Non-qualifying business issues\n\n* Institution access code enumeration or demonstrating access codes leaked in 
internet forums.\n* Credential re-usage from public dumps\n* UUID enumeration of any kind\n* Ability to determine if a username or email has a Grammarly account, also known as account oracle.\n* Signing up with multiple accounts to abuse referral code usage\n* Password length, complexity, and re-use requirements\n* Email verification feature\n* Sharing Premium accounts with other users isn’t considered a monetary impact\n\nThank you for helping keep Grammarly and our users safe!\n\n## Consequences of complying with this policy a.k.a. Safe Harbor\n\nWe will not pursue a civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistently with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Terms of Service, we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you and you have complied with Grammarly’s bug bounty policy, Grammarly will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-06-30T12:59:18.211Z"},{"id":3654105,"new_policy":"Security and privacy are core concepts at Grammarly. 
Grammarly looks forward to working with the security community to find security vulnerabilities in order to keep our business and customers safe.\n\n# Rules for us\n\n- We offer a **safe harbor (defined below) to all activities** that are consistent with this policy.\n- We respect the time and effort of our researchers.\n- We will do our best to keep you informed about our progress throughout the process.\n- We will try to award a bounty for a successfully validated report in 3 days after the triage.\n- We will not respond to threats or negotiate under duress.\n\n# Rules for you\n\n* Be an ethical hacker.\n* Respect privacy: Only interact with test Grammarly accounts you own.\n* Avoid testing that would result in privacy violations, destruction of data, or interruption or degradation of our service.\n* Contact us immediately if you inadvertently encounter user data. Do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local information upon reporting the vulnerability to Grammarly.\n* Follow [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines) during the triage and after the successful remediation of the vulnerability.\n\n# Scope\n\n- `*.grammarly.com`\n- `*.grammarly.io`\n- `*.grammarlyaws.com`\n- `*.grammarly.ai`\n- __Browser Extensions for Chrome, Safari, Firefox, Edge__\n- __Desktop Editor for Microsoft Windows and macOS__ – Electron-powered desktop application for [macOS](https://www.grammarly.com/native/mac) and [Windows](https://www.grammarly.com/native/windows). 
Only security issues with “Network” attack vector are eligible for reporting.\n- __Add-On for Microsoft Word and Outlook__ - [Grammarly add-on](https://www.grammarly.com/office-addin/windows) for MS Word and Outlook for Windows, powered by .NET.\n- __Add-On for Microsoft Word__ - [Grammarly add-on](https://appsource.microsoft.com/en-us/product/office/WA200001011?tab=Overview) for MS Word for macOS and Windows, powered by JS SDK.\n- __Mobile keyboards and applications for Android and iOS__\n- __Grammarly Beta for Windows__ - [Windows application](https://download-windows.grammarly.com/GrammarlyInstaller.exe). This software requires Windows 10 version 1903 and higher to run.\n- __Grammarly Beta for macOS__ - [macOS application](https://download-mac.grammarly.com/Grammarly.dmg).\n\n\u003e Vulnerabilities in the Grammarly Keyboard for Android with a working proof of concept may qualify for an additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). To see which vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s [Vulnerability Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n# Rewards\n\n- We determine the value of the reward based on **the impact and severity** of the reported vulnerability. 
The final reward decisions are up to the discretion of the Grammarly Security team.\n- When duplicates (including internally known issues) occur, we only award the first report that we receive.\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n## Common vulnerabilities excluded from the scope\n\n* Social engineering (e.g., phishing, vishing, smishing) of Grammarly employees and users is strictly prohibited.\n* Clickjacking, CSRF, and content spoofing issues without demonstrable security impact.\n* CSV injection.\n* Publicly known vulnerable libraries without a working Proof of Concept.\n* Stack traces, path disclosure, and directory listings.\n* Self-XSS or having a user paste JavaScript into the browser console.\n* Vulnerabilities in outdated versions of Grammarly software.\n* Issues relating to non-Grammarly products.\n* Any activity that could lead to the disruption of our service (DoS).\n* Reports that include only crash dumps or other automated tool output without a proof of concept code.\n* Open ports scanning, banner grabbing, and software version disclosure issues.\n* **MITM attacks on secure connection** and “Mixed Content” issues.\n* Vulnerabilities that require root-level permissions or physical access to a targeted device.\n* Issues that affect only outdated user agents or unsupported platforms.\n* Issues related to the missing address bar in Grammarly’s desktop app.\n\n## Non-qualifying best practices\n\n* Missing cookie flags on non-authentication cookies.\n* Missing best practices in DNS configuration (e.g., DKIM/DMARC/SPF/TXT).\n* Missing best practices in SSL/TLS configuration.\n* Missing best practices in Content Security Policy (CSP) or lack of other security-related headers.\n* Leakage of sensitive tokens (e.g., reset password token) to trusted third parties on secure connection (HTTPS).\n\n## Non-qualifying business issues\n\n* Institution access code enumeration or demonstrating access codes leaked in 
internet forums.\n* Credential re-usage from public dumps\n* UUID enumeration of any kind\n* Ability to determine if a username or email has a Grammarly account, also known as account oracle.\n* Signing up with multiple accounts to abuse referral code usage\n* Password length, complexity, and re-use requirements\n* Email verification feature\n* Sharing Premium accounts with other users isn’t considered a monetary impact\n\nThank you for helping keep Grammarly and our users safe!\n\n## Consequences of complying with this policy a.k.a. Safe Harbor\n\nWe will not pursue a civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistently with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Terms of Service, we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you and you have complied with Grammarly’s bug bounty policy, Grammarly will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-06-30T12:25:53.326Z"},{"id":3652347,"new_policy":"Security and privacy are core concepts at Grammarly. 
Grammarly looks forward to working with the security community to find security vulnerabilities in order to keep our business and customers safe.\n\n# Rules for us\n\n- We offer a **safe harbor (defined below) to all activities** that are consistent with this policy.\n- We respect the time and effort of our researchers.\n- We will do our best to keep you informed about our progress throughout the process.\n- We will try to award a bounty for a successfully validated report in 3 days after the triage.\n- We will not respond to threats or negotiate under duress.\n\n# Rules for you\n\n* Be an ethical hacker.\n* Respect privacy: Only interact with test Grammarly accounts you own.\n* Avoid testing that would result in privacy violations, destruction of data, or interruption or degradation of our service.\n* Contact us immediately if you inadvertently encounter user data. Do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local information upon reporting the vulnerability to Grammarly.\n* Follow [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines) during the triage and after the successful remediation of the vulnerability.\n\n# Scope\n\n## Focus Scope\n\n\u003e Vulnerabilities in the Grammarly Keyboard for Android with a working proof of concept may qualify for an additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). To see which vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s [Vulnerability Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n- __Browser Extensions for Chrome, Safari, Firefox, Edge__\n- __Desktop Editor for Microsoft Windows and macOS__ – Electron-powered desktop application for [macOS](https://www.grammarly.com/native/mac) and [Windows](https://www.grammarly.com/native/windows). 
Only security issues with \"Network\" attack vector are eligible for reporting.\n- __Add-On for Microsoft Word and Outlook__ - [Grammarly add-on](https://www.grammarly.com/office-addin/windows) for MS Word and Outlook for Windows, powered by .NET.\n- __Add-On for Microsoft Word__ - [Grammarly add-on](https://appsource.microsoft.com/en-us/product/office/WA200001011?tab=Overview) for MS Word for macOS and Windows, powered by JS SDK.\n- __Mobile keyboards and applications for Android and iOS__\n- __Grammarly Beta for Windows__ - [Windows application](https://download-windows.grammarly.com/GrammarlyInstaller.exe). This software requires Windows 10 version 1903 and higher to run.\n- __Grammarly Beta for macOS__ - [macOS application](https://download-mac.grammarly.com/Grammarly.dmg).\n\n## Standard Scope\n\nAll other assets listed in the “In Scope” table.\n\n# Rewards\n\n- We determine the value of the reward based on **the impact and severity** of the reported vulnerability. The final reward decisions are up to the discretion of the Grammarly Security team.\n- When duplicates (including internally known issues) occur, we only award the first report that we receive.\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n## Common vulnerabilities excluded from the scope\n\n* Social engineering (e.g., phishing, vishing, smishing) of Grammarly employees and users is strictly prohibited.\n* Clickjacking, CSRF, and content spoofing issues without demonstrable security impact.\n* CSV injection.\n* Publicly known vulnerable libraries without a working Proof of Concept.\n* Stack traces, path disclosure, and directory listings.\n* Self-XSS or having a user paste JavaScript into the browser console.\n* Vulnerabilities in outdated versions of Grammarly software.\n* Issues relating to non-Grammarly products.\n* Any activity that could lead to the disruption of our service (DoS).\n* Reports that include only crash dumps or other automated tool 
output without a proof of concept code.\n* Open ports scanning, banner grabbing, and software version disclosure issues.\n* **MITM attacks on secure connection** and “Mixed Content” issues.\n* Vulnerabilities that require root-level permissions or physical access to a targeted device.\n* Issues that affect only outdated user agents or unsupported platforms.\n* Issues related to the missing address bar in Grammarly’s desktop app.\n\n## Non-qualifying best practices\n\n* Missing cookie flags on non-authentication cookies.\n* Missing best practices in DNS configuration (e.g., DKIM/DMARC/SPF/TXT).\n* Missing best practices in SSL/TLS configuration.\n* Missing best practices in Content Security Policy (CSP) or lack of other security-related headers.\n* Leakage of sensitive tokens (e.g., reset password token) to trusted third parties on secure connection (HTTPS).\n\n## Non-qualifying business issues\n\n* Institution access code enumeration or demonstrating access codes leaked in internet forums.\n* Credential re-usage from public dumps\n* UUID enumeration of any kind\n* Ability to determine if a username or email has a Grammarly account, also known as account oracle.\n* Signing up with multiple accounts to abuse referral code usage\n* Password length, complexity, and re-use requirements\n* Email verification feature\n* Sharing Premium accounts with other users isn’t considered a monetary impact\n\nThank you for helping keep Grammarly and our users safe!\n\n## Consequences of complying with this policy a.k.a. Safe Harbor\n\nWe will not pursue a civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistently with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. 
To the extent your activities are inconsistent with certain restrictions in our Terms of Service, we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n​\nIf legal action is initiated by a third party against you and you have complied with Grammarly’s bug bounty policy, Grammarly will take steps to make it known that your actions were conducted in compliance with this policy.\n​\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-05-17T15:40:50.469Z"},{"id":3652345,"new_policy":"Security and privacy are core concepts at Grammarly. Grammarly looks forward to working with the security community to find security vulnerabilities in order to keep our business and customers safe.\n\n# Rules for us\n\n- We offer a **safe harbor (defined below) to all activities** that are consistent with this policy.\n- We respect the time and effort of our researchers.\n- We will do our best to keep you informed about our progress throughout the process.\n- We will try to award a bounty for a successfully validated report in 3 days after the triage.\n- We will not respond to threats or negotiate under duress.\n\n# Rules for you\n\n* Be an ethical hacker.\n* Respect privacy: Only interact with test Grammarly accounts you own.\n* Avoid testing that would result in privacy violations, destruction of data, or interruption or degradation of our service.\n* Contact us immediately if you inadvertently encounter user data. 
Do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local information upon reporting the vulnerability to Grammarly.\n* Follow [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines) during the triage and after the successful remediation of the vulnerability.\n\n# Scope\n\n## Focus Scope\n\n\u003e Vulnerabilities in the Grammarly Keyboard for Android with a working proof of concept may qualify for an additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). To see which vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s [Vulnerability Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n- __Browser Extensions for Chrome, Safari, Firefox, Edge__\n- __Desktop Editor for Microsoft Windows and macOS__ – Electron-powered desktop application for [macOS](https://www.grammarly.com/native/mac) and [Windows](https://www.grammarly.com/native/windows). Only security issues with \"Network\" attack vector are eligible for reporting.\n- __Add-On for Microsoft Word and Outlook__ - [Grammarly add-on](https://www.grammarly.com/office-addin/windows) for MS Word and Outlook for Windows, powered by .NET.\n- __Add-On for Microsoft Word__ - [Grammarly add-on](https://appsource.microsoft.com/en-us/product/office/WA200001011?tab=Overview) for MS Word for macOS and Windows, powered by JS SDK.\n- __Mobile keyboards and applications for Android and iOS__\n- __Grammarly Beta for Windows__ - [Windows application](https://download-windows.grammarly.com/GrammarlyInstaller.exe). This software requires Windows 10 version 1903 and higher to run. \n\n## Standard Scope\n\nAll other assets listed in the “In Scope” table.\n\n# Rewards\n\n- We determine the value of the reward based on **the impact and severity** of the reported vulnerability. 
The final reward decisions are up to the discretion of the Grammarly Security team.\n- When duplicates (including internally known issues) occur, we only award the first report that we receive.\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n## Common vulnerabilities excluded from the scope\n\n* Social engineering (e.g., phishing, vishing, smishing) of Grammarly employees and users is strictly prohibited.\n* Clickjacking, CSRF, and content spoofing issues without demonstrable security impact.\n* CSV injection.\n* Publicly known vulnerable libraries without a working Proof of Concept.\n* Stack traces, path disclosure, and directory listings.\n* Self-XSS or having a user paste JavaScript into the browser console.\n* Vulnerabilities in outdated versions of Grammarly software.\n* Issues relating to non-Grammarly products.\n* Any activity that could lead to the disruption of our service (DoS).\n* Reports that include only crash dumps or other automated tool output without a proof of concept code.\n* Open ports scanning, banner grabbing, and software version disclosure issues.\n* **MITM attacks on secure connection** and “Mixed Content” issues.\n* Vulnerabilities that require root-level permissions or physical access to a targeted device.\n* Issues that affect only outdated user agents or unsupported platforms.\n* Issues related to the missing address bar in Grammarly’s desktop app.\n\n## Non-qualifying best practices\n\n* Missing cookie flags on non-authentication cookies.\n* Missing best practices in DNS configuration (e.g., DKIM/DMARC/SPF/TXT).\n* Missing best practices in SSL/TLS configuration.\n* Missing best practices in Content Security Policy (CSP) or lack of other security-related headers.\n* Leakage of sensitive tokens (e.g., reset password token) to trusted third parties on secure connection (HTTPS).\n\n## Non-qualifying business issues\n\n* Institution access code enumeration or demonstrating access codes leaked in 
internet forums.\n* Credential re-usage from public dumps\n* UUID enumeration of any kind\n* Ability to determine if a username or email has a Grammarly account, also known as account oracle.\n* Signing up with multiple accounts to abuse referral code usage\n* Password length, complexity, and re-use requirements\n* Email verification feature\n* Sharing Premium accounts with other users isn’t considered a monetary impact\n\nThank you for helping keep Grammarly and our users safe!\n\n## Consequences of complying with this policy a.k.a. Safe Harbor\n\nWe will not pursue a civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistently with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Terms of Service, we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n​\nIf legal action is initiated by a third party against you and you have complied with Grammarly’s bug bounty policy, Grammarly will take steps to make it known that your actions were conducted in compliance with this policy.\n​\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-05-17T15:25:03.981Z"},{"id":3648758,"new_policy":"Security and privacy are core concepts at Grammarly. 
Grammarly looks forward to working with the security community to find security vulnerabilities in order to keep our business and customers safe.\n\n# Rules for us\n\n- We offer a **safe harbor (defined below) to all activities** that are consistent with this policy.\n- We respect the time and effort of our researchers.\n- We will do our best to keep you informed about our progress throughout the process.\n- We will try to award a bounty for a successfully validated report in 3 days after the triage.\n- We will not respond to threats or negotiate under duress.\n\n# Rules for you\n\n* Be an ethical hacker.\n* Respect privacy: Only interact with test Grammarly accounts you own.\n* Avoid testing that would result in privacy violations, destruction of data, or interruption or degradation of our service.\n* Contact us immediately if you inadvertently encounter user data. Do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local information upon reporting the vulnerability to Grammarly.\n* Follow [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines) during the triage and after the successful remediation of the vulnerability.\n\n# Scope\n\n## Focus Scope\n\n\u003e Vulnerabilities in the Grammarly Keyboard for Android with a working proof of concept may qualify for an additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). To see which vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s [Vulnerability Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n- __Browser Extensions for Chrome, Safari, Firefox, Edge__\n- __Desktop Editor for Microsoft Windows and macOS__ – Electron-powered desktop application for [macOS](https://www.grammarly.com/native/mac) and [Windows](https://www.grammarly.com/native/windows). 
Only security issues with \"Network\" attack vector are eligible for reporting.\n- __Add-On for Microsoft Word and Outlook__ - [Grammarly add-on](https://www.grammarly.com/office-addin/windows) for MS Word and Outlook for Windows, powered by .NET.\n- __Add-On for Microsoft Word__ - [Grammarly add-on](https://appsource.microsoft.com/en-us/product/office/WA200001011?tab=Overview) for MS Word for macOS and Windows, powered by JS SDK.\n- __Mobile keyboards and applications for Android and iOS__\n- __Grammarly Beta for Windows__ - [Windows application](https://download-windows.grammarly.com/GrammarlyInstaller.exe). This software requires Windows 10 version 1903 and higher to run. \n\n## Standard Scope\n\nAll other assets listed in the “In Scope” table.\n\n# Rewards\n\n- We determine the value of the reward based on **the impact and severity** of the reported vulnerability. The final reward decisions are up to the discretion of the Grammarly Security team.\n- When duplicates (including internally known issues) occur, we only award the first report that we receive.\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n## Common vulnerabilities excluded from the scope\n\n* Social engineering (e.g., phishing, vishing, smishing) of Grammarly employees and users is strictly prohibited.\n* Clickjacking, CSRF, and content spoofing issues without demonstrable security impact.\n* CSV injection.\n* Publicly known vulnerable libraries without a working Proof of Concept.\n* Stack traces, path disclosure, and directory listings.\n* Self-XSS or having a user paste JavaScript into the browser console.\n* Vulnerabilities in outdated versions of Grammarly software.\n* Issues relating to non-Grammarly products.\n* Any activity that could lead to the disruption of our service (DoS).\n* Reports that include only crash dumps or other automated tool output without a proof of concept code.\n* Open ports scanning, banner grabbing, and software version 
disclosure issues.\n* **MITM attacks on secure connection** and “Mixed Content” issues.\n* Vulnerabilities that require root-level permissions or physical access to a targeted device.\n* Issues that affect only outdated user agents or unsupported platforms.\n* Issues related to the missing address bar in Grammarly’s desktop app.\n\n## Non-qualifying best practices\n\n* Missing cookie flags on non-authentication cookies.\n* Missing best practices in DNS configuration (e.g., DKIM/DMARC/SPF/TXT).\n* Missing best practices in SSL/TLS configuration.\n* Missing best practices in Content Security Policy (CSP) or lack of other security-related headers.\n* Leakage of sensitive tokens (e.g., reset password token) to trusted third parties on secure connection (HTTPS).\n\n## Non-qualifying business issues\n\n* Institution access code enumeration or demonstrating access codes leaked in internet forums.\n* Credential re-usage from public dumps\n* UUID enumeration of any kind\n* Ability to determine if a username or email has a Grammarly account, also known as account oracle.\n* Signing up with multiple accounts to abuse referral code usage\n* Password length, complexity, and re-use requirements\n* Email verification feature\n* Sharing Premium accounts with other users isn’t considered a monetary impact\n\nThank you for helping keep Grammarly and our users safe!\n​\n## Consequences of complying with this policy a.k.a. Safe Harbor\n\nWe will not pursue a civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistently with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Terms of Service, we waive those restrictions for the limited purpose of permitting security research under this policy. 
We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n​\nIf legal action is initiated by a third party against you and you have complied with Grammarly’s bug bounty policy, Grammarly will take steps to make it known that your actions were conducted in compliance with this policy.\n​\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-02-15T16:07:02.519Z"},{"id":3648625,"new_policy":"Security and privacy are core concepts at Grammarly. Grammarly looks forward to working with the security community to find security vulnerabilities in order to keep our business and customers safe.\n\n# Rules for us\n\n- We guarantee **full Safe Harbor** to all security researchers hacking Grammarly.\n- We respect the time and effort of our researchers.\n- We will do our best to keep you informed about our progress throughout the process.\n- We will try to award a bounty for a successfully validated report in 3 days after the triage.\n- We will not respond to threats or negotiate under duress.\n\n# Rules for you\n\n* Be an ethical hacker.\n* Respect privacy: Only interact with test Grammarly accounts you own.\n* Avoid testing that would result in privacy violations, destruction of data, or interruption or degradation of our service.\n* Follow [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines) during the triage and after the successful remediation of the vulnerability.\n\n# Scope\n\n## Focus Scope\n\n\u003e Vulnerabilities in the Grammarly Keyboard for Android with a working proof of concept may qualify for an 
additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). To see which vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s [Vulnerability Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n- __Browser Extensions for Chrome, Safari, Firefox, Edge__\n- __Desktop Editor for Microsoft Windows and macOS__ – Electron-powered desktop application for [macOS](https://www.grammarly.com/native/mac) and [Windows](https://www.grammarly.com/native/windows). Only security issues with \"Network\" attack vector are eligible for reporting.\n- __Add-On for Microsoft Word and Outlook__ - [Grammarly add-on](https://www.grammarly.com/office-addin/windows) for MS Word and Outlook for Windows powered by .NET.\n- __Add-On for Microsoft Word__ - [Grammarly add-on](https://appsource.microsoft.com/en-us/product/office/WA200001011?tab=Overview) for MS Word for macOS and Windows powered by JS SDK.\n- __Mobile keyboards and applications for Android and iOS__\n- __Grammarly Beta for Windows__ - [Windows application](https://download-windows.grammarly.com/GrammarlyInstaller.exe). This software requires Windows 10 version 1903 and higher to run. \n\n## Standard Scope\n\nAll other assets listed in the “In Scope” table.\n\n# Rewards\n\n- We determine the value of the reward based on **the impact and severity** of the reported vulnerability. 
The final reward decisions are up to the discretion of the Grammarly Security team.\n- When duplicates (including internally known issues) occur, we only award the first report that we receive.\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n## Common vulnerabilities excluded from the scope\n\n* Social engineering (e.g., phishing, vishing, smishing) of Grammarly employees and users is strictly prohibited.\n* Clickjacking, CSRF, and content spoofing issues without demonstrable security impact.\n* CSV injection.\n* Publicly known vulnerable libraries without a working Proof of Concept.\n* Stack traces, path disclosure, and directory listings.\n* Self-XSS or having a user paste JavaScript into the browser console.\n* Vulnerabilities in outdated versions of Grammarly software.\n* Issues relating to non-Grammarly products.\n* Any activity that could lead to the disruption of our service (DoS).\n* Reports that include only crash dumps or other automated tool output without a proof of concept code.\n* Open ports scanning, banner grabbing, and software version disclosure issues.\n* **MITM attacks on secure connection** and “Mixed Content” issues.\n* Vulnerabilities that require root-level permissions or physical access to a targeted device.\n* Issues that affect only outdated user agents or unsupported platforms.\n* Issues related to the missing address bar in Grammarly’s desktop app.\n\n## Non-qualifying best practices\n\n* Missing cookie flags on non-authentication cookies.\n* Missing best practices in DNS configuration (e.g., DKIM/DMARC/SPF/TXT).\n* Missing best practices in SSL/TLS configuration.\n* Missing best practices in Content Security Policy (CSP) or lack of other security-related headers.\n* Leakage of sensitive tokens (e.g., reset password token) to trusted third parties on secure connection (HTTPS).\n\n## Non-qualifying business issues\n\n* Institution access code enumeration or demonstrating access codes leaked in 
internet forums.\n* Credential re-usage from public dumps\n* UUID enumeration of any kind\n* Ability to determine if a username or email has a Grammarly account, also known as account oracle.\n* Signing up with multiple accounts to abuse referral code usage\n* Password length, complexity, and re-use requirements\n* Email verification feature\n* Sharing Premium accounts with other users isn’t considered a monetary impact\n\nThank you for helping keep Grammarly and our users safe!\n\n## Consequences of complying with this policy a.k.a. Safe Harbor\n\nWe will not pursue a civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistently with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Acceptable Use Policy, we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you and you have complied with Grammarly’s bug bounty policy, Grammarly will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-02-11T16:00:21.862Z"},{"id":3647864,"new_policy":"Security and privacy are core concepts at Grammarly. 
Grammarly looks forward to working with the security community to find security vulnerabilities in order to keep our business and customers safe.\n\n# Rules for us\n\n- We guarantee **full Safe Harbor** to all security researchers hacking Grammarly.\n- We respect the time and effort of our researchers.\n- We will do our best to keep you informed about our progress throughout the process.\n- We will try to award a bounty for a successfully validated report in 3 days after the triage.\n- We will not respond to threats or negotiate under duress.\n\n# Rules for you\n\n* Be an ethical hacker.\n* Respect privacy: Only interact with test Grammarly accounts you own.\n* Avoid testing that would result in privacy violations, destruction of data, or interruption or degradation of our service.\n* Follow [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines) during the triage and after the successful remediation of the vulnerability.\n\n# Scope\n\n## Focus Scope\n\nGrammarly is particularly interested in reports about **the Grammarly browser extensions, Grammarly’s desktop applications, Grammarly for iOS, Grammarly for Android, Grammarly add-on for Microsoft Word and Outlook, and Grammarly for Microsoft Word**.\n\n\u003e Vulnerabilities in the Grammarly Keyboard for Android with a working proof of concept may qualify for an additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). To see which vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s [Vulnerability Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n- __Browser Extensions for Chrome, Safari, Firefox, Edge__\n- __Desktop Editor for Microsoft Windows and macOS__ – Electron-powered desktop application for [macOS](https://www.grammarly.com/native/mac) and [Windows](https://www.grammarly.com/native/windows). 
Only security issues with \"Network\" attack vector are eligible for reporting.\n- __Add-On for Microsoft Word and Outlook__ - [Grammarly add-on](https://www.grammarly.com/office-addin/windows) for MS Word and Outlook for Windows powered by .NET.\n- __Add-On for Microsoft Word__ - [Grammarly add-on](https://appsource.microsoft.com/en-us/product/office/WA200001011?tab=Overview) for MS Word for macOS and Windows powered by JS SDK.\n- __Mobile keyboards and applications for Android and iOS__\n\n## Standard Scope\n\nAll other assets listed in the “In Scope” table.\n\n# Rewards\n\n- We determine the value of the reward based on **the impact and severity** of the reported vulnerability. The final reward decisions are up to the discretion of the Grammarly Security team.\n- When duplicates (including internally known issues) occur, we only award the first report that we receive.\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n## Common vulnerabilities excluded from the scope\n\n* Social engineering (e.g., phishing, vishing, smishing) of Grammarly employees and users is strictly prohibited.\n* Clickjacking, CSRF, and content spoofing issues without demonstrable security impact.\n* CSV injection.\n* Publicly known vulnerable libraries without a working Proof of Concept.\n* Stack traces, path disclosure, and directory listings.\n* Self-XSS or having a user paste JavaScript into the browser console.\n* Vulnerabilities in outdated versions of Grammarly software.\n* Issues relating to non-Grammarly products.\n* Any activity that could lead to the disruption of our service (DoS).\n* Reports that include only crash dumps or other automated tool output without a proof of concept code.\n* Open ports scanning, banner grabbing, and software version disclosure issues.\n* **MITM attacks on secure connection** and “Mixed Content” issues.\n* Vulnerabilities that require root-level permissions or physical access to a targeted device.\n* Issues 
that affect only outdated user agents or unsupported platforms.\n* Issues related to the missing address bar in Grammarly’s desktop app.\n\n## Non-qualifying best practices\n\n* Missing cookie flags on non-authentication cookies.\n* Missing best practices in DNS configuration (e.g., DKIM/DMARC/SPF/TXT).\n* Missing best practices in SSL/TLS configuration.\n* Missing best practices in Content Security Policy (CSP) or lack of other security-related headers.\n* Leakage of sensitive tokens (e.g., reset password token) to trusted third parties on secure connection (HTTPS).\n\n## Non-qualifying business issues\n\n* Institution access code enumeration or demonstrating access codes leaked in internet forums.\n* Credential re-usage from public dumps\n* UUID enumeration of any kind\n* Ability to determine if a username or email has a Grammarly account, also known as account oracle.\n* Signing up with multiple accounts to abuse referral code usage\n* Password length, complexity, and re-use requirements\n* Email verification feature\n* Sharing Premium accounts with other users isn’t considered a monetary impact\n\nThank you for helping keep Grammarly and our users safe!\n\n## Consequences of complying with this policy a.k.a. Safe Harbor\n\nWe will not pursue a civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistently with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Acceptable Use Policy, we waive those restrictions for the limited purpose of permitting security research under this policy. 
We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n​\nIf legal action is initiated by a third party against you and you have complied with Grammarly’s bug bounty policy, Grammarly will take steps to make it known that your actions were conducted in compliance with this policy.\n​\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-01-20T11:39:16.120Z"},{"id":3646319,"new_policy":"Security and privacy is a core concept for Grammarly. Grammarly looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n# Rules for us\n\n- We respect the time and effort of our researchers.\n- We will respond **within 3 business days**.\n- We will try to make a bounty determination **after validating** a legitimate security issue **within 10 business days**.\n- We will do our best to keep you informed about our progress throughout the process.\n- We will not respond to threats or negotiate under duress.\n\n# Rules for you\n\n* Be an ethical hacker.\n* Respect other users’ privacy: only interact with Grammarly accounts you own or with the explicit permission of the account holder.\n* Make a good-faith effort to avoid testing that would result in privacy violations, destruction of data or interruption or degradation of our service.\n* Let us know as soon as possible upon discovery of a potential security issue.\n* Contact us immediately if you do inadvertently encounter user data. 
Do not view, alter, save, store, transfer, or otherwise access the data and immediately purge any local information upon reporting the vulnerability to Grammarly. \n* Follow [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n* We reserve the right to disqualify individuals from the program for disrespectful or disruptive behavior.\n\n# Scope\n\n## Focus Scope\n\nGrammarly is particularly interested in testing our **Browser Extensions, Desktop Editor, Mobile Keyboards, Add-On for Microsoft Word and Outlook, Grammarly for Microsoft Word**.\n \nVulnerabilities in Grammarly Mobile Keyboard for Android with a working proof of concept may qualify for an additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). To see which vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s [Vulnerability Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n### Native apps and clients\n\n- __Browser Extensions for Chrome, Safari, Firefox, Edge__ - A browser extension that's compatible with the supported versions of Chrome, Safari, Firefox, and Edge.\n- __Desktop Editor for Microsoft Windows and MacOS__ – Electron-powered desktop application for [macOS](https://www.grammarly.com/native/mac) and [Windows](https://www.grammarly.com/native/windows). Only security issues with \"Network\" attack vector are eligible for reporting.\n- __Add-On for Microsoft Word and Outlook__ - [Grammarly add-on](https://www.grammarly.com/office-addin/windows) for MS Word and Outlook for Windows. \n- __Add-On for Microsoft Word__ - [Grammarly add-on](https://appsource.microsoft.com/en-us/product/office/WA200001011?tab=Overview) for MS Word for macOS and Windows. 
​\n- __Mobile keyboards and applications for Android and iOS__ – our mobile apps and keyboards.\n\n## Standard Scope\n\nAll other assets listed in our “In Scope” table.\n\n# Rewards\n\n- When duplicates (including internally known issues) occur, we only award the first report that we receive.\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- Our rewards are based on the **impact** of a vulnerability, **attack requirements** and **scenario**.\n- We will try to conform with CVSSv3. However, certain exclusions might be possible.\n- The final reward decisions are up to the discretion of Grammarly.\n- We may calculate the severity and rewards of particular vulnerabilities in our client apps and web applications based on our User Agents and clients statistics.\n- If **your report pointed** our internal security team to a more severe bug, we will calculate your reward based **on the most severe bug we found internally.**\n- A report might be rewarded retroactively for a limited amount of time on a case-by-case basis.\n- We may award a Grammarly Premium account for particular \"Informative\" or \"Low\" severity bugs.\n* **Clearness of your report reflects the potential reward:** If your report isn't clear enough (e.g., lacks proof of concept code), it may lower the bounty, despite the severity of the found issue. *This rule works vice versa too!*\n\n## Recommendations for reporting\n\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n- Multiple chained vulnerabilities submitted as one report will qualify for one bigger bounty. 
If you submit multiple linked vulnerabilities as different reports, we will award every vulnerability individually!\n- Reports that include proof of concept code will be more likely to be accepted.\n\n## Public disclosure\n\n- Public disclosure of the vulnerability prior to resolution may cancel a pending reward.\n- We reserve the right to not disclose the report or to disclose it only partially. (We may do this if the original report includes password hashes, config files, proprietary source code, any internal info, etc.)\n- We encourage public disclosure of your findings in our program!\n- We'd like to help out with your **write-ups about publicly disclosed bugs**. Feel free to send your write-up to security@grammarly.com!\n\n# Non-Qualifying Vulnerabilities\n\n- Report about any vulnerability from the exclusion list below will most likely be closed as \"N/A\".\n- Submitting multiple N/A reports may result in you being excluded from participating in our program.\n\n## Common vulnerabilities excluded from the scope\n\n* Social engineering (e.g., phishing, vishing, smishing) of Grammarly employees and users is strictly prohibited.\n* Clickjacking, CSRF, Content spoofing issues without demonstrable security impact.\n* CSV injection.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Stack traces, path disclosure, and directory listings.\n* Self-XSS or having a user paste JavaScript into the browser console.\n* Vulnerabilities in outdated versions of Grammarly software.\n* Issues relating to non-Grammarly products.\n* Any activity that could lead to the disruption of our service (DoS).\n* Reports that include only crash dumps or other automated tool output without a proof of concept code.\n* Open ports scanning, banner grabbing, software version disclosure issues.\n* **MITM attacks on secure connection** and “Mixed Content” issues are out of scope.\n* Vulnerabilities that require root-level or physical access on a targeted device are out 
of scope.\n* Issues that affect only outdated user agents or unsupported platforms.\n* Issues related to the missing address bar in Desktop Editor.\n\n## Non-Qualifying best practices\n\n* Missing cookie flags on non-authentication cookies.\n* Missing best practices in DNS configuration (e.g. DKIM/DMARC/SPF/TXT).\n* Missing best practices in SSL/TLS configuration.\n* Missing best practices in Content Security Policy (CSP) or lack of other security-related headers.\n* Leakage of sensitive tokens (e.g., reset password token) to trusted third parties on secure connection (HTTPS).\n\n## Non-Qualifying (business) issues\n\n* Institution access code enumeration or demonstrating access codes leaked in Internet forums.\n* Credential re-usage from public dumps.\n* UUID enumeration of any kind.\n* Ability to determine if a username or email has a Grammarly account, also known as an account oracle.\n* Signing up with multiple accounts to abuse referral code usage.\n* Password length, complexity, and re-use requirements.\n* Email verification feature.\n* Sharing Premium accounts with other users isn't considered a monetary impact.\n\nThank you for helping keep Grammarly and our users safe!\n​\n## Consequences of Complying with This Policy aka Safe Harbor\n\nWe will not pursue a civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistently with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Acceptable Use Policy, we waive those restrictions for the limited purpose of permitting security research under this policy. 
We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n​\nIf legal action is initiated by a third party against you and you have complied with Grammarly’s bug bounty policy, Grammarly will take steps to make it known that your actions were conducted in compliance with this policy.\n​\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-12-01T12:04:04.235Z"},{"id":3644845,"new_policy":"Security and privacy is a core concept for Grammarly. Grammarly looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n# Rules for us\n\n- We respect the time and effort of our researchers.\n- We will respond **within 3 business days**.\n- We will try to make a bounty determination **after validating** a legitimate security issue **within 10 business days**.\n- We will do our best to keep you informed about our progress throughout the process.\n- We will not respond to threats or negotiate under duress.\n\n# Rules for you\n\n* Be an ethical hacker.\n* Respect other users’ privacy: only interact with Grammarly accounts you own or with the explicit permission of the account holder.\n* Make a good-faith effort to avoid testing that would result in privacy violations, destruction of data or interruption or degradation of our service.\n* Let us know as soon as possible upon discovery of a potential security issue.\n* Contact us immediately if you do inadvertently encounter user data. 
Do not view, alter, save, store, transfer, or otherwise access the data and immediately purge any local information upon reporting the vulnerability to Grammarly. \n* Follow [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n* We reserve the right to disqualify individuals from the program for disrespectful or disruptive behavior.\n\n# Scope\n\n## +50% bonus for bugs Grammarly browser extensions! \n\nWe're happy to announce that all reports about Grammarly browser extensions submitted until the end of November will receive a **+50% bonus** on top of the expected bounty. Totaling the maximum possible reward for browser extensions to almost $25K!\n\nPlease make sure you research the latest version of Grammarly Extension before submitting a report.\n[CRXcavator.io reports](https://crxcavator.io/report/kbfnbcaeplbcioakkpcpgfkobkghlhen/14.983.0) about Grammarly Extension might be a good starting point for your research!\n\n## Focus Scope\n\nGrammarly is particularly interested in testing our **Browser Extensions, Desktop Editor, Mobile Keyboards, Add-On for Microsoft Word and Outlook, Grammarly for Microsoft Word**.\n \nVulnerabilities in Grammarly Mobile Keyboard for Android with a working proof of concept may qualify for an additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). To see which vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s [Vulnerability Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n### Native apps and clients\n\n- __Browser Extensions for Chrome, Safari, Firefox, Edge__ - A browser extension that's compatible with the supported versions of Chrome, Safari, Firefox, and Edge.\n- __Desktop Editor for Microsoft Windows and MacOS__ – Electron-powered desktop application for [macOS](https://www.grammarly.com/native/mac) and [Windows](https://www.grammarly.com/native/windows). 
Only security issues with \"Network\" attack vector are eligible for reporting.\n- __Add-On for Microsoft Word and Outlook__ - [Grammarly add-on](https://www.grammarly.com/office-addin/windows) for MS Word and Outlook for Windows. \n- __Add-On for Microsoft Word__ - [Grammarly add-on](https://appsource.microsoft.com/en-us/product/office/WA200001011?tab=Overview) for MS Word for macOS and Windows. ​\n- __Mobile keyboards and applications for Android and iOS__ – our mobile apps and keyboards.\n\n## Standard Scope\n\nAll other assets listed in our “In Scope” table.\n\n# Rewards\n\n- When duplicates (including internally known issues) occur, we only award the first report that we receive.\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- Our rewards are based on the **impact** of a vulnerability, **attack requirements** and **scenario**.\n- We will try to conform with CVSSv3. However, certain exclusions might be possible.\n- The final reward decisions are up to the discretion of Grammarly.\n- We may calculate the severity and rewards of particular vulnerabilities in our client apps and web applications based on our User Agents and clients statistics.\n- If **your report pointed** our internal security team to a more severe bug, we will calculate your reward based **on the most severe bug we found internally.**\n- A report might be rewarded retroactively for a limited amount of time on a case-by-case basis.\n- We may award a Grammarly Premium account for particular \"Informative\" or \"Low\" severity bugs.\n* **Clearness of your report reflects the potential reward:** If your report isn't clear enough (e.g., lacks proof of concept code), it may lower the bounty, despite the severity of the found issue. 
*This rule works vice versa too!*\n\n## Recommendations for reporting\n\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n- Multiple chained vulnerabilities submitted as one report will qualify for one bigger bounty. If you submit multiple linked vulnerabilities as different reports, we will award every vulnerability individually!\n- Reports that include proof of concept code will be more likely to be accepted.\n\n## Public disclosure\n\n- Public disclosure of the vulnerability prior to resolution may cancel a pending reward.\n- We reserve the right to not disclose the report or to disclose it only partially. (We may do this if the original report includes password hashes, config files, proprietary source code, any internal info, etc.)\n- We encourage public disclosure of your findings in our program!\n- We'd like to help out with your **write-ups about publicly disclosed bugs**. Feel free to send your write-up to security@grammarly.com!\n\n# Non-Qualifying Vulnerabilities\n\n- Report about any vulnerability from the exclusion list below will most likely be closed as \"N/A\".\n- Submitting multiple N/A reports may result in you being excluded from participating in our program.\n\n## Common vulnerabilities excluded from the scope\n\n* Social engineering (e.g., phishing, vishing, smishing) of Grammarly employees and users is strictly prohibited.\n* Clickjacking, CSRF, Content spoofing issues without demonstrable security impact.\n* CSV injection.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Stack traces, path disclosure, and directory listings.\n* Self-XSS or having a user paste JavaScript into the browser console.\n* Vulnerabilities in outdated versions of Grammarly software.\n* Issues relating to non-Grammarly products.\n* Any activity that could lead to the disruption of our service (DoS).\n* Reports that include only crash dumps or other automated tool output without a proof of 
concept code.\n* Open ports scanning, banner grabbing, software version disclosure issues.\n* **MITM attacks on secure connection** and “Mixed Content” issues are out of scope.\n* Vulnerabilities that require root-level or physical access on a targeted device are out of scope.\n* Issues that affect only outdated user agents or unsupported platforms.\n* Issues related to the missing address bar in Desktop Editor.\n\n## Non-Qualifying best practices\n\n* Missing cookie flags on non-authentication cookies.\n* Missing best practices in DNS configuration (e.g. DKIM/DMARC/SPF/TXT).\n* Missing best practices in SSL/TLS configuration.\n* Missing best practices in Content Security Policy (CSP) or lack of other security-related headers.\n* Leakage of sensitive tokens (e.g., reset password token) to trusted third parties on secure connection (HTTPS).\n\n## Non-Qualifying (business) issues\n\n* Institution access code enumeration or demonstrating access codes leaked in Internet forums.\n* Credential re-usage from public dumps.\n* UUID enumeration of any kind.\n* Ability to determine if a username or email has a Grammarly account, also known as an account oracle.\n* Signing up with multiple accounts to abuse referral code usage.\n* Password length, complexity, and re-use requirements.\n* Email verification feature.\n* Sharing Premium accounts with other users isn't considered a monetary impact.\n\nThank you for helping keep Grammarly and our users safe!\n​\n## Consequences of Complying with This Policy aka Safe Harbor\n\nWe will not pursue a civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistently with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. 
To the extent your activities are inconsistent with certain restrictions in our Acceptable Use Policy, we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n​\nIf legal action is initiated by a third party against you and you have complied with Grammarly’s bug bounty policy, Grammarly will take steps to make it known that your actions were conducted in compliance with this policy.\n​\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-11-06T16:05:28.325Z"},{"id":3643083,"new_policy":"Security and privacy is a core concept for Grammarly. Grammarly looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. 
\n\n# Rules for us\n\n- We respect the time and effort of our researchers.\n- We will respond **within 3 business days**.\n- We will try to make a bounty determination **after validating** a legitimate security issue **within 10 business days**.\n- We will not take legal action against you for playing by these rules.\n- We will do our best to keep you informed about our progress throughout the process.\n- We will not respond to threats or negotiate under duress.\n\n# Rules for you\n\n* Be an ethical hacker.\n* Respect other users’ privacy: only interact with Grammarly accounts you own or with the explicit permission of the account holder.\n* Make a good-faith effort to avoid testing that would result in privacy violations, destruction of data or interruption or degradation of our service.\n* Let us know as soon as possible upon discovery of a potential security issue.\n* Contact us immediately if you do inadvertently encounter user data. Do not view, alter, save, store, transfer, or otherwise access the data and immediately purge any local information upon reporting the vulnerability to Grammarly. \n* Follow [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n* We reserve the right to disqualify individuals from the program for disrespectful or disruptive behavior.\n\n# Scope\n\n## Focus Scope\n\nGrammarly is particularly interested in testing our **Browser Extensions, Desktop Editor, Mobile Keyboards, Add-On for Microsoft Word and Outlook, Grammarly for Microsoft Word**.\n \nVulnerabilities in Grammarly Mobile Keyboard for Android with a working proof of concept may qualify for an additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). 
To see which vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s [Vulnerability Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n### Native apps and clients\n\n- __Browser Extensions for Chrome, Safari, Firefox, Edge__ - A browser extension that's compatible with the supported versions of Chrome, Safari, Firefox, and Edge.\n- __Desktop Editor for Microsoft Windows and MacOS__ – Electron-powered desktop application for [macOS](https://www.grammarly.com/native/mac) and [Windows](https://www.grammarly.com/native/windows). Only security issues with \"Network\" attack vector are eligible for reporting.\n- __Add-On for Microsoft Word and Outlook__ - [Grammarly add-on](https://www.grammarly.com/office-addin/windows) for MS Word and Outlook for Windows. \n- __Add-On for Microsoft Word__ - [Grammarly add-on](https://appsource.microsoft.com/en-us/product/office/WA200001011?tab=Overview) for MS Word for macOS and Windows. ​\n- __Mobile keyboards and applications for Android and iOS__ – our mobile apps and keyboards.\n\n## Standard Scope\n\nAll other assets listed in our “In Scope” table.\n\n# Rewards\n\n- When duplicates (including internally known issues) occur, we only award the first report that we receive.\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- Our rewards are based on the **impact** of a vulnerability, **attack requirements** and **scenario**.\n- We will try to conform with CVSSv3. 
However, certain exclusions might be possible.\n- The final reward decisions are up to the discretion of Grammarly.\n- We may calculate the severity and rewards of particular vulnerabilities in our client apps and web applications based on our User Agents and clients statistics.\n- If **your report pointed** our internal security team to a more severe bug, we will calculate your reward based **on the most severe bug we found internally.**\n- A report might be rewarded retroactively for a limited amount of time on a case-by-case basis.\n- We may award a Grammarly Premium account for particular \"Informative\" or \"Low\" severity bugs.\n* **Clearness of your report reflects the potential reward:** If your report isn't clear enough (e.g., lacks proof of concept code), it may lower the bounty, despite the severity of the found issue. *This rule works vice versa too!*\n\n## Recommendations for reporting\n\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n- Multiple chained vulnerabilities submitted as one report will qualify for one bigger bounty. If you submit multiple linked vulnerabilities as different reports, we will award every vulnerability individually!\n- Reports that include proof of concept code will be more likely to be accepted.\n\n## Public disclosure\n\n- Public disclosure of the vulnerability prior to resolution may cancel a pending reward.\n- We reserve the right to not disclose the report or to disclose it only partially. (We may do this if the original report includes password hashes, config files, proprietary source code, any internal info, etc.)\n- We encourage public disclosure of your findings in our program!\n- We'd like to help out with your **write-ups about publicly disclosed bugs**. 
Feel free to send your write-up to security@grammarly.com!\n\n# Non-Qualifying Vulnerabilities\n\n- Report about any vulnerability from the exclusion list below will most likely be closed as \"N/A\".\n- Submitting multiple N/A reports may result in you being excluded from participating in our program.\n\n## Common vulnerabilities excluded from the scope\n\n* Social engineering (e.g., phishing, vishing, smishing) of Grammarly employees and users is strictly prohibited.\n* Clickjacking, CSRF, Content spoofing issues without demonstrable security impact.\n* CSV injection.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Stack traces, path disclosure, and directory listings.\n* Self-XSS or having a user paste JavaScript into the browser console.\n* Vulnerabilities in outdated versions of Grammarly software.\n* Issues relating to non-Grammarly products.\n* Any activity that could lead to the disruption of our service (DoS).\n* Reports that include only crash dumps or other automated tool output without a proof of concept code.\n* Open ports scanning, banner grabbing, software version disclosure issues.\n* **MITM attacks on secure connection** and “Mixed Content” issues are out of scope.\n* Vulnerabilities that require root-level or physical access on a targeted device are out of scope.\n* Issues that affect only outdated user agents or unsupported platforms.\n* Issues related to the missing address bar in Desktop Editor.\n\n## Non-Qualifying best practices\n\n* Missing cookie flags on non-authentication cookies.\n* Missing best practices in DNS configuration (e.g. 
DKIM/DMARC/SPF/TXT).\n* Missing best practices in SSL/TLS configuration.\n* Missing best practices in Content Security Policy (CSP) or lack of other security-related headers.\n* Leakage of sensitive tokens (e.g., reset password token) to trusted third parties on secure connection (HTTPS).\n\n## Non-Qualifying (business) issues\n\n* Institution access code enumeration or demonstrating access codes leaked in Internet forums.\n* Credential re-usage from public dumps.\n* UUID enumeration of any kind.\n* Ability to determine if a username or email has a Grammarly account, also known as an account oracle.\n* Signing up with multiple accounts to abuse referral code usage.\n* Password length, complexity, and re-use requirements.\n* Email verification feature.\n* Sharing Premium accounts with other users isn't considered a monetary impact.\n\nThank you for helping keep Grammarly and our users safe!\n​\n## Consequences of Complying with This Policy aka Safe Harbor\n\nWe will not pursue a civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistently with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Acceptable Use Policy, we waive those restrictions for the limited purpose of permitting security research under this policy. 
We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n​\nIf legal action is initiated by a third party against you and you have complied with Grammarly’s bug bounty policy, Grammarly will take steps to make it known that your actions were conducted in compliance with this policy.\n​\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-10-01T13:33:56.046Z"},{"id":3641803,"new_policy":"Security and privacy is a core concept for Grammarly. Grammarly looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n# Rules for us\n\n- We respect the time and effort of our researchers.\n- We will respond **within 3 business days**.\n- We will try to make a bounty determination **after validating** a legitimate security issue **within 10 business days**.\n- We will not take legal action against you for playing by these rules.\n- We will do our best to keep you informed about our progress throughout the process.\n- We will not respond to threats or negotiate under duress.\n\n# Rules for you\n\n* Be an ethical hacker.\n* Respect other users’ privacy: only interact with Grammarly accounts you own or with the explicit permission of the account holder.\n* Make a good-faith effort to avoid testing that would result in privacy violations, destruction of data or interruption or degradation of our service.\n* Let us know as soon as possible upon discovery of a potential security issue.\n* Contact us immediately if you do inadvertently encounter user data. 
Do not view, alter, save, store, transfer, or otherwise access the data and immediately purge any local information upon reporting the vulnerability to Grammarly. \n* Follow [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n* We reserve the right to disqualify individuals from the program for disrespectful or disruptive behavior.\n\n# Scope\n\n## Grammarly SSO Promotion 🎉\n\nThe scope of this promotion includes any vulnerabilities related to Grammarly's SSO implementation. Any security bug in SSO implementation that impacts integrity, confidentiality, or availability is considered in-scope for this challenge.\n\nTo participate in the challenge, please create a *test Grammarly account* and **[submit this form](https://docs.google.com/forms/d/e/1FAIpQLSefz4Is-rTTA_GQyhc7TtKbNdBzIgX_1n0SzrHHBRqc787ggg/viewform)**. We’ll notify you via email once we create a test organization account associated with your email.\n\nWe’ll share more documentation on SSO API (endpoints, payloads, rate limits) during the challenge.\n\n**SSO Promotion Rewards**\n\n| Severity|Reward|Examples|\n|---------|-------|----------|\n|Low|$500| |\n|Medium|$2500|Information disclosure about organization through SSO|\n|High|$7500|Horizontal/Vertical privilege escalation via SSO inside the organization|\n|Critical|$15,000|Authentication bypass via SSO affecting any organization|\n\nAdditionally, we’ll award **+20% (incrementally)** to bounty for each next valid bug submitted by a researcher. 
(1st bug in SSO - 100% of reward, 2nd - 120% of bounty, 3rd - 140%, …)\n\nThe **first valid report** about SSO implementation will receive **+50%** as a bonus to the bounty amount.\n\n## Focus Scope\n\nGrammarly is particularly interested in testing our **Browser Extensions, Desktop Editor, Mobile Keyboards, Add-On for Microsoft Word and Outlook, Grammarly for Microsoft Word**.\n \nVulnerabilities in Grammarly Mobile Keyboard for Android with a working proof of concept may qualify for an additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). To see which vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s [Vulnerability Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n### Native apps and clients\n\n- __Browser Extensions for Chrome, Safari, Firefox, Edge__ - A browser extension that's compatible with the supported versions of Chrome, Safari, Firefox, and Edge.\n- __Desktop Editor for Microsoft Windows and MacOS__ – Electron-powered desktop application for [macOS](https://www.grammarly.com/native/mac) and [Windows](https://www.grammarly.com/native/windows). Only security issues with \"Network\" attack vector are eligible for reporting.\n- __Add-On for Microsoft Word and Outlook__ - [Grammarly add-on](https://www.grammarly.com/office-addin/windows) for MS Word and Outlook for Windows. \n- __Add-On for Microsoft Word__ - [Grammarly add-on](https://appsource.microsoft.com/en-us/product/office/WA200001011?tab=Overview) for MS Word for macOS and Windows. 
​\n- __Mobile keyboards and applications for Android and iOS__ – our mobile apps and keyboards.\n\n## Standard Scope\n\nAll other assets listed in our “In Scope” table.\n\n# Rewards\n\n- When duplicates (including internally known issues) occur, we only award the first report that we receive.\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- Our rewards are based on the **impact** of a vulnerability, **attack requirements** and **scenario**.\n- We will try to conform with CVSSv3. However, certain exclusions might be possible.\n- The final reward decisions are up to the discretion of Grammarly.\n- We may calculate the severity and rewards of particular vulnerabilities in our client apps and web applications based on our User Agents and clients statistics.\n- If **your report pointed** our internal security team to a more severe bug, we will calculate your reward based **on the most severe bug we found internally.**\n- A report might be rewarded retroactively for a limited amount of time on a case-by-case basis.\n- We may award a Grammarly Premium account for particular \"Informative\" or \"Low\" severity bugs.\n* **Clearness of your report reflects the potential reward:** If your report isn't clear enough (e.g., lacks proof of concept code), it may lower the bounty, despite the severity of the found issue. *This rule works vice versa too!*\n\n## Recommendations for reporting\n\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n- Multiple chained vulnerabilities submitted as one report will qualify for one bigger bounty. 
If you submit multiple linked vulnerabilities as different reports, we will award every vulnerability individually!\n- Reports that include proof of concept code will be more likely to be accepted.\n\n## Public disclosure\n\n- Public disclosure of the vulnerability prior to resolution may cancel a pending reward.\n- We reserve the right to not disclose the report or to disclose it only partially. (We may do this if the original report includes password hashes, config files, proprietary source code, any internal info, etc.)\n- We encourage public disclosure of your findings in our program!\n- We'd like to help out with your **write-ups about publicly disclosed bugs**. Feel free to send your write-up to security@grammarly.com!\n\n# Non-Qualifying Vulnerabilities\n\n- Report about any vulnerability from the exclusion list below will most likely be closed as \"N/A\".\n- Submitting multiple N/A reports may result in you being excluded from participating in our program.\n\n## Common vulnerabilities excluded from the scope\n\n* Social engineering (e.g., phishing, vishing, smishing) of Grammarly employees and users is strictly prohibited.\n* Clickjacking, CSRF, Content spoofing issues without demonstrable security impact.\n* CSV injection.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Stack traces, path disclosure, and directory listings.\n* Self-XSS or having a user paste JavaScript into the browser console.\n* Vulnerabilities in outdated versions of Grammarly software.\n* Issues relating to non-Grammarly products.\n* Any activity that could lead to the disruption of our service (DoS).\n* Reports that include only crash dumps or other automated tool output without a proof of concept code.\n* Open ports scanning, banner grabbing, software version disclosure issues.\n* **MITM attacks on secure connection** and “Mixed Content” issues are out of scope.\n* Vulnerabilities that require root-level or physical access on a targeted device are out 
of scope.\n* Issues that affect only outdated user agents or unsupported platforms.\n* Issues related to the missing address bar in Desktop Editor.\n\n## Non-Qualifying best practices\n\n* Missing cookie flags on non-authentication cookies.\n* Missing best practices in DNS configuration (e.g. DKIM/DMARC/SPF/TXT).\n* Missing best practices in SSL/TLS configuration.\n* Missing best practices in Content Security Policy (CSP) or lack of other security-related headers.\n* Leakage of sensitive tokens (e.g., reset password token) to trusted third parties on secure connection (HTTPS).\n\n## Non-Qualifying (business) issues\n\n* Institution access code enumeration or demonstrating access codes leaked in Internet forums.\n* Credential re-usage from public dumps.\n* UUID enumeration of any kind.\n* Ability to determine if a username or email has a Grammarly account, also known as an account oracle.\n* Signing up with multiple accounts to abuse referral code usage.\n* Password length, complexity, and re-use requirements.\n* Email verification feature.\n* Sharing Premium accounts with other users isn't considered a monetary impact.\n\nThank you for helping keep Grammarly and our users safe!\n​\n## Consequences of Complying with This Policy aka Safe Harbor\n\nWe will not pursue a civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistently with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Acceptable Use Policy, we waive those restrictions for the limited purpose of permitting security research under this policy. 
We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n​\nIf legal action is initiated by a third party against you and you have complied with Grammarly’s bug bounty policy, Grammarly will take steps to make it known that your actions were conducted in compliance with this policy.\n​\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-08-28T12:36:24.949Z"},{"id":3634658,"new_policy":"Security and privacy is a core concept for Grammarly. Grammarly looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n# Rules for us\n\n- We respect the time and effort of our researchers.\n- We will respond **within 3 business days**.\n- We will try to make a bounty determination **after validating** a legitimate security issue **within 10 business days**.\n- We will not take legal action against you for playing by these rules.\n- We will do our best to keep you informed about our progress throughout the process.\n- We will not respond to threats or negotiate under duress.\n\n# Rules for you\n\n* Be an ethical hacker.\n* Respect other users’ privacy: only interact with Grammarly accounts you own or with the explicit permission of the account holder.\n* Make a good-faith effort to avoid testing that would result in privacy violations, destruction of data or interruption or degradation of our service.\n* Let us know as soon as possible upon discovery of a potential security issue.\n* Contact us immediately if you do inadvertently encounter user data. 
Do not view, alter, save, store, transfer, or otherwise access the data and immediately purge any local information upon reporting the vulnerability to Grammarly. \n* Follow [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n* We reserve the right to disqualify individuals from the program for disrespectful or disruptive behavior.\n\n# Scope\n\n## Focus Scope\n\nGrammarly is particularly interested in testing our **Browser Extensions, Desktop Editor, Mobile Keyboards, Add-On for Microsoft Word and Outlook, Grammarly for Microsoft Word**.\n \nVulnerabilities in Grammarly Mobile Keyboard for Android with a working proof of concept may qualify for an additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). To see which vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s [Vulnerability Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n### Native apps and clients\n\n- __Browser Extensions for Chrome, Safari, Firefox, Edge__ - A browser extension that's compatible with the supported versions of Chrome, Safari, Firefox, and Edge.\n- __Desktop Editor for Microsoft Windows and MacOS__ – Electron-powered desktop application for [macOS](https://www.grammarly.com/native/mac) and [Windows](https://www.grammarly.com/native/windows). Only security issues with \"Network\" attack vector are eligible for reporting.\n- __Add-On for Microsoft Word and Outlook__ - [Grammarly add-on](https://www.grammarly.com/office-addin/windows) for MS Word and Outlook for Windows. \n- __Add-On for Microsoft Word__ - [Grammarly add-on](https://appsource.microsoft.com/en-us/product/office/WA200001011?tab=Overview) for MS Word for macOS and Windows. 
​\n- __Mobile keyboards and applications for Android and iOS__ – our mobile apps and keyboards.\n\n## Standard Scope\n\nAll other assets listed in our “In Scope” table.\n\n# Rewards\n\n- When duplicates (including internally known issues) occur, we only award the first report that we receive.\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- Our rewards are based on the **impact** of a vulnerability, **attack requirements** and **scenario**.\n- We will try to conform with CVSSv3. However, certain exclusions might be possible.\n- The final reward decisions are up to the discretion of Grammarly.\n- We may calculate the severity and rewards of particular vulnerabilities in our client apps and web applications based on our User Agents and clients statistics.\n- If **your report pointed** our internal security team to a more severe bug, we will calculate your reward based **on the most severe bug we found internally.**\n- A report might be rewarded retroactively for a limited amount of time on a case-by-case basis.\n- We may award a Grammarly Premium account for particular \"Informative\" or \"Low\" severity bugs.\n* **Clearness of your report reflects the potential reward:** If your report isn't clear enough (e.g., lacks proof of concept code), it may lower the bounty, despite the severity of the found issue. *This rule works vice versa too!*\n\n## Recommendations for reporting\n\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n- Multiple chained vulnerabilities submitted as one report will qualify for one bigger bounty. 
If you submit multiple linked vulnerabilities as different reports, we will award every vulnerability individually!\n- Reports that include proof of concept code will be more likely to be accepted.\n\n## Public disclosure\n\n- Public disclosure of the vulnerability prior to resolution may cancel a pending reward.\n- We reserve the right to not disclose the report or to disclose it only partially. (We may do this if the original report includes password hashes, config files, proprietary source code, any internal info, etc.)\n- We encourage public disclosure of your findings in our program!\n- We'd like to help out with your **write-ups about publicly disclosed bugs**. Feel free to send your write-up to security@grammarly.com!\n\n# Non-Qualifying Vulnerabilities\n\n- Report about any vulnerability from the exclusion list below will most likely be closed as \"N/A\".\n- Submitting multiple N/A reports may result in you being excluded from participating in our program.\n\n## Common vulnerabilities excluded from the scope\n\n* Social engineering (e.g., phishing, vishing, smishing) of Grammarly employees and users is strictly prohibited.\n* Clickjacking, CSRF, Content spoofing issues without demonstrable security impact.\n* CSV injection.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Stack traces, path disclosure, and directory listings.\n* Self-XSS or having a user paste JavaScript into the browser console.\n* Vulnerabilities in outdated versions of Grammarly software.\n* Issues relating to non-Grammarly products.\n* Any activity that could lead to the disruption of our service (DoS).\n* Reports that include only crash dumps or other automated tool output without a proof of concept code.\n* Open ports scanning, banner grabbing, software version disclosure issues.\n* **MITM attacks on secure connection** and “Mixed Content” issues are out of scope.\n* Vulnerabilities that require root-level or physical access on a targeted device are out 
of scope.\n* Issues that affect only outdated user agents or unsupported platforms.\n* Issues related to the missing address bar in Desktop Editor.\n\n## Non-Qualifying best practices\n\n* Missing cookie flags on non-authentication cookies.\n* Missing best practices in DNS configuration (e.g. DKIM/DMARC/SPF/TXT).\n* Missing best practices in SSL/TLS configuration.\n* Missing best practices in Content Security Policy (CSP) or lack of other security-related headers.\n* Leakage of sensitive tokens (e.g., reset password token) to trusted third parties on secure connection (HTTPS).\n\n## Non-Qualifying (business) issues\n\n* Institution access code enumeration or demonstrating access codes leaked in Internet forums.\n* Credential re-usage from public dumps.\n* UUID enumeration of any kind.\n* Ability to determine if a username or email has a Grammarly account, also known as an account oracle.\n* Signing up with multiple accounts to abuse referral code usage.\n* Password length, complexity, and re-use requirements.\n* Email verification feature.\n* Sharing Premium accounts with other users isn't considered a monetary impact.\n\nThank you for helping keep Grammarly and our users safe!\n​\n## Consequences of Complying with This Policy aka Safe Harbor\n\nWe will not pursue a civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistently with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Acceptable Use Policy, we waive those restrictions for the limited purpose of permitting security research under this policy. 
We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n​\nIf legal action is initiated by a third party against you and you have complied with Grammarly’s bug bounty policy, Grammarly will take steps to make it known that your actions were conducted in compliance with this policy.\n​\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-04-06T14:39:17.278Z"},{"id":3633528,"new_policy":"Security and privacy is a core concept for Grammarly. Grammarly looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n# Rules for us\n\n- We respect the time and effort of our researchers.\n- We will respond **within 3 business days**.\n- We will try to make a bounty determination **after validating** a legitimate security issue **within 10 business days**.\n- We will not take legal action against you for playing by these rules.\n- We will do our best to keep you informed about our progress throughout the process.\n- We will not respond to threats or negotiate under duress.\n\n# Rules for you\n\n* Be an ethical hacker.\n* Respect other users’ privacy: only interact with Grammarly accounts you own or with the explicit permission of the account holder.\n* Make a good-faith effort to avoid testing that would result in privacy violations, destruction of data or interruption or degradation of our service.\n* Let us know as soon as possible upon discovery of a potential security issue.\n* Contact us immediately if you do inadvertently encounter user data. 
Do not view, alter, save, store, transfer, or otherwise access the data and immediately purge any local information upon reporting the vulnerability to Grammarly. \n* Follow [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n* We reserve the right to disqualify individuals from the program for disrespectful or disruptive behavior.\n\n# Scope\n\n## Focus Scope\n\nGrammarly is particularly interested in testing our **Browser Extensions, Desktop Editor, Mobile Keyboards, Add-On for Microsoft Word and Outlook**.\n \nVulnerabilities in Grammarly Mobile Keyboard for Android with a working proof of concept may qualify for an additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). To see which vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s [Vulnerability Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n### Native apps and clients\n\n* __Browser Extensions for Chrome, Safari, Firefox, Edge__ - A browser extension that's compatible with the supported versions of Chrome, Safari, Firefox, and Edge.\n​\n* __Desktop Editor for Microsoft Windows and MacOS__ – Electron-powered desktop application for [macOS](https://www.grammarly.com/native/mac) and [Windows](https://www.grammarly.com/native/windows). Only security issues with \"Network\" attack vector are eligible for reporting.\n​\n* __Add-On for Microsoft Word and Outlook__ - [Grammarly add-on](https://www.grammarly.com/office-addin/windows) for MS Word and Outlook for Windows. 
\n​\n* __Mobile keyboards and applications for Android and iOS__ – our mobile apps and keyboards.\n\n## Standard Scope\n\nAll other assets listed in our “In Scope” table.\n\n# Rewards\n\n- When duplicates (including internally known issues) occur, we only award the first report that we receive.\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- Our rewards are based on the **impact** of a vulnerability, **attack requirements** and **scenario**.\n- We will try to conform with CVSSv3. However, certain exclusions might be possible.\n- The final reward decisions are up to the discretion of Grammarly.\n- We may calculate the severity and rewards of particular vulnerabilities in our client apps and web applications based on our User Agents and clients statistics.\n- If **your report pointed** our internal security team to a more severe bug, we will calculate your reward based **on the most severe bug we found internally.**\n- A report might be rewarded retroactively for a limited amount of time on a case-by-case basis.\n- We may award a Grammarly Premium account for particular \"Informative\" or \"Low\" severity bugs.\n* **Clearness of your report reflects the potential reward:** If your report isn't clear enough (e.g., lacks proof of concept code), it may lower the bounty, despite the severity of the found issue. *This rule works vice versa too!*\n\n## Recommendations for reporting\n\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n- Multiple chained vulnerabilities submitted as one report will qualify for one bigger bounty. 
If you submit multiple linked vulnerabilities as different reports, we will award every vulnerability individually!\n- Reports that include proof of concept code will be more likely to be accepted.\n\n## Public disclosure\n\n- Public disclosure of the vulnerability prior to resolution may cancel a pending reward.\n- We reserve the right to not disclose the report or to disclose it only partially. (We may do this if the original report includes password hashes, config files, proprietary source code, any internal info, etc.)\n- We encourage public disclosure of your findings in our program!\n- We'd like to help out with your **write-ups about publicly disclosed bugs**. Feel free to send your write-up to security@grammarly.com!\n\n# Non-Qualifying Vulnerabilities\n\n- Report about any vulnerability from the exclusion list below will most likely be closed as \"N/A\".\n- Submitting multiple N/A reports may result in you being excluded from participating in our program.\n\n## Common vulnerabilities excluded from the scope\n\n* Social engineering (e.g., phishing, vishing, smishing) of Grammarly employees and users is strictly prohibited.\n* Clickjacking, CSRF, Content spoofing issues without demonstrable security impact.\n* CSV injection.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Stack traces, path disclosure, and directory listings.\n* Self-XSS or having a user paste JavaScript into the browser console.\n* Vulnerabilities in outdated versions of Grammarly software.\n* Issues relating to non-Grammarly products.\n* Any activity that could lead to the disruption of our service (DoS).\n* Reports that include only crash dumps or other automated tool output without a proof of concept code.\n* Open ports scanning, banner grabbing, software version disclosure issues.\n* **MITM attacks on secure connection** and “Mixed Content” issues are out of scope.\n* Vulnerabilities that require root-level or physical access on a targeted device are out 
of scope.\n* Issues that affect only outdated user agents or unsupported platforms.\n* Issues related to the missing address bar in Desktop Editor.\n\n## Non-Qualifying best practices\n\n* Missing cookie flags on non-authentication cookies.\n* Missing best practices in DNS configuration (e.g. DKIM/DMARC/SPF/TXT).\n* Missing best practices in SSL/TLS configuration.\n* Missing best practices in Content Security Policy (CSP) or lack of other security-related headers.\n* Leakage of sensitive tokens (e.g., reset password token) to trusted third parties on secure connection (HTTPS).\n\n## Non-Qualifying (business) issues\n\n* Institution access code enumeration or demonstrating access codes leaked in Internet forums.\n* Credential re-usage from public dumps.\n* UUID enumeration of any kind.\n* Ability to determine if a username or email has a Grammarly account, also known as an account oracle.\n* Signing up with multiple accounts to abuse referral code usage.\n* Password length, complexity, and re-use requirements.\n* Email verification feature.\n* Sharing Premium accounts with other users isn't considered a monetary impact.\n\nThank you for helping keep Grammarly and our users safe!\n​\n## Consequences of Complying with This Policy aka Safe Harbor\n\nWe will not pursue a civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistently with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Acceptable Use Policy, we waive those restrictions for the limited purpose of permitting security research under this policy. 
We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n​\nIf legal action is initiated by a third party against you and you have complied with Grammarly’s bug bounty policy, Grammarly will take steps to make it known that your actions were conducted in compliance with this policy.\n​\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-03-20T14:22:47.225Z"},{"id":3629748,"new_policy":"Security and privacy is a core concept for Grammarly. Grammarly looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n# Rules for us\n\n- We respect the time and effort of our researchers.\n- We will respond **within 3 business days**.\n- We will try to make a bounty determination **after validating** a legitimate security issue **within 10 business days**.\n- We will not take legal action against you for playing by these rules.\n- We will do our best to keep you informed about our progress throughout the process.\n- We will not respond to threats or negotiate under duress.\n\n# Rules for you\n\n* Be an ethical hacker.\n* Respect other users’ privacy: only interact with Grammarly accounts you own or with the explicit permission of the account holder.\n* Make a good-faith effort to avoid testing that would result in privacy violations, destruction of data or interruption or degradation of our service.\n* Let us know as soon as possible upon discovery of a potential security issue.\n* Contact us immediately if you do inadvertently encounter user data. 
Do not view, alter, save, store, transfer, or otherwise access the data and immediately purge any local information upon reporting the vulnerability to Grammarly. \n* Follow [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n* We reserve the right to disqualify individuals from the program for disrespectful or disruptive behavior.\n\n# Scope\n\n## Focus Scope\n\nGrammarly is particularly interested in testing our **Browser Extensions, Desktop Editor, Mobile Keyboards, Add-On for Microsoft Word and Outlook**.\n \nVulnerabilities in Grammarly Mobile Keyboard for Android with a working proof of concept may qualify for an additional bounty through the [Google Play Security Rewards Program](https://hackerone.com/googleplay). To see which vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s [Vulnerability Criteria](https://hackerone.com/googleplay).\n\n### Native apps and clients\n\n* __Browser Extensions for Chrome, Safari, Firefox, Edge__ - A browser extension that's compatible with the supported versions of Chrome, Safari, Firefox, and Edge.\n​\n* __Desktop Editor for Microsoft Windows and MacOS__ – Electron-powered desktop application for [macOS](https://www.grammarly.com/native/mac) and [Windows](https://www.grammarly.com/native/windows). Only security issues with \"Network\" attack vector are eligible for reporting.\n​\n* __Add-On for Microsoft Word and Outlook__ - [Grammarly add-on](https://www.grammarly.com/office-addin/windows) for MS Word and Outlook for Windows. 
\n​\n* __Mobile keyboards and applications for Android and iOS__ – our mobile apps and keyboards.\n\n## Standard Scope\n\nAll other assets listed in our “In Scope” table.\n\n# Rewards\n\n- When duplicates (including internally known issues) occur, we only award the first report that we receive.\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- Our rewards are based on the **impact** of a vulnerability, **attack requirements** and **scenario**.\n- We will try to conform with CVSSv3. However, certain exclusions might be possible.\n- The final reward decisions are up to the discretion of Grammarly.\n- We may calculate the severity and rewards of particular vulnerabilities in our client apps and web applications based on our User Agents and clients statistics.\n- If **your report pointed** our internal security team to a more severe bug, we will calculate your reward based **on the most severe bug we found internally.**\n- A report might be rewarded retroactively for a limited amount of time on a case-by-case basis.\n- We may award a Grammarly Premium account for particular \"Informative\" or \"Low\" severity bugs.\n* **Clearness of your report reflects the potential reward:** If your report isn't clear enough (e.g., lacks proof of concept code), it may lower the bounty, despite the severity of the found issue. *This rule works vice versa too!*\n\n## Recommendations for reporting\n\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n- Multiple chained vulnerabilities submitted as one report will qualify for one bigger bounty. 
If you submit multiple linked vulnerabilities as different reports, we will award every vulnerability individually!\n- Reports that include proof of concept code will be more likely to be accepted.\n\n## Public disclosure\n\n- Public disclosure of the vulnerability prior to resolution may cancel a pending reward.\n- We reserve the right to not disclose the report or to disclose it only partially. (We may do this if the original report includes password hashes, config files, proprietary source code, any internal info, etc.)\n- We encourage public disclosure of your findings in our program!\n- We'd like to help out with your **write-ups about publicly disclosed bugs**. Feel free to send your write-up to security@grammarly.com!\n\n# Non-Qualifying Vulnerabilities\n\n- Report about any vulnerability from the exclusion list below will most likely be closed as \"N/A\".\n- Submitting multiple N/A reports may result in you being excluded from participating in our program.\n\n## Common vulnerabilities excluded from the scope\n\n* Social engineering (e.g., phishing, vishing, smishing) of Grammarly employees and users is strictly prohibited.\n* Clickjacking, CSRF, Content spoofing issues without demonstrable security impact.\n* CSV injection.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Stack traces, path disclosure, and directory listings.\n* Self-XSS or having a user paste JavaScript into the browser console.\n* Vulnerabilities in outdated versions of Grammarly software.\n* Issues relating to non-Grammarly products.\n* Any activity that could lead to the disruption of our service (DoS).\n* Reports that include only crash dumps or other automated tool output without a proof of concept code.\n* Open ports scanning, banner grabbing, software version disclosure issues.\n* **MITM attacks on secure connection** and “Mixed Content” issues are out of scope.\n* Vulnerabilities that require root-level or physical access on a targeted device are out 
of scope.\n* Issues that affect only outdated user agents or unsupported platforms.\n* Issues related to the missing address bar in Desktop Editor.\n\n## Non-Qualifying best practices\n\n* Missing cookie flags on non-authentication cookies.\n* Missing best practices in DNS configuration (e.g. DKIM/DMARC/SPF/TXT).\n* Missing best practices in SSL/TLS configuration.\n* Missing best practices in Content Security Policy (CSP) or lack of other security-related headers.\n* Leakage of sensitive tokens (e.g., reset password token) to trusted third parties on secure connection (HTTPS).\n\n## Non-Qualifying (business) issues\n\n* Institution access code enumeration or demonstrating access codes leaked in Internet forums.\n* Credential re-usage from public dumps.\n* UUID enumeration of any kind.\n* Ability to determine if a username or email has a Grammarly account, also known as an account oracle.\n* Signing up with multiple accounts to abuse referral code usage.\n* Password length, complexity, and re-use requirements.\n* Email verification feature.\n* Sharing Premium accounts with other users isn't considered a monetary impact.\n\nThank you for helping keep Grammarly and our users safe!\n​\n## Consequences of Complying with This Policy aka Safe Harbor\n\nWe will not pursue a civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistently with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Acceptable Use Policy, we waive those restrictions for the limited purpose of permitting security research under this policy. 
We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n​\nIf legal action is initiated by a third party against you and you have complied with Grammarly’s bug bounty policy, Grammarly will take steps to make it known that your actions were conducted in compliance with this policy.\n​\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-02-04T11:02:17.592Z"},{"id":3629681,"new_policy":"Security and privacy is a core concept for Grammarly. Grammarly looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n# Rules for us\n\n- We respect the time and effort of our researchers.\n- We will respond **within 3 business days**.\n- We will try to make a bounty determination **after validating** a legitimate security issue **within 10 business days**.\n- We will not take legal action against you for playing by these rules.\n- We will do our best to keep you informed about our progress throughout the process.\n- We will not respond to threats or negotiate under duress.\n\n# Rules for you\n\n* Be an ethical hacker.\n* Respect other users’ privacy: only interact with Grammarly accounts you own or with the explicit permission of the account holder.\n* Make a good-faith effort to avoid testing that would result in privacy violations, destruction of data or interruption or degradation of our service.\n* Let us know as soon as possible upon discovery of a potential security issue.\n* Contact us immediately if you do inadvertently encounter user data. 
Do not view, alter, save, store, transfer, or otherwise access the data and immediately purge any local information upon reporting the vulnerability to Grammarly. \n* Follow [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n* We reserve the right to disqualify individuals from the program for disrespectful or disruptive behavior.\n\n# Scope\n\n## Focus Scope\n\nGrammarly is particularly interested in testing our **Browser Extensions, Desktop Editor, Mobile Keyboards, Add-On for Microsoft Word and Outlook**.\n \nVulnerabilities in Grammarly Mobile Keyboard for Android with a working proof of concept may qualify for an additional bounty through the [Google Play Security Rewards Program](https://hackerone.com/googleplay). To see which vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s [Vulnerability Criteria](https://hackerone.com/googleplay).\n\n### Native apps and clients\n\n* __Browser Extensions for Chrome, Safari, Firefox, Edge__ - A browser extension that's compatible with the supported versions of Chrome, Safari, Firefox, and Edge.\n​\n* __Desktop Editor for Microsoft Windows and MacOS__ – Electron-powered desktop application for [macOS](https://www.grammarly.com/native/mac) and [Windows](https://www.grammarly.com/native/windows). Only **remotely exploitable** issues in Desktop Editor are eligible for reporting.\n​\n* __Add-On for Microsoft Word and Outlook__ - [Grammarly add-on](https://www.grammarly.com/office-addin/windows) for MS Word and Outlook for Windows. 
\n​\n* __Mobile keyboards and applications for Android and iOS__ – our mobile apps and keyboards.\n\n## Standard Scope\n\nAll other assets listed in our “In Scope” table.\n\n# Rewards\n\n- When duplicates (including internally known issues) occur, we only award the first report that we receive.\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- Our rewards are based on the **impact** of a vulnerability, **attack requirements** and **scenario**.\n- We will try to conform with CVSSv3. However, certain exclusions might be possible.\n- The final reward decisions are up to the discretion of Grammarly.\n- We may calculate the severity and rewards of particular vulnerabilities in our client apps and web applications based on our User Agents and clients statistics.\n- If **your report pointed** our internal security team to a more severe bug, we will calculate your reward based **on the most severe bug we found internally.**\n- A report might be rewarded retroactively for a limited amount of time on a case-by-case basis.\n- We may award a Grammarly Premium account for particular \"Informative\" or \"Low\" severity bugs.\n* **Clearness of your report reflects the potential reward:** If your report isn't clear enough (e.g., lacks proof of concept code), it may lower the bounty, despite the severity of the found issue. *This rule works vice versa too!*\n\n## Recommendations for reporting\n\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n- Multiple chained vulnerabilities submitted as one report will qualify for one bigger bounty. 
If you submit multiple linked vulnerabilities as different reports, we will award every vulnerability individually!\n- Reports that include proof of concept code will be more likely to be accepted.\n\n## Public disclosure\n\n- Public disclosure of the vulnerability prior to resolution may cancel a pending reward.\n- We reserve the right to not disclose the report or to disclose it only partially. (We may do this if the original report includes password hashes, config files, proprietary source code, any internal info, etc.)\n- We encourage public disclosure of your findings in our program!\n- We'd like to help out with your **write-ups about publicly disclosed bugs**. Feel free to send your write-up to security@grammarly.com!\n\n# Non-Qualifying Vulnerabilities\n\n- Report about any vulnerability from the exclusion list below will most likely be closed as \"N/A\".\n- Submitting multiple N/A reports may result in you being excluded from participating in our program.\n\n## Common vulnerabilities excluded from the scope\n\n* Social engineering (e.g., phishing, vishing, smishing) of Grammarly employees and users is strictly prohibited.\n* Clickjacking, CSRF, Content spoofing issues without demonstrable security impact.\n* CSV injection.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Stack traces, path disclosure, and directory listings.\n* Self-XSS or having a user paste JavaScript into the browser console.\n* Vulnerabilities in outdated versions of Grammarly software.\n* Issues relating to non-Grammarly products.\n* Any activity that could lead to the disruption of our service (DoS).\n* Reports that include only crash dumps or other automated tool output without a proof of concept code.\n* Open ports scanning, banner grabbing, software version disclosure issues.\n* **MITM attacks on secure connection** and “Mixed Content” issues are out of scope.\n* Vulnerabilities that require root-level or physical access on a targeted device are out 
of scope.\n* Issues that affect only outdated user agents or unsupported platforms.\n* Issues related to the missing address bar in Desktop Editor.\n\n## Non-Qualifying best practices\n\n* Missing cookie flags on non-authentication cookies.\n* Missing best practices in DNS configuration (e.g. DKIM/DMARC/SPF/TXT).\n* Missing best practices in SSL/TLS configuration.\n* Missing best practices in Content Security Policy (CSP) or lack of other security-related headers.\n* Leakage of sensitive tokens (e.g., reset password token) to trusted third parties on secure connection (HTTPS).\n\n## Non-Qualifying (business) issues\n\n* Institution access code enumeration or demonstrating access codes leaked in Internet forums.\n* Credential re-usage from public dumps.\n* UUID enumeration of any kind.\n* Ability to determine if a username or email has a Grammarly account, also known as an account oracle.\n* Signing up with multiple accounts to abuse referral code usage.\n* Password length, complexity, and re-use requirements.\n* Email verification feature.\n* Sharing Premium accounts with other users isn't considered a monetary impact.\n\nThank you for helping keep Grammarly and our users safe!\n​\n## Consequences of Complying with This Policy aka Safe Harbor\n\nWe will not pursue a civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistently with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Acceptable Use Policy, we waive those restrictions for the limited purpose of permitting security research under this policy. 
We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n​\nIf legal action is initiated by a third party against you and you have complied with Grammarly’s bug bounty policy, Grammarly will take steps to make it known that your actions were conducted in compliance with this policy.\n​\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-02-03T12:53:52.878Z"},{"id":3629678,"new_policy":"Security and privacy is a core concept for Grammarly. Grammarly looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n# Rules for us\n\n- We respect the time and effort of our researchers.\n- We will respond **within 3 business days**.\n- We will try to make a bounty determination **after validating** a legitimate security issue **within 10 business days**.\n- We will not take legal action against you for playing by these rules.\n- We will do our best to keep you informed about our progress throughout the process.\n- We will not respond to threats or negotiate under duress.\n\n# Rules for you\n\n* Be an ethical hacker.\n* Respect other users’ privacy: only interact with Grammarly accounts you own or with the explicit permission of the account holder.\n* Make a good-faith effort to avoid testing that would result in privacy violations, destruction of data or interruption or degradation of our service.\n* Let us know as soon as possible upon discovery of a potential security issue.\n* Contact us immediately if you do inadvertently encounter user data. 
Do not view, alter, save, store, transfer, or otherwise access the data and immediately purge any local information upon reporting the vulnerability to Grammarly. \n* Follow [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n* We reserve the right to disqualify individuals from the program for disrespectful or disruptive behavior.\n\n# Scope\n\n## Tier 1\n\nGrammarly is particularly interested in testing our **Browser Extensions, Desktop Editor, Mobile Keyboards, Add-On for Microsoft Word and Outlook**.\n \nVulnerabilities in Grammarly Mobile Keyboard for Android with a working proof of concept may qualify for an additional bounty through the [Google Play Security Rewards Program](https://hackerone.com/googleplay). To see which vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s [Vulnerability Criteria](https://hackerone.com/googleplay).\n\n### Native apps and clients\n\n* __Browser Extensions for Chrome, Safari, Firefox, Edge__ - A browser extension that's compatible with the supported versions of Chrome, Safari, Firefox, and Edge.\n​\n* __Desktop Editor for Microsoft Windows and MacOS__ – Electron-powered desktop application for [macOS](https://www.grammarly.com/native/mac) and [Windows](https://www.grammarly.com/native/windows). Only **remotely exploitable** issues in Desktop Editor are eligible for reporting.\n​\n* __Add-On for Microsoft Word and Outlook__ - [Grammarly add-on](https://www.grammarly.com/office-addin/windows) for MS Word and Outlook for Windows. 
\n​\n* __Mobile keyboards and applications for Android and iOS__ – our mobile apps and keyboards.\n\n## Tier 2\n\nAll other assets listed in our “In Scope” table.\n\n# Rewards\n\n- When duplicates (including internally known issues) occur, we only award the first report that we receive.\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- Our rewards are based on the **impact** of a vulnerability, **attack requirements** and **scenario**.\n- We will try to conform with CVSSv3. However, certain exclusions might be possible.\n- The final reward decisions are up to the discretion of Grammarly.\n- We may calculate the severity and rewards of particular vulnerabilities in our client apps and web applications based on our User Agents and clients statistics.\n- If **your report pointed** our internal security team to a more severe bug, we will calculate your reward based **on the most severe bug we found internally.**\n- A report might be rewarded retroactively for a limited amount of time on a case-by-case basis.\n- We may award a Grammarly Premium account for particular \"Informative\" or \"Low\" severity bugs.\n* **Clearness of your report reflects the potential reward:** If your report isn't clear enough (e.g., lacks proof of concept code), it may lower the bounty, despite the severity of the found issue. *This rule works vice versa too!*\n\n## Recommendations for reporting\n\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n- Multiple chained vulnerabilities submitted as one report will qualify for one bigger bounty. 
If you submit multiple linked vulnerabilities as different reports, we will award every vulnerability individually!\n- Reports that include proof of concept code will be more likely to be accepted.\n\n## Public disclosure\n\n- Public disclosure of the vulnerability prior to resolution may cancel a pending reward.\n- We reserve the right to not disclose the report or to disclose it only partially. (We may do this if the original report includes password hashes, config files, proprietary source code, any internal info, etc.)\n- We encourage public disclosure of your findings in our program!\n- We'd like to help out with your **write-ups about publicly disclosed bugs**. Feel free to send your write-up to security@grammarly.com!\n\n# Non-Qualifying Vulnerabilities\n\n- Report about any vulnerability from the exclusion list below will most likely be closed as \"N/A\".\n- Submitting multiple N/A reports may result in you being excluded from participating in our program.\n\n## Common vulnerabilities excluded from the scope\n\n* Social engineering (e.g., phishing, vishing, smishing) of Grammarly employees and users is strictly prohibited.\n* Clickjacking, CSRF, Content spoofing issues without demonstrable security impact.\n* CSV injection.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Stack traces, path disclosure, and directory listings.\n* Self-XSS or having a user paste JavaScript into the browser console.\n* Vulnerabilities in outdated versions of Grammarly software.\n* Issues relating to non-Grammarly products.\n* Any activity that could lead to the disruption of our service (DoS).\n* Reports that include only crash dumps or other automated tool output without a proof of concept code.\n* Open ports scanning, banner grabbing, software version disclosure issues.\n* **MITM attacks on secure connection** and “Mixed Content” issues are out of scope.\n* Vulnerabilities that require root-level or physical access on a targeted device are out 
of scope.\n* Issues that affect only outdated user agents or unsupported platforms.\n* Issues related to the missing address bar in Desktop Editor.\n\n## Non-Qualifying best practices\n\n* Missing cookie flags on non-authentication cookies.\n* Missing best practices in DNS configuration (e.g. DKIM/DMARC/SPF/TXT).\n* Missing best practices in SSL/TLS configuration.\n* Missing best practices in Content Security Policy (CSP) or lack of other security-related headers.\n* Leakage of sensitive tokens (e.g., reset password token) to trusted third parties on secure connection (HTTPS).\n\n## Non-Qualifying (business) issues\n\n* Institution access code enumeration or demonstrating access codes leaked in Internet forums.\n* Credential re-usage from public dumps.\n* UUID enumeration of any kind.\n* Ability to determine if a username or email has a Grammarly account, also known as an account oracle.\n* Signing up with multiple accounts to abuse referral code usage.\n* Password length, complexity, and re-use requirements.\n* Email verification feature.\n* Sharing Premium accounts with other users isn't considered a monetary impact.\n\nThank you for helping keep Grammarly and our users safe!\n​\n## Consequences of Complying with This Policy aka Safe Harbor\n\nWe will not pursue a civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistently with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Acceptable Use Policy, we waive those restrictions for the limited purpose of permitting security research under this policy. 
We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n​\nIf legal action is initiated by a third party against you and you have complied with Grammarly’s bug bounty policy, Grammarly will take steps to make it known that your actions were conducted in compliance with this policy.\n​\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-02-03T12:48:50.316Z"},{"id":3620809,"new_policy":"Security and privacy is a core concept for Grammarly. Grammarly looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n# Rules for us\n\n- We respect the time and effort of our researchers.\n- We will respond **within 3 business days**.\n- We will try to make a bounty determination **after validating** a legitimate security issue **within 10 business days**.\n- We will not take legal action against you for playing by these rules.\n- We will do our best to keep you informed about our progress throughout the process.\n- We will not respond to threats or negotiate under duress.\n\n# Rules for you\n\n* Be an ethical hacker.\n* Respect other users’ privacy: only interact with Grammarly accounts you own or with the explicit permission of the account holder.\n* Make a good-faith effort to avoid testing that would result in privacy violations, destruction of data or interruption or degradation of our service.\n* Let us know as soon as possible upon discovery of a potential security issue.\n* Contact us immediately if you do inadvertently encounter user data. 
Do not view, alter, save, store, transfer, or otherwise access the data and immediately purge any local information upon reporting the vulnerability to Grammarly. \n* Follow [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n* We reserve the right to disqualify individuals from the program for disrespectful or disruptive behavior.\n\n# Scope\n\n## Focus Scope\n\nGrammarly is particularly interested in testing our **Native apps and clients, Desktop Editors, Mobile Keyboards, Add-On for Microsoft Word and Outlook**.\n \nVulnerabilities in Grammarly Mobile Keyboard for Android with a working proof of concept may qualify for an additional bounty through the [Google Play Security Rewards Program](https://hackerone.com/googleplay). To see which vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s [Vulnerability Criteria](https://hackerone.com/googleplay).\n\n### Native apps and clients\n\n* __Browser Extensions for Chrome, Safari, Firefox, Edge__ - A browser extension that's compatible with the supported versions of Chrome, Safari, Firefox, and Edge.\n​\n* __Desktop Editors for Microsoft Windows and MacOS__ – our Electron-powered desktop application for [macOS](https://www.grammarly.com/native/mac) and [Windows](https://www.grammarly.com/native/windows).\n​\n* __Add-On for Microsoft Word and Outlook__ - [Grammarly add-on](https://www.grammarly.com/office-addin/windows) for MS Word and Outlook for Windows. 
\n​\n* __Mobile keyboards and applications for Android and iOS__ – our mobile apps and keyboards.\n\n## Standard Scope\n\nAll other assets listed in our “In Scope” table.\n\n# Rewards\n\n- When duplicates (including internally known issues) occur, we only award the first report that we receive.\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- Our rewards are based on the **impact** of a vulnerability, **attack requirements** and **scenario**.\n- We will try to conform with CVSSv3. However, certain exclusions might be possible.\n- The final reward decisions are up to the discretion of Grammarly.\n- We may calculate the severity and rewards of particular vulnerabilities in our client apps and web applications based on our User Agents and clients statistics.\n- If **your report pointed** our internal security team to a more severe bug, we will calculate your reward based **on the most severe bug we found internally.**\n- A report might be rewarded retroactively for a limited amount of time on a case-by-case basis.\n- We may award a Grammarly Premium account for particular \"Informative\" or \"Low\" severity bugs.\n* **Clearness of your report reflects the potential reward:** If your report isn't clear enough (e.g., lacks proof of concept code), it may lower the bounty, despite the severity of the found issue. *This rule works vice versa too!*\n\n## Recommendations for reporting\n\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n- Multiple chained vulnerabilities submitted as one report will qualify for one bigger bounty. 
If you submit multiple linked vulnerabilities as different reports, we will award every vulnerability individually!\n- Reports that include proof of concept code will be more likely to be accepted.\n\n## Public disclosure\n\n- Public disclosure of the vulnerability prior to resolution may cancel a pending reward.\n- We reserve the right to not disclose the report or to disclose it only partially. (We may do this if the original report includes password hashes, config files, proprietary source code, any internal info, etc.)\n- We encourage public disclosure of your findings in our program!\n- We'd like to help out with your **write-ups about publicly disclosed bugs**. Feel free to send your write-up to security@grammarly.com!\n\n# Non-Qualifying Vulnerabilities\n\n- Report about any vulnerability from the exclusion list below will most likely be closed as \"N/A\".\n- Submitting multiple N/A reports may result in you being excluded from participating in our program.\n\n## Common vulnerabilities excluded from the scope\n\n* Social engineering (e.g., phishing, vishing, smishing) of Grammarly employees and users is strictly prohibited.\n* Clickjacking, CSRF, Content spoofing issues without demonstrable security impact.\n* CSV injection.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Stack traces, path disclosure, and directory listings.\n* Self-XSS or having a user paste JavaScript into the browser console.\n* Vulnerabilities in outdated versions of Grammarly software.\n* Issues relating to non-Grammarly products.\n* Any activity that could lead to the disruption of our service (DoS).\n* Reports that include only crash dumps or other automated tool output without a proof of concept code.\n* Open ports scanning, banner grabbing, software version disclosure issues.\n* **MITM attacks on secure connection** and “Mixed Content” issues are out of scope.\n* Vulnerabilities that require root-level or physical access on a targeted device are out 
of scope.\n* Issues that affect only outdated user agents or unsupported platforms.\n* Issues related to the missing address bar in Desktop Editor.\n* Only **remotely exploitable** issues in Desktop Editor are eligible for reporting.\n\n## Non-Qualifying best practices\n\n* Missing cookie flags on non-authentication cookies.\n* Missing best practices in DNS configuration (e.g. DKIM/DMARC/SPF/TXT).\n* Missing best practices in SSL/TLS configuration.\n* Missing best practices in Content Security Policy (CSP) or lack of other security-related headers.\n* Leakage of sensitive tokens (e.g., reset password token) to trusted third parties on secure connection (HTTPS).\n\n## Non-Qualifying (business) issues\n\n* Institution access code enumeration or demonstrating access codes leaked in Internet forums.\n* Credential re-usage from public dumps.\n* UUID enumeration of any kind.\n* Ability to determine if a username or email has a Grammarly account, also known as an account oracle.\n* Signing up with multiple accounts to abuse referral code usage.\n* Password length, complexity, and re-use requirements.\n* Email verification feature.\n* Sharing Premium accounts with other users isn't considered a monetary impact.\n\nThank you for helping keep Grammarly and our users safe!\n​\n## Consequences of Complying with This Policy aka Safe Harbor\n\nWe will not pursue a civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistently with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Acceptable Use Policy, we waive those restrictions for the limited purpose of permitting security research under this policy. 
We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n​\nIf legal action is initiated by a third party against you and you have complied with Grammarly’s bug bounty policy, Grammarly will take steps to make it known that your actions were conducted in compliance with this policy.\n​\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-10-09T01:51:14.120Z"},{"id":3620808,"new_policy":"Security and privacy is a core concept for Grammarly. Grammarly looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n# Rules for us\n\n- We respect the time and effort of our researchers.\n- We will respond **within 3 business days**.\n- We will try to make a bounty determination **after validating** a legitimate security issue **within 10 business days**.\n- We will not take legal action against you for playing by these rules.\n- We will do our best to keep you informed about our progress throughout the process.\n- We will not respond to threats or negotiate under duress.\n\n# Rules for you\n\n* Be an ethical hacker.\n* Respect other users’ privacy: only interact with Grammarly accounts you own or with the explicit permission of the account holder.\n* Make a good-faith effort to avoid testing that would result in privacy violations, destruction of data or interruption or degradation of our service.\n* Let us know as soon as possible upon discovery of a potential security issue.\n* Contact us immediately if you do inadvertently encounter user data. 
Do not view, alter, save, store, transfer, or otherwise access the data and immediately purge any local information upon reporting the vulnerability to Grammarly. \n* Follow [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n* We reserve the right to disqualify individuals from the program for disrespectful or disruptive behavior.\n\n# Scope\n\n## Focus Scope\n\nGrammarly is particularly interested in testing our **Native apps and clients, Desktop Editors, Mobile Keyboards, Add-On for Microsoft Word and Outlook**.\n \nVulnerabilities in Grammarly Mobile Keyboard for Android with a working proof of concept may qualify for an additional bounty through the [Google Play Security Rewards Program](https://hackerone.com/googleplay). To see which vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s [Vulnerability Criteria](https://hackerone.com/googleplay).\n\n### Native apps and clients\n\n* __Browser Extensions for Chrome, Safari, Firefox, Edge__ - A browser extension that's compatible with the supported versions of Chrome, Safari, Firefox, and Edge.\n​\n* __Desktop Editors for Microsoft Windows and MacOS__ – our Electron-powered desktop application for [macOS](https://www.grammarly.com/native/mac) and [Windows](https://www.grammarly.com/native/windows).\n​\n* __Add-On for Microsoft Word and Outlook__ - [Grammarly add-on](https://www.grammarly.com/office-addin/windows) for MS Word and Outlook for Windows. \n​\n* __Mobile keyboards and applications for Android and iOS__ – our mobile apps and keyboards.\n\n## Standard Scope\n\nAll other assets listed in our “In Scope” table.\n\n### Note about `grammarly.ai`\n\nWe’re already aware of certain issues found in `grammarly.ai`.\n\u003e This service doesn't handle, store or transfer any internal data or data of our users. 
Additionally, it is located in a separate VPC and isn't part of our infrastructure.\nWe accept only **critical submissions**(SSRF, XXE, SQLi, RCE) with a clearly reproducible **proof of concept code**.\n​\n\u003e _Reports that don't match these criteria will be closed as \"N/A\"._ \n\n# Rewards\n\n- When duplicates (including internally known issues) occur, we only award the first report that we receive.\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- Our rewards are based on the **impact** of a vulnerability, **attack requirements** and **scenario**.\n- We will try to conform with CVSSv3. However, certain exclusions might be possible.\n- The final reward decisions are up to the discretion of Grammarly.\n- We may calculate the severity and rewards of particular vulnerabilities in our client apps and web applications based on our User Agents and clients statistics.\n- If **your report pointed** our internal security team to a more severe bug, we will calculate your reward based **on the most severe bug we found internally.**\n- A report might be rewarded retroactively for a limited amount of time on a case-by-case basis.\n- We may award a Grammarly Premium account for particular \"Informative\" or \"Low\" severity bugs.\n* **Clearness of your report reflects the potential reward:** If your report isn't clear enough (e.g., lacks proof of concept code), it may lower the bounty, despite the severity of the found issue. *This rule works vice versa too!*\n\n## Recommendations for reporting\n\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n- Multiple chained vulnerabilities submitted as one report will qualify for one bigger bounty. 
If you submit multiple linked vulnerabilities as different reports, we will award every vulnerability individually!\n- Reports that include proof of concept code will be more likely to be accepted.\n\n## Public disclosure\n\n- Public disclosure of the vulnerability prior to resolution may cancel a pending reward.\n- We reserve the right to not disclose the report or to disclose it only partially. (We may do this if the original report includes password hashes, config files, proprietary source code, any internal info, etc.)\n- We encourage public disclosure of your findings in our program!\n- We'd like to help out with your **write-ups about publicly disclosed bugs**. Feel free to send your write-up to security@grammarly.com!\n\n# Non-Qualifying Vulnerabilities\n\n- A report about any vulnerability from the exclusion list below will most likely be closed as \"N/A\".\n- Submitting multiple N/A reports may result in you being excluded from participating in our program.\n\n## Common vulnerabilities excluded from the scope\n\n* Social engineering (e.g., phishing, vishing, smishing) of Grammarly employees and users is strictly prohibited.\n* Clickjacking, CSRF, or content spoofing issues without demonstrable security impact.\n* CSV injection.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Stack traces, path disclosure, and directory listings.\n* Self-XSS or having a user paste JavaScript into the browser console.\n* Vulnerabilities in outdated versions of Grammarly software.\n* Issues relating to non-Grammarly products.\n* Any activity that could lead to the disruption of our service (DoS).\n* Reports that include only crash dumps or other automated tool output without proof of concept code.\n* Open port scanning, banner grabbing, software version disclosure issues.\n* **MITM attacks on secure connection** and “Mixed Content” issues are out of scope.\n* Vulnerabilities that require root-level or physical access on a targeted device are out 
of scope.\n* Issues that affect only outdated user agents or unsupported platforms.\n* Issues related to the missing address bar in Desktop Editor.\n* Only **remotely exploitable** issues in Desktop Editor are eligible for reporting.\n\n## Non-Qualifying best practices\n\n* Missing cookie flags on non-authentication cookies.\n* Missing best practices in DNS configuration (e.g. DKIM/DMARC/SPF/TXT).\n* Missing best practices in SSL/TLS configuration.\n* Missing best practices in Content Security Policy (CSP) or lack of other security-related headers.\n* Leakage of sensitive tokens (e.g., reset password token) to trusted third parties on secure connection (HTTPS).\n\n## Non-Qualifying (business) issues\n\n* Institution access code enumeration or demonstrating access codes leaked in Internet forums.\n* Credential re-usage from public dumps.\n* UUID enumeration of any kind.\n* Ability to determine if a username or email has a Grammarly account, also known as an account oracle.\n* Signing up with multiple accounts to abuse referral code usage.\n* Password length, complexity, and re-use requirements.\n* Email verification feature.\n* Sharing Premium accounts with other users isn't considered a monetary impact.\n\nThank you for helping keep Grammarly and our users safe!\n​\n## Consequences of Complying with This Policy aka Safe Harbor\n\nWe will not pursue a civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistently with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Acceptable Use Policy, we waive those restrictions for the limited purpose of permitting security research under this policy. 
We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n​\nIf legal action is initiated by a third party against you and you have complied with Grammarly’s bug bounty policy, Grammarly will take steps to make it known that your actions were conducted in compliance with this policy.\n​\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-10-09T01:45:38.892Z"},{"id":3620807,"new_policy":"Security and privacy is a core concept for Grammarly. Grammarly looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n# Rules for us\n\n- We respect the time and effort of our researchers.\n- We will respond **within 3 business days**.\n- We will try to make a bounty determination **after validating** a legitimate security issue **within 10 business days**.\n- We will not take legal action against you for playing by these rules.\n- We will do our best to keep you informed about our progress throughout the process.\n- We will not respond to threats or negotiate under duress.\n\n# Rules for you\n\n* Be an ethical hacker.\n* Respect other users’ privacy: only interact with Grammarly accounts you own or with the explicit permission of the account holder.\n* Make a good-faith effort to avoid testing that would result in privacy violations, destruction of data or interruption or degradation of our service.\n* Let us know as soon as possible upon discovery of a potential security issue.\n* Contact us immediately if you do inadvertently encounter user data. 
Do not view, alter, save, store, transfer, or otherwise access the data and immediately purge any local information upon reporting the vulnerability to Grammarly. \n* Follow [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n* We reserve the right to disqualify individuals from the program for disrespectful or disruptive behavior.\n\n# Scope\n\n## Focus Scope\n\nGrammarly is particularly interested in testing our **Native apps and clients, Desktop Editors, Mobile Keyboards, Add-On for Microsoft Word and Outlook**.\n \nVulnerabilities in Grammarly Mobile Keyboard for Android with a working proof of concept may qualify for an additional bounty through the [Google Play Security Rewards Program](https://hackerone.com/googleplay). To see which vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s [Vulnerability Criteria](https://hackerone.com/googleplay).\n\n### Native apps and clients\n\n* __Browser Extensions for Chrome, Safari, Firefox, Edge__ - A browser extension that's compatible with the supported versions of Chrome, Safari, Firefox, and Edge.\n​\n* __Desktop Editors for Microsoft Windows and MacOS__ – our Electron-powered desktop application for [macOS](https://www.grammarly.com/native/mac) and [Windows](https://www.grammarly.com/native/windows).\n​\n* __Add-On for Microsoft Word and Outlook__ - [Grammarly add-on](https://www.grammarly.com/office-addin/windows) for MS Word and Outlook for Windows. 
\n\n* __Mobile keyboards and applications for Android and iOS__ – our mobile apps and keyboards.\n\n## Standard Scope\n\nAll other assets listed in our “In Scope” table:\n- `capi.grammarly.com`\n- `data.grammarly.com`\n- `felog.grammarly.com`\n- `gnar.grammarly.com`\n- `app.grammarly.com`\n- `admin-panel.grammarly.com`\n- `irbis.grammarly.com`\n- `subscription.grammarly.com`\n- `institution.grammarly.com`\n- `www.grammarly.com`\n- `dox.grammarly.com`\n- `auth.grammarly.com`\n- `datareport.grammarly.com`\n- `proofit.com` and `*.proofit.com`\n- `grammarly.net` and `*.grammarly.net`\n- `grammarly.io` and `*.grammarly.io`\n- `food.grammarly.io`\n\n### Exclusions from the scope:\n\n- `anagram.grammarly.io` - out of scope.\n\n### Note about `grammarly.ai`\n\nWe’re already aware of certain issues found in `grammarly.ai`.\n\u003e This service doesn't handle, store or transfer any internal data or data of our users. Additionally, it is located in a separate VPC and isn't part of our infrastructure.\nWe accept only **critical submissions** (SSRF, XXE, SQLi, RCE) with clearly reproducible **proof of concept code**.\n\n\u003e _Reports that don't match these criteria will be closed as \"N/A\"._ \n\n### Note about `Office Add-In`\n\nVulnerabilities are eligible for submission if they’re reproducible on **any version of** Word/Outlook on Windows 10 with **all latest security patches applied**. The vulnerability should be tested on a system without additional SDKs and development kits. We cover your expenses on a Word/Outlook license if the report appears to be valid.\n\n# Rewards\n\n- When duplicates (including internally known issues) occur, we only award the first report that we receive.\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- Our rewards are based on the **impact** of a vulnerability, **attack requirements** and **scenario**.\n- We will try to conform with CVSSv3. 
However, certain exclusions might be possible.\n- The final reward decisions are up to the discretion of Grammarly.\n- We may calculate the severity and rewards of particular vulnerabilities in our client apps and web applications based on our User Agent and client statistics.\n- If **your report pointed** our internal security team to a more severe bug, we will calculate your reward based **on the most severe bug we found internally.**\n- A report might be rewarded retroactively for a limited amount of time on a case-by-case basis.\n- We may award a Grammarly Premium account for particular \"Informative\" or \"Low\" severity bugs.\n- **Clarity of your report affects the potential reward:** If your report isn't clear enough (e.g., lacks proof of concept code), it may lower the bounty, despite the severity of the found issue. *This rule works vice versa too!*\n\n## Recommendations for reporting\n\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n- Multiple chained vulnerabilities submitted as one report will qualify for one bigger bounty. If you submit multiple linked vulnerabilities as different reports, we will award every vulnerability individually!\n- Reports that include proof of concept code will be more likely to be accepted.\n\n## Public disclosure\n\n- Public disclosure of the vulnerability prior to resolution may cancel a pending reward.\n- We reserve the right to not disclose the report or to disclose it only partially. (We may do this if the original report includes password hashes, config files, proprietary source code, any internal info, etc.)\n- We encourage public disclosure of your findings in our program!\n- We'd like to help out with your **write-ups about publicly disclosed bugs**. 
Feel free to send your write-up to security@grammarly.com!\n\n# Non-Qualifying Vulnerabilities\n\n- A report about any vulnerability from the exclusion list below will most likely be closed as \"N/A\".\n- Submitting multiple N/A reports may result in you being excluded from participating in our program.\n\n## Common vulnerabilities excluded from the scope\n\n* Social engineering (e.g., phishing, vishing, smishing) of Grammarly employees and users is strictly prohibited.\n* Clickjacking, CSRF, or content spoofing issues without demonstrable security impact.\n* CSV injection.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Stack traces, path disclosure, and directory listings.\n* Self-XSS or having a user paste JavaScript into the browser console.\n* Vulnerabilities in outdated versions of Grammarly software.\n* Issues relating to non-Grammarly products.\n* Any activity that could lead to the disruption of our service (DoS).\n* Reports that include only crash dumps or other automated tool output without proof of concept code.\n* Open port scanning, banner grabbing, software version disclosure issues.\n* **MITM attacks on secure connection** and “Mixed Content” issues are out of scope.\n* Vulnerabilities that require root-level or physical access on a targeted device are out of scope.\n* Issues that affect only outdated user agents or unsupported platforms.\n* Issues related to the missing address bar in Desktop Editor.\n* Only **remotely exploitable** issues in Desktop Editor are eligible for reporting.\n\n## Non-Qualifying best practices\n\n* Missing cookie flags on non-authentication cookies.\n* Missing best practices in DNS configuration (e.g. 
DKIM/DMARC/SPF/TXT).\n* Missing best practices in SSL/TLS configuration.\n* Missing best practices in Content Security Policy (CSP) or lack of other security-related headers.\n* Leakage of sensitive tokens (e.g., reset password token) to trusted third parties on secure connection (HTTPS).\n\n## Non-Qualifying (business) issues\n\n* Institution access code enumeration or demonstrating access codes leaked in Internet forums.\n* Credential re-usage from public dumps.\n* UUID enumeration of any kind.\n* Ability to determine if a username or email has a Grammarly account, also known as an account oracle.\n* Signing up with multiple accounts to abuse referral code usage.\n* Password length, complexity, and re-use requirements.\n* Email verification feature.\n* Sharing Premium accounts with other users isn't considered a monetary impact.\n\nThank you for helping keep Grammarly and our users safe!\n​\n\n## Consequences of Complying with This Policy aka Safe Harbor\n\nWe will not pursue a civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistently with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Acceptable Use Policy, we waive those restrictions for the limited purpose of permitting security research under this policy. 
We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n​\nIf legal action is initiated by a third party against you and you have complied with Grammarly’s bug bounty policy, Grammarly will take steps to make it known that your actions were conducted in compliance with this policy.\n​\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-10-09T00:56:30.345Z"},{"id":3618039,"new_policy":"Security and privacy is a core concept for Grammarly. Grammarly looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n# Rules for us\n\n- We respect the time and effort of our researchers.\n- We will respond **within 3 business days**.\n- We will try to make a bounty determination **after validating** a legitimate security issue **within 10 business days**.\n- We will not take legal action against you for playing by these rules.\n- We will do our best to keep you informed about our progress throughout the process.\n- We will not respond to threats or negotiate under duress.\n\n# Rules for you\n\n* Be an ethical hacker.\n* Respect other users’ privacy: only interact with Grammarly accounts you own or with the explicit permission of the account holder.\n* Make a good-faith effort to avoid testing that would result in privacy violations, destruction of data or interruption or degradation of our service.\n* Let us know as soon as possible upon discovery of a potential security issue.\n* Contact us immediately if you do inadvertently encounter user data. 
Do not view, alter, save, store, transfer, or otherwise access the data and immediately purge any local information upon reporting the vulnerability to Grammarly. \n* Follow [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n* We reserve the right to disqualify individuals from the program for disrespectful or disruptive behavior.\n\n# Scope\n\n## Focus Scope\n\nGrammarly is particularly interested in testing our **Native apps and clients, Desktop Editors, Mobile Keyboards, Add-On for Microsoft Word and Outlook**.\n \nVulnerabilities in Grammarly Mobile Keyboard for Android with a working proof of concept may qualify for an additional bounty through the [Google Play Security Rewards Program](https://hackerone.com/googleplay). To see which vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s [Vulnerability Criteria](https://hackerone.com/googleplay).\n\n### Native apps and clients\n\n* __Browser Extensions for Chrome, Safari, Firefox, Edge__ - A browser extension that's compatible with the supported versions of Chrome, Safari, Firefox, and Edge.\n​\n* __Desktop Editors for Microsoft Windows and MacOS__ – our Electron-powered desktop application for [macOS](https://www.grammarly.com/native/mac) and [Windows](https://www.grammarly.com/native/windows) where users can write and manage their documents as well as configure account settings.\n​\n* __Add-On for Microsoft Word and Outlook__ - [Grammarly add-on](https://www.grammarly.com/office-addin/windows) for MS Word and Outlook for Windows. 
\n\n* __Mobile keyboards and applications for Android and iOS__ – our mobile apps and keyboards.\n\n## Standard Scope\n\nAll other assets listed in our “In Scope” table:\n- `capi.grammarly.com`\n- `data.grammarly.com`\n- `felog.grammarly.com`\n- `gnar.grammarly.com`\n- `app.grammarly.com`\n- `admin-panel.grammarly.com`\n- `irbis.grammarly.com`\n- `subscription.grammarly.com`\n- `institution.grammarly.com`\n- `www.grammarly.com`\n- `dox.grammarly.com`\n- `auth.grammarly.com`\n- `datareport.grammarly.com`\n- `proofit.com` and `*.proofit.com`\n- `grammarly.net` and `*.grammarly.net`\n- `grammarly.io` and `*.grammarly.io`\n- `food.grammarly.io`\n\n### Exclusions from the scope:\n\n- `anagram.grammarly.io` - out of scope.\n\n### Note about `grammarly.ai`\n\nWe’re already aware of certain issues found in `grammarly.ai`.\n\u003e This service doesn't handle, store or transfer any internal data or data of our users. Additionally, it is located in a separate VPC and isn't part of our infrastructure.\nWe accept only **critical submissions** (SSRF, XXE, SQLi, RCE) with clearly reproducible **proof of concept code**.\n\n\u003e _Reports that don't match these criteria will be closed as \"N/A\"._ \n\n### Note about `Office Add-In`\n\nVulnerabilities are eligible for submission if they’re reproducible on **any version of** Word/Outlook on Windows 7/10 with **all latest security patches applied**. The vulnerability should be tested on a system without additional SDKs and development kits. We cover your expenses on a Word/Outlook license if the report appears to be valid.\n\n# Rewards\n\n- When duplicates (including internally known issues) occur, we only award the first report that we receive.\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- Our rewards are based on the **impact** of a vulnerability, **attack requirements** and **scenario**.\n- We will try to conform with CVSSv3. 
However, certain exclusions might be possible.\n- The final reward decisions are up to the discretion of Grammarly.\n- We may calculate the severity and rewards of particular vulnerabilities in our client apps and web applications based on our User Agent and client statistics.\n- If **your report pointed** our internal security team to a more severe bug, we will calculate your reward based **on the most severe bug we found internally.**\n- A report might be rewarded retroactively for a limited amount of time on a case-by-case basis.\n- We may award a Grammarly Premium account for particular \"Informative\" or \"Low\" severity bugs.\n- **Clarity of your report affects the potential reward:** If your report isn't clear enough (e.g., lacks proof of concept code), it may lower the bounty, despite the severity of the found issue. *This rule works vice versa too!*\n\n## Recommendations for reporting\n\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n- Multiple chained vulnerabilities submitted as one report will qualify for one bigger bounty. If you submit multiple linked vulnerabilities as different reports, we will award every vulnerability individually! Please remember this.\n- Reports that include proof of concept code will be more likely to be accepted.\n- Include how you found the bug, the impact, and any potential remediation. \n\n## Public disclosure\n\n- Public disclosure of the vulnerability prior to resolution may cancel a pending reward.\n- We reserve the right to not disclose the report or to disclose it only partially. (We may do this if the original report includes password hashes, config files, proprietary source code, any internal info, etc.)\n- We encourage public disclosure of your findings in our program!\n- We'd like to help out with your **write-ups about publicly disclosed bugs**. 
Feel free to send your write-up to security@grammarly.com!\n\n# Non-Qualifying Vulnerabilities\n\n- A report about any vulnerability from the exclusion list below will most likely be closed as \"N/A\".\n- Submitting multiple N/A reports may result in you being excluded from participating in our program.\n\n## Common vulnerabilities excluded from the scope\n\n* Social engineering (e.g., phishing, vishing, smishing) of Grammarly employees and users is strictly prohibited.\n* Clickjacking on pages without demonstrable impact (e.g. account takeover).\n* CSRF with minimal security implications (logout CSRF, etc.).\n* Content spoofing issues without showing an attack vector and without being able to modify both HTML and CSS.\n* CSV injection.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Stack traces, path disclosure, and directory listings.\n* Self-XSS or having a user paste JavaScript into the browser console.\n* Vulnerabilities in outdated versions of Grammarly software.\n* Issues relating to buggy non-Grammarly client software.\n* Vulnerabilities that rely on installed outdated third-party software (e.g. Windows 7, Flash, Java applets, and similar deprecated technologies) will be triaged as \"Low\" for critical actions and \"Informative\" for non-critical ones.\n* Reports that affect only outdated user agents or platforms. 
We only consider exploits in the latest versions for Safari, Firefox, Chrome, Edge, supported Android (Android \u003e 5.0) and iOS versions (iOS \u003e 10).\n* DLL hijacking vulnerability in Desktop Editor reproducible on deprecated platforms (e.g., Windows 7).\n* Any activity that could lead to the disruption of our service (DoS).\n* Reports that include only crash dumps or other automated tool output without proof of concept code.\n* Open port scanning, banner grabbing, software version disclosure issues.\n* **MITM attacks on secure connection** and “Mixed Content” issues are out of scope.\n* Issues related to the missing address bar in Grammarly Desktop Editor. We’re aware of this issue affecting Electron apps serving web pages.\n* Vulnerabilities that require root-level or physical access on a targeted device are out of scope.\n\n## Non-Qualifying best practices\n\n* Missing cookie flags on non-authentication cookies.\n* Missing best practices in DNS configuration (e.g. DKIM/DMARC/SPF/TXT).\n* Missing best practices in SSL/TLS configuration.\n* Missing best practices in Content Security Policy (CSP) or lack of other security-related headers.\n* Leakage of sensitive tokens (e.g., reset password token) to trusted third parties on secure connection (HTTPS).\n\n## Non-Qualifying (business) issues\n\n* Institution access code enumeration or demonstrating access codes leaked in Internet forums.\n* Credential re-usage from public dumps.\n* UUID enumeration of any kind.\n* Ability to determine if a username or email has a Grammarly account, also known as an account oracle.\n* Signing up with multiple accounts to abuse referral code usage.\n* Password length, complexity, and re-use requirements.\n* Email verification feature.\n* Sharing Premium accounts with other users isn't considered a monetary impact.\n\nThank you for helping keep Grammarly and our users safe!\n\n## Consequences of Complying with This Policy aka Safe Harbor\n\nWe will not pursue a civil action 
or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistently with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Acceptable Use Policy, we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n​\nIf legal action is initiated by a third party against you and you have complied with Grammarly’s bug bounty policy, Grammarly will take steps to make it known that your actions were conducted in compliance with this policy.\n​\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-09-04T12:31:26.456Z"},{"id":3617828,"new_policy":"Security and privacy is a core concept for Grammarly. Grammarly looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. 
\n\n# Rules for us\n\n- We respect the time and effort of our researchers.\n- We will respond **within 3 business days**.\n- We will try to make a bounty determination **after validating** a legitimate security issue **within 10 business days**.\n- We will not take legal action against you for playing by these rules.\n- We will do our best to keep you informed about our progress throughout the process.\n- We will not respond to threats or negotiate under duress.\n\n# Rules for you\n\n* Be an ethical hacker.\n* Respect other users’ privacy: only interact with Grammarly accounts you own or with the explicit permission of the account holder.\n* Make a good-faith effort to avoid testing that would result in privacy violations, destruction of data or interruption or degradation of our service.\n* Let us know as soon as possible upon discovery of a potential security issue.\n* Contact us immediately if you do inadvertently encounter user data. Do not view, alter, save, store, transfer, or otherwise access the data and immediately purge any local information upon reporting the vulnerability to Grammarly. \n* Follow [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n* We reserve the right to disqualify individuals from the program for disrespectful or disruptive behavior.\n\n# Scope\n\n## Focus Scope\n\nGrammarly is particularly interested in testing our **Native apps and clients, Desktop Editors, Mobile Keyboards, Add-On for Microsoft Word and Outlook**.\n \nVulnerabilities in Grammarly Mobile Keyboard for Android with a working proof of concept may qualify for an additional bounty through the [Google Play Security Rewards Program](https://hackerone.com/googleplay). 
To see which vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s [Vulnerability Criteria](https://hackerone.com/googleplay).\n\n### Native apps and clients\n\n* __Browser Extensions for Chrome, Safari, Firefox, Edge__ - A browser extension that's compatible with the supported versions of Chrome, Safari, Firefox, and Edge.\n​\n* __Desktop Editors for Microsoft Windows and MacOS__ – our Electron-powered desktop application for [macOS](https://www.grammarly.com/native/mac) and [Windows](https://www.grammarly.com/native/windows) where users can write and manage their documents as well as configure account settings.\n​\n* __Add-On for Microsoft Word and Outlook__ - [Grammarly add-on](https://www.grammarly.com/office-addin/windows) for MS Word and Outlook for Windows. \n​\n* __Mobile keyboards and applications for Android and iOS__ – our mobile apps and keyboards.\n\n## Standard Scope\n\nAll other assets listed in our “In Scope” table:\n- `capi.grammarly.com`\n- `data.grammarly.com`\n- `felog.grammarly.com`\n- `gnar.grammarly.com`\n- `app.grammarly.com`\n- `admin-panel.grammarly.com`\n- `irbis.grammarly.com`\n- `subscription.grammarly.com`\n- `institution.grammarly.com`\n- `www.grammarly.com`\n- `dox.grammarly.com`\n- `auth.grammarly.com`\n- `datareport.grammarly.com`\n- `proofit.com` and `*.proofit.com`\n- `grammarly.net` and `*.grammarly.net`\n- `grammarly.io` and `*.grammarly.io`\n- `food.grammarly.io`\n\n### Exclusions from the scope:\n\n- `anagram.grammarly.io` - out of scope.\n\n### Note about `grammarly.ai`\n\nWe’re already aware of certain issues found in `grammarly.ai`.\n\u003e This service doesn't handle, store or transfer any internal data or data of our users. 
Additionally, it is located in a separate VPC and isn't part of our infrastructure.\nWe accept only **critical submissions** (SSRF, XXE, SQLi, RCE) with clearly reproducible **proof of concept code**.\n\n\u003e _Reports that don't match these criteria will be closed as \"N/A\"._ \n\n### Note about `Office Add-In`\n\nVulnerabilities are eligible for submission if they’re reproducible on **any version of** Word/Outlook on Windows 7/10 with **all latest security patches applied**. The vulnerability should be tested on a system without additional SDKs and development kits. We cover your expenses on a Word/Outlook license if the report appears to be valid.\n\n# Rewards\n\n- When duplicates (including internally known issues) occur, we only award the first report that we receive.\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- Our rewards are based on the **impact** of a vulnerability, **attack requirements** and **scenario**.\n- We will try to conform with CVSSv3. However, certain exclusions might be possible.\n- The final reward decisions are up to the discretion of Grammarly.\n- We may calculate the severity and rewards of particular vulnerabilities in our client apps and web applications based on our User Agent and client statistics.\n- If **your report pointed** our internal security team to a more severe bug, we will calculate your reward based **on the most severe bug we found internally.**\n- A report might be rewarded retroactively for a limited amount of time on a case-by-case basis.\n- We may award a Grammarly Premium account for particular \"Informative\" or \"Low\" severity bugs.\n- **Clarity of your report affects the potential reward:** If your report isn't clear enough (e.g., lacks proof of concept code), it may lower the bounty, despite the severity of the found issue. 
*This rule works vice versa too!*\n\n## Recommendations for reporting\n\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n- Multiple chained vulnerabilities submitted as one report will qualify for one bigger bounty. If you submit multiple linked vulnerabilities as different reports, we will award every vulnerability individually! Please remember this.\n- Reports that include proof of concept code will be more likely to be accepted.\n- Include how you found the bug, the impact, and any potential remediation. \n\n## Public disclosure\n\n- Public disclosure of the vulnerability prior to resolution may cancel a pending reward.\n- We reserve the right to not disclose the report or to disclose it only partially. (We may do this if the original report includes password hashes, config files, proprietary source code, any internal info, etc.)\n- We encourage public disclosure of your findings in our program!\n- We'd like to help out with your **write-ups about publicly disclosed bugs**. Feel free to send your write-up to security@grammarly.com!\n\n# Non-Qualifying Vulnerabilities\n\n- A report about any vulnerability from the exclusion list below will most likely be closed as \"N/A\".\n- Submitting multiple N/A reports may result in you being excluded from participating in our program.\n\n## Common vulnerabilities excluded from the scope\n\n* Social engineering (e.g., phishing, vishing, smishing) of Grammarly employees and users is strictly prohibited.\n* Clickjacking on pages without demonstrable impact (e.g. 
account takeover).\n* CSRF with minimal security implications (logout CSRF, etc.).\n* Content spoofing issues without a demonstrated attack vector and without the ability to modify both HTML and CSS.\n* CSV injection.\n* Previously known vulnerable libraries without a working proof of concept.\n* Stack traces, path disclosure, and directory listings.\n* Self-XSS, or having a user paste JavaScript into the browser console.\n* Vulnerabilities in outdated versions of Grammarly software.\n* Issues relating to buggy non-Grammarly client software.\n* Vulnerabilities that rely on outdated third-party software being installed (e.g., Windows 7, Flash, Java applets, and similar deprecated technologies) will be triaged as \"Low\" for critical actions and \"Informative\" for non-critical ones.\n* Reports that affect only outdated user agents or platforms. We only consider exploits in the latest versions of Safari, Firefox, Chrome, and Edge, and on supported Android (Android \u003e 5.0) and iOS (iOS \u003e 10) versions.\n* DLL hijacking vulnerabilities in the Desktop Editor that are reproducible only on deprecated platforms (e.g., Windows 7).\n* Any activity that could lead to the disruption of our service (DoS).\n* Reports that include only crash dumps or other automated tool output without proof of concept code.\n* Open port scanning, banner grabbing, and software version disclosure.\n* **MITM attacks on secure connections** and “Mixed Content” issues.\n* Issues related to the missing address bar in the Grammarly Desktop Editor; we’re aware that this affects Electron apps that serve web pages.\n* Vulnerabilities that require root-level or physical access to the targeted mobile device.\n\n## Non-Qualifying best practices\n\n* Missing cookie flags on non-authentication cookies.\n* Missing best practices in DNS configuration (e.g. 
DKIM/DMARC/SPF/TXT).\n* Missing best practices in SSL/TLS configuration.\n* Missing best practices in Content Security Policy (CSP) or lack of other security-related headers.\n* Leakage of sensitive tokens (e.g., reset password token) to trusted third parties on secure connection (HTTPS).\n\n## Non-Qualifying (business) issues\n\n* Institution access code enumeration or demonstrating access codes leaked in Internet forums.\n* Credential re-usage from public dumps.\n* UUID enumeration of any kind.\n* Ability to determine if a username or email has a Grammarly account, also known as an account oracle.\n* Signing up with multiple accounts to abuse referral code usage.\n* Password length, complexity, and re-use requirements.\n* Email verification feature.\n* Sharing Premium accounts with other users isn't considered a monetary impact.\n\nThank you for helping keep Grammarly and our users safe!\n​\n\n## Consequences of Complying with This Policy aka Safe Harbor\n\nWe will not pursue a civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistently with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Acceptable Use Policy, we waive those restrictions for the limited purpose of permitting security research under this policy. 
We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n​\nIf legal action is initiated by a third party against you and you have complied with Grammarly’s bug bounty policy, Grammarly will take steps to make it known that your actions were conducted in compliance with this policy.\n​\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-09-02T08:23:18.442Z"},{"id":3617341,"new_policy":"Security and privacy is a core concept for Grammarly. Grammarly looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n# Rules for us\n\n- We respect the time and effort of our researchers.\n- We will respond **within 3 business days**.\n- We will try to make a bounty determination **after validating** a legitimate security issue **within 10 business days**.\n- We will not take legal action against you for playing by these rules.\n- We will do our best to keep you informed about our progress throughout the process.\n- We will not respond to threats or negotiate under duress.\n\n# Rules for you\n\n* Be an ethical hacker.\n* Respect other users’ privacy: only interact with Grammarly accounts you own or with the explicit permission of the account holder.\n* Make a good-faith effort to avoid testing that would result in privacy violations, destruction of data or interruption or degradation of our service.\n* Let us know as soon as possible upon discovery of a potential security issue.\n* Contact us immediately if you do inadvertently encounter user data. 
Do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local information upon reporting the vulnerability to Grammarly.\n* Follow [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n* We reserve the right to disqualify individuals from the program for disrespectful or disruptive behavior.\n* We accept reports from hackers with a Signal higher than 1.0.\n\n# Scope\n\n## MFA Promotion\n\nThe promotion will run until **September 1**.\n\nThe scope of this promotion includes any vulnerabilities related to Grammarly's MFA implementation. Any security bug that allows a bypass of MFA checks or impacts MFA backup codes, MFA settings, or MFA code validation is considered in scope for this promotion.\n\nYou can find documentation for our MFA implementation (REST API, rate limits, known limitations) [here](https://docs.google.com/document/d/1WEQo6gWDGvrbfrxmpu4eywq-o_InpZupmNnRw7TX0sQ/edit#).\n\n| Severity | Reward | Examples |\n|----------|--------|----------|\n| Low | $500 | |\n| Medium | $2,500 | |\n| High | $7,500 | Issuing backup codes on behalf of a particular user; bypassing MFA protection for sensitive actions like a password or email change |\n| Critical | $10,000 | Issuing backup codes on behalf of an arbitrary user, or another severe MFA bypass |\n\n## Focus Scope\n\nGrammarly is particularly interested in testing our **Native apps and clients, Desktop Editors, Mobile Keyboards, and the Add-On for Microsoft Word and Outlook**.\n\nVulnerabilities in the Grammarly Mobile Keyboard for Android with a working proof of concept may qualify for an additional bounty through the [Google Play Security Rewards Program](https://hackerone.com/googleplay). 
To see which vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s [Vulnerability Criteria](https://hackerone.com/googleplay).\n\n### Native apps and clients\n\n* __Browser Extensions for Chrome, Safari, Firefox, Edge__ - A browser extension that's compatible with the supported versions of Chrome, Safari, Firefox, and Edge.\n​\n* __Desktop Editors for Microsoft Windows and MacOS__ – our Electron-powered desktop application for [macOS](https://www.grammarly.com/native/mac) and [Windows](https://www.grammarly.com/native/windows) where users can write and manage their documents as well as configure account settings.\n​\n* __Add-On for Microsoft Word and Outlook__ - [Grammarly add-on](https://www.grammarly.com/office-addin/windows) for MS Word and Outlook for Windows. \n​\n* __Mobile keyboards and applications for Android and iOS__ – our mobile apps and keyboards.\n\n## Standard Scope\n\nAll other assets listed in our “In Scope” table:\n- `capi.grammarly.com`\n- `data.grammarly.com`\n- `felog.grammarly.com`\n- `gnar.grammarly.com`\n- `app.grammarly.com`\n- `admin-panel.grammarly.com`\n- `irbis.grammarly.com`\n- `subscription.grammarly.com`\n- `institution.grammarly.com`\n- `www.grammarly.com`\n- `dox.grammarly.com`\n- `auth.grammarly.com`\n- `datareport.grammarly.com`\n- `proofit.com` and `*.proofit.com`\n- `grammarly.net` and `*.grammarly.net`\n- `grammarly.io` and `*.grammarly.io`\n- `food.grammarly.io`\n\n### Exclusions from the scope:\n\n- `anagram.grammarly.io` - out of scope.\n\n### Note about `grammarly.ai`\n\nWe’re already aware of certain issues found in `grammarly.ai`.\n\u003e This service doesn't handle, store or transfer any internal data or data of our users. 
Additionally, it is located in a separate VPC and isn't part of our infrastructure.\nWe accept only **critical submissions** (SSRF, XXE, SQLi, RCE) with clearly reproducible **proof of concept code**.\n\n\u003e _Reports that don't match these criteria will be closed as \"N/A\"._ \n\n### Note about `Office Add-In`\n\nVulnerabilities are eligible for submission if they’re reproducible on **any version of** Word/Outlook on Windows 7/10 with **all latest security patches applied**. The vulnerability should be tested on a system without additional SDKs or development kits installed. We will cover the cost of a one-month Word/Outlook license if the report turns out to be valid.\n\n# Rewards\n\n- When duplicates (including internally known issues) occur, we only award the first report that we receive.\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- Our rewards are based on the **impact** of a vulnerability, its **attack requirements** and the **scenario**.\n- We will try to conform to CVSSv3; however, certain exclusions are possible.\n- The final reward decisions are at the discretion of Grammarly.\n- We may calculate the severity and rewards of particular vulnerabilities in our client apps and web applications based on our user-agent and client statistics.\n- If **your report pointed** our internal security team to a more severe bug, we will calculate your reward based **on the most severe bug we found internally.**\n- A report might be rewarded retroactively for a limited amount of time on a case-by-case basis.\n- We may award a Grammarly Premium account for particular \"Informative\" or \"Low\" severity bugs.\n- **Clarity of your report affects the potential reward:** If your report isn't clear enough (e.g., it lacks proof of concept code), the bounty may be lowered regardless of the severity of the issue found. 
*This rule works the other way round too: a clear report can raise it.*\n\n## Recommendations for reporting\n\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to demonstrate impact.\n- Multiple chained vulnerabilities submitted as one report will qualify for one bigger bounty. If you submit multiple linked vulnerabilities as separate reports, we will award each vulnerability individually. Please keep this in mind.\n- Reports that include proof of concept code are more likely to be accepted.\n- Include how you found the bug, its impact, and any potential remediation.\n\n## Public disclosure\n\n- Public disclosure of the vulnerability prior to resolution may cancel a pending reward.\n- We reserve the right not to disclose the report, or to disclose it only partially (for example, if the original report includes password hashes, config files, proprietary source code, or other internal information).\n- We encourage public disclosure of your findings in our program!\n- We'd like to help out with your **write-ups about publicly disclosed bugs**. Feel free to send your write-up to security@grammarly.com!\n\n# Non-Qualifying Vulnerabilities\n\n- Reports about any vulnerability from the exclusion list below will most likely be closed as \"N/A\".\n- Submitting multiple N/A reports may result in you being excluded from participating in our program.\n\n## Common vulnerabilities excluded from the scope\n\n* Social engineering (e.g., phishing, vishing, smishing) of Grammarly employees and users is strictly prohibited.\n* Clickjacking on pages without demonstrable impact (e.g. 
account takeover).\n* CSRF with minimal security implications (logout CSRF, etc.).\n* Content spoofing issues without a demonstrated attack vector and without the ability to modify both HTML and CSS.\n* CSV injection.\n* Previously known vulnerable libraries without a working proof of concept.\n* Stack traces, path disclosure, and directory listings.\n* Self-XSS, or having a user paste JavaScript into the browser console.\n* Vulnerabilities in outdated versions of Grammarly software.\n* Issues relating to buggy non-Grammarly client software.\n* Vulnerabilities that rely on outdated third-party software being installed (e.g., Windows 7, Flash, Java applets, and similar deprecated technologies) will be triaged as \"Low\" for critical actions and \"Informative\" for non-critical ones.\n* Reports that affect only outdated user agents or platforms. We only consider exploits in the latest versions of Safari, Firefox, Chrome, and Edge, and on supported Android (Android \u003e 5.0) and iOS (iOS \u003e 10) versions.\n* DLL hijacking vulnerabilities in the Desktop Editor that are reproducible only on deprecated platforms (e.g., Windows 7).\n* Any activity that could lead to the disruption of our service (DoS).\n* Reports that include only crash dumps or other automated tool output without proof of concept code.\n* Open port scanning, banner grabbing, and software version disclosure.\n* **MITM attacks on secure connections** and “Mixed Content” issues.\n* Issues related to the missing address bar in the Grammarly Desktop Editor; we’re aware that this affects Electron apps that serve web pages.\n* Vulnerabilities that require root-level or physical access to the targeted mobile device.\n\n## Non-Qualifying best practices\n\n* Missing cookie flags on non-authentication cookies.\n* Missing best practices in DNS configuration (e.g. 
DKIM/DMARC/SPF/TXT).\n* Missing best practices in SSL/TLS configuration.\n* Missing best practices in Content Security Policy (CSP) or lack of other security-related headers.\n* Leakage of sensitive tokens (e.g., reset password token) to trusted third parties on secure connection (HTTPS).\n\n## Non-Qualifying (business) issues\n\n* Institution access code enumeration or demonstrating access codes leaked in Internet forums.\n* Credential re-usage from public dumps.\n* UUID enumeration of any kind.\n* Ability to determine if a username or email has a Grammarly account, also known as an account oracle.\n* Signing up with multiple accounts to abuse referral code usage.\n* Password length, complexity, and re-use requirements.\n* Email verification feature.\n* Sharing Premium accounts with other users isn't considered a monetary impact.\n\nThank you for helping keep Grammarly and our users safe!\n​\n\n## Consequences of Complying with This Policy aka Safe Harbor\n\nWe will not pursue a civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistently with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Acceptable Use Policy, we waive those restrictions for the limited purpose of permitting security research under this policy. 
We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n​\nIf legal action is initiated by a third party against you and you have complied with Grammarly’s bug bounty policy, Grammarly will take steps to make it known that your actions were conducted in compliance with this policy.\n​\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-08-27T17:21:09.483Z"},{"id":3615288,"new_policy":"Security and privacy is a core concept for Grammarly. Grammarly looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n# Rules for us\n\n- We respect the time and effort of our researchers.\n- We will respond **within 3 business days**.\n- We will try to make a bounty determination **after validating** a legitimate security issue **within 10 business days**.\n- We will not take legal action against you for playing by these rules.\n- We will do our best to keep you informed about our progress throughout the process.\n- We will not respond to threats or negotiate under duress.\n\n# Rules for you\n\n* Be an ethical hacker.\n* Respect other users’ privacy: only interact with Grammarly accounts you own or with the explicit permission of the account holder.\n* Make a good-faith effort to avoid testing that would result in privacy violations, destruction of data or interruption or degradation of our service.\n* Let us know as soon as possible upon discovery of a potential security issue.\n* Contact us immediately if you do inadvertently encounter user data. 
Do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local information upon reporting the vulnerability to Grammarly.\n* Follow [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n* We reserve the right to disqualify individuals from the program for disrespectful or disruptive behavior.\n* We accept reports from hackers with a Signal higher than 1.0.\n\n# Scope\n\n## MFA Promotion\n\nThe promotion will run until **September 1**.\n\nThe scope of this promotion includes any vulnerabilities related to Grammarly's MFA implementation. Any security bug that allows a bypass of MFA checks or impacts MFA backup codes, MFA settings, or MFA code validation is considered in scope for this promotion.\n\nYou can find documentation for our MFA implementation (REST API, rate limits, known limitations) [here](https://docs.google.com/document/d/1WEQo6gWDGvrbfrxmpu4eywq-o_InpZupmNnRw7TX0sQ/edit#).\nTo participate in the promotion, please [submit this form](https://docs.google.com/forms/d/189-0ev6F5amB1TLyETh91aGv5wv5dvm08C2JTsaXZ5E/viewform). We’ll notify you via email once the MFA experiment is enabled for your account.\n\n| Severity | Reward | Examples |\n|----------|--------|----------|\n| Low | $500 | |\n| Medium | $2,500 | |\n| High | $7,500 | Issuing backup codes on behalf of a particular user; bypassing MFA protection for sensitive actions like a password or email change |\n| Critical | $10,000 | Issuing backup codes on behalf of an arbitrary user, or another severe MFA bypass |\n\n## Focus Scope\n\nGrammarly is particularly interested in testing our **Native apps and clients, Desktop Editors, Mobile Keyboards, and the Add-On for Microsoft Word and Outlook**.\n\nVulnerabilities in the Grammarly Mobile Keyboard for Android with a working proof of concept may qualify for an additional bounty through the [Google Play Security Rewards Program](https://hackerone.com/googleplay). 
To see which vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s [Vulnerability Criteria](https://hackerone.com/googleplay).\n\n### Native apps and clients\n\n* __Browser Extensions for Chrome, Safari, Firefox, Edge__ - A browser extension that's compatible with the supported versions of Chrome, Safari, Firefox, and Edge.\n​\n* __Desktop Editors for Microsoft Windows and MacOS__ – our Electron-powered desktop application for [macOS](https://www.grammarly.com/native/mac) and [Windows](https://www.grammarly.com/native/windows) where users can write and manage their documents as well as configure account settings.\n​\n* __Add-On for Microsoft Word and Outlook__ - [Grammarly add-on](https://www.grammarly.com/office-addin/windows) for MS Word and Outlook for Windows. \n​\n* __Mobile keyboards and applications for Android and iOS__ – our mobile apps and keyboards.\n\n## Standard Scope\n\nAll other assets listed in our “In Scope” table:\n- `capi.grammarly.com`\n- `data.grammarly.com`\n- `felog.grammarly.com`\n- `gnar.grammarly.com`\n- `app.grammarly.com`\n- `admin-panel.grammarly.com`\n- `irbis.grammarly.com`\n- `subscription.grammarly.com`\n- `institution.grammarly.com`\n- `www.grammarly.com`\n- `dox.grammarly.com`\n- `auth.grammarly.com`\n- `datareport.grammarly.com`\n- `proofit.com` and `*.proofit.com`\n- `grammarly.net` and `*.grammarly.net`\n- `grammarly.io` and `*.grammarly.io`\n- `food.grammarly.io`\n\n### Exclusions from the scope:\n\n- `anagram.grammarly.io` - out of scope.\n\n### Note about `grammarly.ai`\n\nWe’re already aware of certain issues found in `grammarly.ai`.\n\u003e This service doesn't handle, store or transfer any internal data or data of our users. 
Additionally, it is located in a separate VPC and isn't part of our infrastructure.\nWe accept only **critical submissions** (SSRF, XXE, SQLi, RCE) with clearly reproducible **proof of concept code**.\n\n\u003e _Reports that don't match these criteria will be closed as \"N/A\"._ \n\n### Note about `Office Add-In`\n\nVulnerabilities are eligible for submission if they’re reproducible on **any version of** Word/Outlook on Windows 7/10 with **all latest security patches applied**. The vulnerability should be tested on a system without additional SDKs or development kits installed. We will cover the cost of a one-month Word/Outlook license if the report turns out to be valid.\n\n# Rewards\n\n- When duplicates (including internally known issues) occur, we only award the first report that we receive.\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- Our rewards are based on the **impact** of a vulnerability, its **attack requirements** and the **scenario**.\n- We will try to conform to CVSSv3; however, certain exclusions are possible.\n- The final reward decisions are at the discretion of Grammarly.\n- We may calculate the severity and rewards of particular vulnerabilities in our client apps and web applications based on our user-agent and client statistics.\n- If **your report pointed** our internal security team to a more severe bug, we will calculate your reward based **on the most severe bug we found internally.**\n- A report might be rewarded retroactively for a limited amount of time on a case-by-case basis.\n- We may award a Grammarly Premium account for particular \"Informative\" or \"Low\" severity bugs.\n- **Clarity of your report affects the potential reward:** If your report isn't clear enough (e.g., it lacks proof of concept code), the bounty may be lowered regardless of the severity of the issue found. 
*This rule works the other way round too: a clear report can raise it.*\n\n## Recommendations for reporting\n\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to demonstrate impact.\n- Multiple chained vulnerabilities submitted as one report will qualify for one bigger bounty. If you submit multiple linked vulnerabilities as separate reports, we will award each vulnerability individually. Please keep this in mind.\n- Reports that include proof of concept code are more likely to be accepted.\n- Include how you found the bug, its impact, and any potential remediation.\n\n## Public disclosure\n\n- Public disclosure of the vulnerability prior to resolution may cancel a pending reward.\n- We reserve the right not to disclose the report, or to disclose it only partially (for example, if the original report includes password hashes, config files, proprietary source code, or other internal information).\n- We encourage public disclosure of your findings in our program!\n- We'd like to help out with your **write-ups about publicly disclosed bugs**. Feel free to send your write-up to security@grammarly.com!\n\n# Non-Qualifying Vulnerabilities\n\n- Reports about any vulnerability from the exclusion list below will most likely be closed as \"N/A\".\n- Submitting multiple N/A reports may result in you being excluded from participating in our program.\n\n## Common vulnerabilities excluded from the scope\n\n* Social engineering (e.g., phishing, vishing, smishing) of Grammarly employees and users is strictly prohibited.\n* Clickjacking on pages without demonstrable impact (e.g. 
account takeover).\n* CSRF with minimal security implications (logout CSRF, etc.).\n* Content spoofing issues without a demonstrated attack vector and without the ability to modify both HTML and CSS.\n* CSV injection.\n* Previously known vulnerable libraries without a working proof of concept.\n* Stack traces, path disclosure, and directory listings.\n* Self-XSS, or having a user paste JavaScript into the browser console.\n* Vulnerabilities in outdated versions of Grammarly software.\n* Issues relating to buggy non-Grammarly client software.\n* Vulnerabilities that rely on outdated third-party software being installed (e.g., Windows 7, Flash, Java applets, and similar deprecated technologies) will be triaged as \"Low\" for critical actions and \"Informative\" for non-critical ones.\n* Reports that affect only outdated user agents or platforms. We only consider exploits in the latest versions of Safari, Firefox, Chrome, and Edge, and on supported Android (Android \u003e 5.0) and iOS (iOS \u003e 10) versions.\n* DLL hijacking vulnerabilities in the Desktop Editor that are reproducible only on deprecated platforms (e.g., Windows 7).\n* Any activity that could lead to the disruption of our service (DoS).\n* Reports that include only crash dumps or other automated tool output without proof of concept code.\n* Open port scanning, banner grabbing, and software version disclosure.\n* **MITM attacks on secure connections** and “Mixed Content” issues.\n* Issues related to the missing address bar in the Grammarly Desktop Editor; we’re aware that this affects Electron apps that serve web pages.\n* Vulnerabilities that require root-level or physical access to the targeted mobile device.\n\n## Non-Qualifying best practices\n\n* Missing cookie flags on non-authentication cookies.\n* Missing best practices in DNS configuration (e.g. 
DKIM/DMARC/SPF/TXT).\n* Missing best practices in SSL/TLS configuration.\n* Missing best practices in Content Security Policy (CSP) or lack of other security-related headers.\n* Leakage of sensitive tokens (e.g., reset password token) to trusted third parties on secure connection (HTTPS).\n\n## Non-Qualifying (business) issues\n\n* Institution access code enumeration or demonstrating access codes leaked in Internet forums.\n* Credential re-usage from public dumps.\n* UUID enumeration of any kind.\n* Ability to determine if a username or email has a Grammarly account, also known as an account oracle.\n* Signing up with multiple accounts to abuse referral code usage.\n* Password length, complexity, and re-use requirements.\n* Email verification feature.\n* Sharing Premium accounts with other users isn't considered a monetary impact.\n\nThank you for helping keep Grammarly and our users safe!\n​\n\n## Consequences of Complying with This Policy aka Safe Harbor\n\nWe will not pursue a civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistently with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Acceptable Use Policy, we waive those restrictions for the limited purpose of permitting security research under this policy. 
We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n​\nIf legal action is initiated by a third party against you and you have complied with Grammarly’s bug bounty policy, Grammarly will take steps to make it known that your actions were conducted in compliance with this policy.\n​\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-07-31T19:57:16.882Z"},{"id":3615280,"new_policy":"Security and privacy is a core concept for Grammarly. Grammarly looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n# Rules for us\n\n- We respect the time and effort of our researchers.\n- We will respond **within 3 business days**.\n- We will try to make a bounty determination **after validating** a legitimate security issue **within 10 business days**.\n- We will not take legal action against you for playing by these rules.\n- We will do our best to keep you informed about our progress throughout the process.\n- We will not respond to threats or negotiate under duress.\n\n# Rules for you\n\n* Be an ethical hacker.\n* Respect other users’ privacy: only interact with Grammarly accounts you own or with the explicit permission of the account holder.\n* Make a good-faith effort to avoid testing that would result in privacy violations, destruction of data or interruption or degradation of our service.\n* Let us know as soon as possible upon discovery of a potential security issue.\n* Contact us immediately if you do inadvertently encounter user data. 
Do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local information upon reporting the vulnerability to Grammarly.\n* Follow [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n* We reserve the right to disqualify individuals from the program for disrespectful or disruptive behavior.\n* We accept reports from hackers with a Signal higher than 1.0.\n\n# Scope\n\n## MFA Challenge\n\nThe challenge will run until **September 1**.\n\nThe scope of this challenge includes any vulnerabilities related to Grammarly's MFA implementation. Any security bug that allows a bypass of MFA checks or impacts MFA backup codes, MFA settings, or MFA code validation is considered in scope for this challenge.\n\nYou can find documentation for our MFA implementation (REST API, rate limits, known limitations) [here](https://docs.google.com/document/d/1WEQo6gWDGvrbfrxmpu4eywq-o_InpZupmNnRw7TX0sQ/edit#).\nTo participate in the challenge, please [submit this form](https://docs.google.com/forms/d/189-0ev6F5amB1TLyETh91aGv5wv5dvm08C2JTsaXZ5E/viewform). We’ll notify you via email once the MFA experiment is enabled for your account.\n\n| Severity | Reward | Examples |\n|----------|--------|----------|\n| Low | $500 | |\n| Medium | $2,500 | |\n| High | $7,500 | Issuing backup codes on behalf of a particular user; bypassing MFA protection for sensitive actions like a password or email change |\n| Critical | $10,000 | Issuing backup codes on behalf of an arbitrary user, or another severe MFA bypass |\n\n## Focus Scope\n\nGrammarly is particularly interested in testing our **Native apps and clients, Desktop Editors, Mobile Keyboards, and the Add-On for Microsoft Word and Outlook**.\n\nVulnerabilities in the Grammarly Mobile Keyboard for Android with a working proof of concept may qualify for an additional bounty through the [Google Play Security Rewards Program](https://hackerone.com/googleplay). 
To see which vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s [Vulnerability Criteria](https://hackerone.com/googleplay).\n\n### Native apps and clients\n\n* __Browser Extensions for Chrome, Safari, Firefox, Edge__ - A browser extension that's compatible with the supported versions of Chrome, Safari, Firefox, and Edge.\n​\n* __Desktop Editors for Microsoft Windows and MacOS__ – our Electron-powered desktop application for [macOS](https://www.grammarly.com/native/mac) and [Windows](https://www.grammarly.com/native/windows) where users can write and manage their documents as well as configure account settings.\n​\n* __Add-On for Microsoft Word and Outlook__ - [Grammarly add-on](https://www.grammarly.com/office-addin/windows) for MS Word and Outlook for Windows. \n​\n* __Mobile keyboards and applications for Android and iOS__ – our mobile apps and keyboards.\n\n## Standard Scope\n\nAll other assets listed in our “In Scope” table:\n- `capi.grammarly.com`\n- `data.grammarly.com`\n- `felog.grammarly.com`\n- `gnar.grammarly.com`\n- `app.grammarly.com`\n- `admin-panel.grammarly.com`\n- `irbis.grammarly.com`\n- `subscription.grammarly.com`\n- `institution.grammarly.com`\n- `www.grammarly.com`\n- `dox.grammarly.com`\n- `auth.grammarly.com`\n- `datareport.grammarly.com`\n- `proofit.com` and `*.proofit.com`\n- `grammarly.net` and `*.grammarly.net`\n- `grammarly.io` and `*.grammarly.io`\n- `food.grammarly.io`\n\n### Exclusions from the scope:\n\n- `anagram.grammarly.io` - out of scope.\n\n### Note about `grammarly.ai`\n\nWe’re already aware of certain issues found in `grammarly.ai`.\n\u003e This service doesn't handle, store or transfer any internal data or data of our users. 
Additionally, it is located in a separate VPC and isn't part of our infrastructure.\nWe accept only **critical submissions**(SSRF, XXE, SQLi, RCE) with a clearly reproducible **proof of concept code**.\n​\n\u003e _Reports that don't match these criteria will be closed as \"N/A\"._ \n\n### Note about `Office Add-In`\n\nVulnerabilities are eligible for submission if they’re reproducible on **any version of** Word/Outlook on Windows 7/10 with **all latest security patches applied**. The vulnerability should be tested on a system without additional SDKs and development kits. We cover your expenses (1 month) on a Word/Outlook license if the report appears being valid.\n\n# Rewards\n\n- When duplicates (including internally known issues) occur, we only award the first report that we receive.\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- Our rewards are based on the **impact** of a vulnerability, **attack requirements** and **scenario**.\n- We will try to conform with CVSSv3. However, certain exclusions might be possible.\n- The final reward decisions are up to the discretion of Grammarly.\n- We may calculate the severity and rewards of particular vulnerabilities in our client apps and web applications based on our User Agents and clients statistics.\n- If **your report pointed** our internal security team to a more severe bug, we will calculate your reward based **on the most severe bug we found internally.**\n- A report might be rewarded retroactively for a limited amount of time on a case-by-case basis.\n- We may award a Grammarly Premium account for particular \"Informative\" or \"Low\" severity bugs.\n* **Clearness of your report reflects the potential reward:** If your report isn't clear enough (e.g., lacks proof of concept code), it may lower the bounty, despite the severity of the found issue. 
*This rule works vice versa too!*\n\n## Recommendations for reporting\n\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n- Multiple chained vulnerabilities submitted as one report will qualify for one bigger bounty. If you submit multiple linked vulnerabilities as different reports, we will award every vulnerability individually! Please, remember this.\n- Reports that include proof of concept code will be more likely to be accepted.\n- Include how you found the bug, the impact, and any potential remediation. \n\n## Public disclosure\n\n- Public disclosure of the vulnerability prior to resolution may cancel a pending reward.\n- We reserve the right to not disclose the report or to disclose it only partially. (We may do this if the original report includes password hashes, config files, proprietary source code, any internal info, etc.)\n- We encourage public disclosure of your findings in our program!\n- We'd like to help out with your **write-ups about publicly disclosed bugs**. Feel free to send your write-up to security@grammarly.com!\n\n# Non-Qualifying Vulnerabilities\n\n- Report about any vulnerability from the exclusion list below will most likely be closed as \"N/A\".\n- Submitting multiple N/A reports may result in you being excluded from participating in our program.\n\n## Common vulnerabilities excluded from the scope\n\n* Social engineering (e.g., phishing, vishing, smishing) of Grammarly employees and users is strictly prohibited.\n* Clickjacking on pages without demonstrable impact (e.g. 
account takeover).\n* CSRF with minimal security implications (Logout CSRF, etc.)\n* Content spoofing issues without showing an attack vector and without being able to modify both HTML and CSS.\n* CSV injection.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Stack traces, path disclosure, and directory listings.\n* Self-XSS or having a user paste JavaScript into the browser console.\n* Vulnerabilities in outdated versions of Grammarly software.\n* Issues relating to buggy non-Grammarly client software.\n* Vulnerabilities that rely on installed outdated third-party software (e.g. Windows 7, Flash, Java applets, and similar deprecated technologies) will be triaged as \"Low\" for critical actions and \"Informative\" for non-critical ones.\n* Reports that affect only outdated user agents or platforms. We only consider exploits in the latest versions for Safari, Firefox, Chrome, Edge, supported Android (Android \u003e 5.0) and iOS versions (iOS \u003e 10).\n* DLL hijacking vulnerability in Desktop Editor reproducible on deprecated platforms(e.g., Windows 7).\n* Any activity that could lead to the disruption of our service (DoS).\n* Reports that include only crash dumps or other automated tool output without a proof of concept code.\n* Open ports scanning, banner grabbing, software version disclosure issues.\n* **MITM attacks on secure connection** and “Mixed Content” issues are out of scope.\n* Issues related to the missing address bar in Grammarly Desktop Editor. We’re aware of this issue affecting Electron apps serving web pages.\n* Vulnerabilities that require root-level or physical access on a targeted mobile device are out of scope.\n\n## Non-Qualifying best practices\n\n* Missing cookie flags on non-authentication cookies.\n* Missing best practices in DNS configuration (e.g. 
DKIM/DMARC/SPF/TXT).\n* Missing best practices in SSL/TLS configuration.\n* Missing best practices in Content Security Policy (CSP) or lack of other security-related headers.\n* Leakage of sensitive tokens (e.g., reset password token) to trusted third parties on secure connection (HTTPS).\n\n## Non-Qualifying (business) issues\n\n* Institution access code enumeration or demonstrating access codes leaked in Internet forums.\n* Credential re-usage from public dumps.\n* UUID enumeration of any kind.\n* Ability to determine if a username or email has a Grammarly account, also known as an account oracle.\n* Signing up with multiple accounts to abuse referral code usage.\n* Password length, complexity, and re-use requirements.\n* Email verification feature.\n* Sharing Premium accounts with other users isn't considered a monetary impact.\n\nThank you for helping keep Grammarly and our users safe!\n​\n\n## Consequences of Complying with This Policy aka Safe Harbor\n\nWe will not pursue a civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistently with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Acceptable Use Policy, we waive those restrictions for the limited purpose of permitting security research under this policy. 
We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n​\nIf legal action is initiated by a third party against you and you have complied with Grammarly’s bug bounty policy, Grammarly will take steps to make it known that your actions were conducted in compliance with this policy.\n​\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-07-31T18:11:30.491Z"},{"id":3614276,"new_policy":"Security and privacy is a core concept for Grammarly. Grammarly looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n# Rules for us\n\n- We respect the time and effort of our researchers.\n- We will respond **within 3 business days**.\n- We will try to make a bounty determination **after validating** a legitimate security issue **within 10 business days**.\n- We will not take legal action against you for playing by these rules.\n- We will do our best to keep you informed about our progress throughout the process.\n- We will not respond to threats or negotiate under duress.\n\n# Rules for you\n\n* Be an ethical hacker.\n* Respect other users’ privacy: only interact with Grammarly accounts you own or with the explicit permission of the account holder.\n* Make a good-faith effort to avoid testing that would result in privacy violations, destruction of data or interruption or degradation of our service.\n* Let us know as soon as possible upon discovery of a potential security issue.\n* Contact us immediately if you do inadvertently encounter user data. 
Do not view, alter, save, store, transfer, or otherwise access the data and immediately purge any local information upon reporting the vulnerability to Grammarly. \n* Follow [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n* We reserve the right to disqualify individuals from the program for disrespectful or disruptive behavior.\n* We accept reports from hackers with a Signal higher than 1.0​\n\n\n# Scope\n\n\n## Focus Scope\n\nGrammarly is particularly interested in testing our **Native apps and clients, Desktop Editors, Mobile Keyboards, Add-On for Microsoft Word and Outlook**.\n \nVulnerabilities in Grammarly Mobile Keyboard for Android with a working proof of concept may qualify for an additional bounty through the [Google Play Security Rewards Program](https://hackerone.com/googleplay). To see which vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s [Vulnerability Criteria](https://hackerone.com/googleplay).\n\n### Native apps and clients\n\n* __Browser Extensions for Chrome, Safari, Firefox, Edge__ - A browser extension that's compatible with the supported versions of Chrome, Safari, Firefox, and Edge.\n​\n* __Desktop Editors for Microsoft Windows and MacOS__ – our Electron-powered desktop application for [macOS](https://www.grammarly.com/native/mac) and [Windows](https://www.grammarly.com/native/windows) where users can write and manage their documents as well as configure account settings.\n​\n* __Add-On for Microsoft Word and Outlook__ - [Grammarly add-on](https://www.grammarly.com/office-addin/windows) for MS Word and Outlook for Windows. 
\n​\n* __Mobile keyboards and applications for Android and iOS__ – our mobile apps and keyboards.\n\n## Standard Scope\n\nAll other assets listed in our “In Scope” table:\n- `capi.grammarly.com`\n- `data.grammarly.com`\n- `felog.grammarly.com`\n- `gnar.grammarly.com`\n- `app.grammarly.com`\n- `admin-panel.grammarly.com`\n- `irbis.grammarly.com`\n- `subscription.grammarly.com`\n- `institution.grammarly.com`\n- `www.grammarly.com`\n- `dox.grammarly.com`\n- `auth.grammarly.com`\n- `datareport.grammarly.com`\n- `proofit.com` and `*.proofit.com`\n- `grammarly.net` and `*.grammarly.net`\n- `grammarly.io` and `*.grammarly.io`\n- `food.grammarly.io`\n\n### Exclusions from the scope:\n\n- `anagram.grammarly.io` - out of scope.\n\n### Note about `grammarly.ai`\n\nWe’re already aware of certain issues found in `grammarly.ai`.\n\u003e This service doesn't handle, store or transfer any internal data or data of our users. Additionally, it is located in a separate VPC and isn't part of our infrastructure.\nWe accept only **critical submissions**(SSRF, XXE, SQLi, RCE) with a clearly reproducible **proof of concept code**.\n​\n\u003e _Reports that don't match these criteria will be closed as \"N/A\"._ \n\n### Note about `Office Add-In`\n\nVulnerabilities are eligible for submission if they’re reproducible on **any version of** Word/Outlook on Windows 7/10 with **all latest security patches applied**. The vulnerability should be tested on a system without additional SDKs and development kits. We cover your expenses (1 month) on a Word/Outlook license if the report appears being valid.\n\n# Rewards\n\n- When duplicates (including internally known issues) occur, we only award the first report that we receive.\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- Our rewards are based on the **impact** of a vulnerability, **attack requirements** and **scenario**.\n- We will try to conform with CVSSv3. 
However, certain exclusions might be possible.\n- The final reward decisions are up to the discretion of Grammarly.\n- We may calculate the severity and rewards of particular vulnerabilities in our client apps and web applications based on our User Agents and clients statistics.\n- If **your report pointed** our internal security team to a more severe bug, we will calculate your reward based **on the most severe bug we found internally.**\n- A report might be rewarded retroactively for a limited amount of time on a case-by-case basis.\n- We may award a Grammarly Premium account for particular \"Informative\" or \"Low\" severity bugs.\n* **Clearness of your report reflects the potential reward:** If your report isn't clear enough (e.g., lacks proof of concept code), it may lower the bounty, despite the severity of the found issue. *This rule works vice versa too!*\n\n## Recommendations for reporting\n\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n- Multiple chained vulnerabilities submitted as one report will qualify for one bigger bounty. If you submit multiple linked vulnerabilities as different reports, we will award every vulnerability individually! Please, remember this.\n- Reports that include proof of concept code will be more likely to be accepted.\n- Include how you found the bug, the impact, and any potential remediation. \n\n## Public disclosure\n\n- Public disclosure of the vulnerability prior to resolution may cancel a pending reward.\n- We reserve the right to not disclose the report or to disclose it only partially. (We may do this if the original report includes password hashes, config files, proprietary source code, any internal info, etc.)\n- We encourage public disclosure of your findings in our program!\n- We'd like to help out with your **write-ups about publicly disclosed bugs**. 
Feel free to send your write-up to security@grammarly.com!\n\n# Non-Qualifying Vulnerabilities\n\n- Report about any vulnerability from the exclusion list below will most likely be closed as \"N/A\".\n- Submitting multiple N/A reports may result in you being excluded from participating in our program.\n\n## Common vulnerabilities excluded from the scope\n\n* Social engineering (e.g., phishing, vishing, smishing) of Grammarly employees and users is strictly prohibited.\n* Clickjacking on pages without demonstrable impact (e.g. account takeover).\n* CSRF with minimal security implications (Logout CSRF, etc.)\n* Content spoofing issues without showing an attack vector and without being able to modify both HTML and CSS.\n* CSV injection.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Stack traces, path disclosure, and directory listings.\n* Self-XSS or having a user paste JavaScript into the browser console.\n* Vulnerabilities in outdated versions of Grammarly software.\n* Issues relating to buggy non-Grammarly client software.\n* Vulnerabilities that rely on installed outdated third-party software (e.g. Windows 7, Flash, Java applets, and similar deprecated technologies) will be triaged as \"Low\" for critical actions and \"Informative\" for non-critical ones.\n* Reports that affect only outdated user agents or platforms. 
We only consider exploits in the latest versions for Safari, Firefox, Chrome, Edge, supported Android (Android \u003e 5.0) and iOS versions (iOS \u003e 10).\n* DLL hijacking vulnerability in Desktop Editor reproducible on deprecated platforms(e.g., Windows 7).\n* Any activity that could lead to the disruption of our service (DoS).\n* Reports that include only crash dumps or other automated tool output without a proof of concept code.\n* Open ports scanning, banner grabbing, software version disclosure issues.\n* **MITM attacks on secure connection** and “Mixed Content” issues are out of scope.\n* Issues related to the missing address bar in Grammarly Desktop Editor. We’re aware of this issue affecting Electron apps serving web pages.\n* Vulnerabilities that require root-level or physical access on a targeted mobile device are out of scope.\n\n## Non-Qualifying best practices\n\n* Missing cookie flags on non-authentication cookies.\n* Missing best practices in DNS configuration (e.g. DKIM/DMARC/SPF/TXT).\n* Missing best practices in SSL/TLS configuration.\n* Missing best practices in Content Security Policy (CSP) or lack of other security-related headers.\n* Leakage of sensitive tokens (e.g., reset password token) to trusted third parties on secure connection (HTTPS).\n\n## Non-Qualifying (business) issues\n\n* Institution access code enumeration or demonstrating access codes leaked in Internet forums.\n* Credential re-usage from public dumps.\n* UUID enumeration of any kind.\n* Ability to determine if a username or email has a Grammarly account, also known as an account oracle.\n* Signing up with multiple accounts to abuse referral code usage.\n* Password length, complexity, and re-use requirements.\n* Email verification feature.\n* Sharing Premium accounts with other users isn't considered a monetary impact.\n\nThank you for helping keep Grammarly and our users safe!\n​\n\n## Consequences of Complying with This Policy aka Safe Harbor\n\nWe will not pursue a civil 
action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistently with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Acceptable Use Policy, we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n​\nIf legal action is initiated by a third party against you and you have complied with Grammarly’s bug bounty policy, Grammarly will take steps to make it known that your actions were conducted in compliance with this policy.\n​\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-07-18T19:09:40.377Z"},{"id":3613089,"new_policy":"Security and privacy is a core concept for Grammarly. Grammarly looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. 
\n\n# Rules for us\n\n- We respect the time and effort of our researchers.\n- We will respond **within 3 business days**.\n- We will try to make a bounty determination **after validating** a legitimate security issue **within 10 business days**.\n- We will not take legal action against you for playing by these rules.\n- We will do our best to keep you informed about our progress throughout the process.\n- We will not respond to threats or negotiate under duress.\n\n# Rules for you\n\n* Be an ethical hacker.\n* Respect other users’ privacy: only interact with Grammarly accounts you own or with the explicit permission of the account holder.\n* Make a good-faith effort to avoid testing that would result in privacy violations, destruction of data or interruption or degradation of our service.\n* Let us know as soon as possible upon discovery of a potential security issue.\n* Contact us immediately if you do inadvertently encounter user data. Do not view, alter, save, store, transfer, or otherwise access the data and immediately purge any local information upon reporting the vulnerability to Grammarly. 
\n* Follow [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n* We reserve the right to disqualify individuals from the program for disrespectful or disruptive behavior.\n* We accept reports from hackers with a Signal higher than 1.0​\n\n\n# Scope\n\n\n## Focus Scope\n\nGrammarly is particularly interested in testing our **Native apps and clients, Desktop Editors, Mobile Keyboards, Add-On for Microsoft Word and Outlook**.\n\n### Native apps and clients\n\n* __Browser Extensions for Chrome, Safari, Firefox, Edge__ - A browser extension that's compatible with the supported versions of Chrome, Safari, Firefox, and Edge.\n​\n* __Desktop Editors for Microsoft Windows and MacOS__ – our Electron-powered desktop application for [macOS](https://www.grammarly.com/native/mac) and [Windows](https://www.grammarly.com/native/windows) where users can write and manage their documents as well as configure account settings.\n​\n* __Add-On for Microsoft Word and Outlook__ - [Grammarly add-on](https://www.grammarly.com/office-addin/windows) for MS Word and Outlook for Windows. 
\n​\n* __Mobile keyboards and applications for Android and iOS__ – our mobile apps and keyboards.\n\n## Standard Scope\n\nAll other assets listed in our “In Scope” table:\n- `capi.grammarly.com`\n- `data.grammarly.com`\n- `felog.grammarly.com`\n- `gnar.grammarly.com`\n- `app.grammarly.com`\n- `admin-panel.grammarly.com`\n- `irbis.grammarly.com`\n- `subscription.grammarly.com`\n- `institution.grammarly.com`\n- `www.grammarly.com`\n- `dox.grammarly.com`\n- `auth.grammarly.com`\n- `datareport.grammarly.com`\n- `proofit.com` and `*.proofit.com`\n- `grammarly.net` and `*.grammarly.net`\n- `grammarly.io` and `*.grammarly.io`\n- `food.grammarly.io`\n\n### Exclusions from the scope:\n\n- `anagram.grammarly.io` - out of scope.\n\n### Note about `grammarly.ai`\n\nWe’re already aware of certain issues found in `grammarly.ai`.\n\u003e This service doesn't handle, store or transfer any internal data or data of our users. Additionally, it is located in a separate VPC and isn't part of our infrastructure.\nWe accept only **critical submissions**(SSRF, XXE, SQLi, RCE) with a clearly reproducible **proof of concept code**.\n​\n\u003e _Reports that don't match these criteria will be closed as \"N/A\"._ \n\n### Note about `Office Add-In`\n\nVulnerabilities are eligible for submission if they’re reproducible on **any version of** Word/Outlook on Windows 7/10 with **all latest security patches applied**. The vulnerability should be tested on a system without additional SDKs and development kits. We cover your expenses (1 month) on a Word/Outlook license if the report appears being valid.\n\n# Rewards\n\n- When duplicates (including internally known issues) occur, we only award the first report that we receive.\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- Our rewards are based on the **impact** of a vulnerability, **attack requirements** and **scenario**.\n- We will try to conform with CVSSv3. 
However, certain exclusions might be possible.\n- The final reward decisions are up to the discretion of Grammarly.\n- We may calculate the severity and rewards of particular vulnerabilities in our client apps and web applications based on our User Agents and clients statistics.\n- If **your report pointed** our internal security team to a more severe bug, we will calculate your reward based **on the most severe bug we found internally.**\n- A report might be rewarded retroactively for a limited amount of time on a case-by-case basis.\n- We may award a Grammarly Premium account for particular \"Informative\" or \"Low\" severity bugs.\n* **Clearness of your report reflects the potential reward:** If your report isn't clear enough (e.g., lacks proof of concept code), it may lower the bounty, despite the severity of the found issue. *This rule works vice versa too!*\n\n## Recommendations for reporting\n\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n- Multiple chained vulnerabilities submitted as one report will qualify for one bigger bounty. If you submit multiple linked vulnerabilities as different reports, we will award every vulnerability individually! Please, remember this.\n- Reports that include proof of concept code will be more likely to be accepted.\n- Include how you found the bug, the impact, and any potential remediation. \n\n## Public disclosure\n\n- Public disclosure of the vulnerability prior to resolution may cancel a pending reward.\n- We reserve the right to not disclose the report or to disclose it only partially. (We may do this if the original report includes password hashes, config files, proprietary source code, any internal info, etc.)\n- We encourage public disclosure of your findings in our program!\n- We'd like to help out with your **write-ups about publicly disclosed bugs**. 
Feel free to send your write-up to security@grammarly.com!\n\n# Non-Qualifying Vulnerabilities\n\n- Report about any vulnerability from the exclusion list below will most likely be closed as \"N/A\".\n- Submitting multiple N/A reports may result in you being excluded from participating in our program.\n\n## Common vulnerabilities excluded from the scope\n\n* Social engineering (e.g., phishing, vishing, smishing) of Grammarly employees and users is strictly prohibited.\n* Clickjacking on pages without demonstrable impact (e.g. account takeover).\n* CSRF with minimal security implications (Logout CSRF, etc.)\n* Content spoofing issues without showing an attack vector and without being able to modify both HTML and CSS.\n* CSV injection.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Stack traces, path disclosure, and directory listings.\n* Self-XSS or having a user paste JavaScript into the browser console.\n* Vulnerabilities in outdated versions of Grammarly software.\n* Issues relating to buggy non-Grammarly client software.\n* Vulnerabilities that rely on installed outdated third-party software (e.g. Windows 7, Flash, Java applets, and similar deprecated technologies) will be triaged as \"Low\" for critical actions and \"Informative\" for non-critical ones.\n* Reports that affect only outdated user agents or platforms. 
We only consider exploits in the latest versions for Safari, Firefox, Chrome, Edge, supported Android (Android \u003e 5.0) and iOS versions (iOS \u003e 10).\n* DLL hijacking vulnerability in Desktop Editor reproducible on deprecated platforms(e.g., Windows 7).\n* Any activity that could lead to the disruption of our service (DoS).\n* Reports that include only crash dumps or other automated tool output without a proof of concept code.\n* Open ports scanning, banner grabbing, software version disclosure issues.\n* **MITM attacks on secure connection** and “Mixed Content” issues are out of scope.\n* Issues related to the missing address bar in Grammarly Desktop Editor. We’re aware of this issue affecting Electron apps serving web pages.\n* Vulnerabilities that require root-level or physical access on a targeted mobile device are out of scope.\n\n## Non-Qualifying best practices\n\n* Missing cookie flags on non-authentication cookies.\n* Missing best practices in DNS configuration (e.g. DKIM/DMARC/SPF/TXT).\n* Missing best practices in SSL/TLS configuration.\n* Missing best practices in Content Security Policy (CSP) or lack of other security-related headers.\n* Leakage of sensitive tokens (e.g., reset password token) to trusted third parties on secure connection (HTTPS).\n\n## Non-Qualifying (business) issues\n\n* Institution access code enumeration or demonstrating access codes leaked in Internet forums.\n* Credential re-usage from public dumps.\n* UUID enumeration of any kind.\n* Ability to determine if a username or email has a Grammarly account, also known as an account oracle.\n* Signing up with multiple accounts to abuse referral code usage.\n* Password length, complexity, and re-use requirements.\n* Email verification feature.\n* Sharing Premium accounts with other users isn't considered a monetary impact.\n\nThank you for helping keep Grammarly and our users safe!\n​\n\n## Consequences of Complying with This Policy aka Safe Harbor\n\nWe will not pursue a civil 
action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistently with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Acceptable Use Policy, we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n​\nIf legal action is initiated by a third party against you and you have complied with Grammarly’s bug bounty policy, Grammarly will take steps to make it known that your actions were conducted in compliance with this policy.\n​\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-07-01T15:58:05.123Z"},{"id":3613086,"new_policy":"Security and privacy is a core concept for Grammarly. Grammarly looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. 
\n\n# Rules for us\n\n- We respect the time and effort of our researchers.\n- We will respond **within 3 business days**.\n- We will try to make a bounty determination **after validating** a legitimate security issue **within 10 business days**.\n- We will not take legal action against you for playing by these rules.\n- We will do our best to keep you informed about our progress throughout the process.\n- We will not respond to threats or negotiate under duress.\n\n# Rules for you\n\n* Be an ethical hacker.\n* Respect other users’ privacy: only interact with Grammarly accounts you own or with the explicit permission of the account holder.\n* Make a good-faith effort to avoid testing that would result in privacy violations, destruction of data or interruption or degradation of our service.\n* Let us know as soon as possible upon discovery of a potential security issue.\n* Contact us immediately if you do inadvertently encounter user data. Do not view, alter, save, store, transfer, or otherwise access the data and immediately purge any local information upon reporting the vulnerability to Grammarly. 
\n* Follow [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n* We reserve the right to disqualify individuals from the program for disrespectful or disruptive behavior.\n* We accept reports from hackers with a Signal higher than 1.0\n​\n# Scope\n\n## Focus Scope\n\nGrammarly is particularly interested in testing our **Native apps and clients, Desktop Editors, Mobile Keyboards, Add-On for Microsoft Word and Outlook**.\n\n### Native apps and clients\n\n* __Browser Extensions for Chrome, Safari, Firefox, Edge__ - A browser extension that's compatible with the supported versions of Chrome, Safari, Firefox, and Edge.\n​\n* __Desktop Editors for Microsoft Windows and MacOS__ – our Electron-powered desktop application for [macOS](https://www.grammarly.com/native/mac) and [Windows](https://www.grammarly.com/native/windows) where users can write and manage their documents as well as configure account settings.\n​\n* __Add-On for Microsoft Word and Outlook__ - [Grammarly add-on](https://www.grammarly.com/office-addin/windows) for MS Word and Outlook for Windows. 
\n* __Mobile keyboards and applications for Android and iOS__ – our mobile apps and keyboards.\n\n## Standard Scope\n\nAll other assets listed in our “In Scope” table:\n- `capi.grammarly.com`\n- `data.grammarly.com`\n- `felog.grammarly.com`\n- `gnar.grammarly.com`\n- `app.grammarly.com`\n- `admin-panel.grammarly.com`\n- `irbis.grammarly.com`\n- `subscription.grammarly.com`\n- `institution.grammarly.com`\n- `www.grammarly.com`\n- `dox.grammarly.com`\n- `auth.grammarly.com`\n- `datareport.grammarly.com`\n- `proofit.com` and `*.proofit.com`\n- `grammarly.net` and `*.grammarly.net`\n- `grammarly.io` and `*.grammarly.io`\n- `food.grammarly.io`\n\n### Exclusions from the scope:\n\n- `anagram.grammarly.io` - out of scope.\n\n### Note about `grammarly.ai`\n\nWe’re already aware of certain issues found in `grammarly.ai`.\n\n\u003e This service doesn't handle, store or transfer any internal data or data of our users. Additionally, it is located in a separate VPC and isn't part of our infrastructure.\n\nWe accept only **critical submissions** (SSRF, XXE, SQLi, RCE) with clearly reproducible **proof-of-concept code**.\n\n\u003e _Reports that don't match these criteria will be closed as \"N/A\"._\n\n### Note about `Office Add-In`\n\nVulnerabilities are eligible for submission if they’re reproducible on **any version of** Word/Outlook on Windows 7/10 with **all the latest security patches applied**. The vulnerability should be tested on a system without additional SDKs or development kits. We cover your expenses (1 month) on a Word/Outlook license if the report proves to be valid.\n\n# Rewards\n\n- When duplicates (including internally known issues) occur, we only award the first report that we receive.\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- Our rewards are based on the **impact** of a vulnerability, **attack requirements** and **scenario**.\n- We will try to conform with CVSSv3. 
However, certain exclusions might be possible.\n- The final reward decisions are up to the discretion of Grammarly.\n- We may calculate the severity and rewards of particular vulnerabilities in our client apps and web applications based on our user-agent and client statistics.\n- If **your report pointed** our internal security team to a more severe bug, we will calculate your reward based **on the most severe bug we found internally.**\n- A report might be rewarded retroactively for a limited amount of time on a case-by-case basis.\n- We may award a Grammarly Premium account for particular \"Informative\" or \"Low\" severity bugs.\n- **The clarity of your report affects the potential reward:** if your report isn't clear enough (e.g., it lacks proof-of-concept code), the bounty may be lowered regardless of the severity of the issue. *This works the other way round too!*\n\n## Recommendations for reporting\n\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to demonstrate impact.\n- Multiple chained vulnerabilities submitted as one report will qualify for one bigger bounty. If you submit multiple linked vulnerabilities as separate reports, we will award every vulnerability individually! Please keep this in mind.\n- Reports that include proof-of-concept code are more likely to be accepted.\n- Include how you found the bug, the impact, and any potential remediation.\n\n## Public disclosure\n\n- Public disclosure of the vulnerability prior to resolution may cancel a pending reward.\n- We reserve the right not to disclose the report, or to disclose it only partially. (We may do this if the original report includes password hashes, config files, proprietary source code, any internal info, etc.)\n- We encourage public disclosure of your findings in our program!\n- We'd like to help out with your **write-ups about publicly disclosed bugs**. 
Feel free to send your write-up to security@grammarly.com!\n\n# Non-Qualifying Vulnerabilities\n\n- Reports about any vulnerability from the exclusion list below will most likely be closed as \"N/A\".\n- Submitting multiple N/A reports may result in you being excluded from participating in our program.\n\n## Common vulnerabilities excluded from the scope\n\n* Social engineering (e.g., phishing, vishing, smishing) of Grammarly employees and users is strictly prohibited.\n* Clickjacking on pages without demonstrable impact (e.g., account takeover).\n* CSRF with minimal security implications (logout CSRF, etc.).\n* Content spoofing issues without showing an attack vector and without being able to modify both HTML and CSS.\n* CSV injection.\n* Previously known vulnerable libraries without a working proof of concept.\n* Stack traces, path disclosure, and directory listings.\n* Self-XSS or having a user paste JavaScript into the browser console.\n* Vulnerabilities in outdated versions of Grammarly software.\n* Issues relating to buggy non-Grammarly client software.\n* Vulnerabilities that rely on installed outdated third-party software (e.g., Windows 7, Flash, Java applets, and similar deprecated technologies) will be triaged as \"Low\" for critical actions and \"Informative\" for non-critical ones.\n* Reports that affect only outdated user agents or platforms. 
We only consider exploits in the latest versions of Safari, Firefox, Chrome and Edge, and on supported Android (Android \u003e 5.0) and iOS (iOS \u003e 10) versions.\n* DLL hijacking vulnerability in Desktop Editor reproducible on deprecated platforms (e.g., Windows 7).\n* Any activity that could lead to the disruption of our service (DoS).\n* Reports that include only crash dumps or other automated tool output without proof-of-concept code.\n* Open port scanning, banner grabbing, and software version disclosure issues.\n* **MITM attacks on secure connections** and “Mixed Content” issues are out of scope.\n* Issues related to the missing address bar in Grammarly Desktop Editor. We’re aware of this issue affecting Electron apps serving web pages.\n* Vulnerabilities that require root-level or physical access on a targeted mobile device are out of scope.\n\n## Non-Qualifying best practices\n\n* Missing cookie flags on non-authentication cookies.\n* Missing best practices in DNS configuration (e.g., DKIM/DMARC/SPF/TXT).\n* Missing best practices in SSL/TLS configuration.\n* Missing best practices in Content Security Policy (CSP) or lack of other security-related headers.\n* Leakage of sensitive tokens (e.g., password reset token) to trusted third parties over a secure connection (HTTPS).\n\n## Non-Qualifying (business) issues\n\n* Institution access code enumeration or demonstrating access codes leaked in Internet forums.\n* Credential re-usage from public dumps.\n* UUID enumeration of any kind.\n* Ability to determine if a username or email has a Grammarly account, also known as an account oracle.\n* Signing up with multiple accounts to abuse referral code usage.\n* Password length, complexity, and re-use requirements.\n* Email verification feature.\n* Sharing Premium accounts with other users isn't considered a monetary impact.\n\nThank you for helping keep Grammarly and our users safe!\n\n## Consequences of Complying with This Policy aka Safe Harbor\n\nWe will not pursue a civil 
action or initiate a complaint to law enforcement for accidental, good-faith violations of this policy. We consider activities conducted consistently with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Acceptable Use Policy, we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you and you have complied with Grammarly’s bug bounty policy, Grammarly will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-07-01T15:57:04.903Z"},{"id":3611738,"new_policy":"Security and privacy are core concepts for Grammarly. Grammarly looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. 
\n\n# Rules for us\n\n- We respect the time and effort of our researchers.\n- We will respond **within 3 business days**.\n- We will try to make a bounty determination **after validating** a legitimate security issue **within 10 business days**.\n- We will not take legal action against you for playing by these rules.\n- We will do our best to keep you informed about our progress throughout the process.\n- We will not respond to threats or negotiate under duress.\n\n# Rules for you\n\n* Be an ethical hacker.\n* Respect other users’ privacy: only interact with Grammarly accounts you own or with the explicit permission of the account holder.\n* Make a good-faith effort to avoid testing that would result in privacy violations, destruction of data or interruption or degradation of our service.\n* Let us know as soon as possible upon discovery of a potential security issue.\n* Contact us immediately if you do inadvertently encounter user data. Do not view, alter, save, store, transfer, or otherwise access the data and immediately purge any local information upon reporting the vulnerability to Grammarly. 
\n* Follow [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n* We reserve the right to disqualify individuals from the program for disrespectful or disruptive behavior.\n* We accept reports from hackers with a Signal higher than 1.0.\n\n# Scope\n\n## Focus Scope\n\nGrammarly is particularly interested in testing our **Native apps and clients, Desktop Editors, Mobile Keyboards, Add-On for Microsoft Word and Outlook**.\n\n### Native apps and clients\n\n* __Browser Extensions for Chrome, Safari, Firefox, Edge__ - A browser extension that's compatible with the supported versions of Chrome, Safari, Firefox, and Edge.\n* __Desktop Editors for Microsoft Windows and macOS__ – our Electron-powered desktop application for [macOS](https://www.grammarly.com/native/mac) and [Windows](https://www.grammarly.com/native/windows) where users can write and manage their documents as well as configure account settings.\n* __Add-On for Microsoft Word and Outlook__ - [Grammarly add-on](https://www.grammarly.com/office-addin/windows) for MS Word and Outlook for Windows. 
\n* __Mobile keyboards and applications for Android and iOS__ – our mobile apps and keyboards.\n\n## Standard Scope\n\nAll other assets listed in our “In Scope” table:\n- `capi.grammarly.com`\n- `data.grammarly.com`\n- `felog.grammarly.com`\n- `gnar.grammarly.com`\n- `app.grammarly.com`\n- `admin-panel.grammarly.com`\n- `irbis.grammarly.com`\n- `subscription.grammarly.com`\n- `institution.grammarly.com`\n- `www.grammarly.com`\n- `dox.grammarly.com`\n- `auth.grammarly.com`\n- `datareport.grammarly.com`\n- `proofit.com` and `*.proofit.com`\n- `grammarly.net` and `*.grammarly.net`\n- `grammarly.io` and `*.grammarly.io`\n- `food.grammarly.io`\n\n### Exclusions from the scope:\n\n- `anagram.grammarly.io` - out of scope.\n\n### Note about `grammarly.ai`\n\nWe’re already aware of certain issues found in `grammarly.ai`.\n\n\u003e This service doesn't handle, store or transfer any internal data or data of our users. Additionally, it is located in a separate VPC and isn't part of our infrastructure.\n\nWe accept only **critical submissions** (SSRF, XXE, SQLi, RCE) with clearly reproducible **proof-of-concept code**.\n\n\u003e _Reports that don't match these criteria will be closed as \"N/A\"._\n\n### Note about `Office Add-In`\n\nVulnerabilities are eligible for submission if they’re reproducible on **any version of** Word/Outlook on Windows 7/10 with **all the latest security patches applied**. The vulnerability should be tested on a system without additional SDKs or development kits. We cover your expenses (1 month) on a Word/Outlook license if the report proves to be valid.\n\n# Rewards\n\n- When duplicates (including internally known issues) occur, we only award the first report that we receive.\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- Our rewards are based on the **impact** of a vulnerability, **attack requirements** and **scenario**.\n- We will try to conform with CVSSv3. 
However, certain exclusions might be possible.\n- The final reward decisions are up to the discretion of Grammarly.\n- We may calculate the severity and rewards of particular vulnerabilities in our client apps and web applications based on our user-agent and client statistics.\n- If **your report pointed** our internal security team to a more severe bug, we will calculate your reward based **on the most severe bug we found internally.**\n- A report might be rewarded retroactively for a limited amount of time on a case-by-case basis.\n- We may award a Grammarly Premium account for particular \"Informative\" or \"Low\" severity bugs.\n- **The clarity of your report affects the potential reward:** if your report isn't clear enough (e.g., it lacks proof-of-concept code), the bounty may be lowered regardless of the severity of the issue. *This works the other way round too!*\n\n## Recommendations for reporting\n\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to demonstrate impact.\n- Multiple chained vulnerabilities submitted as one report will qualify for one bigger bounty. If you submit multiple linked vulnerabilities as separate reports, we will award every vulnerability individually! Please keep this in mind.\n- Reports that include proof-of-concept code are more likely to be accepted.\n- Include how you found the bug, the impact, and any potential remediation.\n\n## Public disclosure\n\n- Public disclosure of the vulnerability prior to resolution may cancel a pending reward.\n- We reserve the right not to disclose the report, or to disclose it only partially. (We may do this if the original report includes password hashes, config files, proprietary source code, any internal info, etc.)\n- We encourage public disclosure of your findings in our program!\n- We'd like to help out with your **write-ups about publicly disclosed bugs**. 
Feel free to send your write-up to security@grammarly.com!\n\n# Non-Qualifying Vulnerabilities\n\n- Reports about any vulnerability from the exclusion list below will most likely be closed as \"N/A\".\n- Submitting multiple N/A reports may result in you being excluded from participating in our program.\n\n## Common vulnerabilities excluded from the scope\n\n* Social engineering (e.g., phishing, vishing, smishing) of Grammarly employees and users is strictly prohibited.\n* Clickjacking on pages without demonstrable impact (e.g., account takeover).\n* CSRF with minimal security implications (logout CSRF, etc.).\n* Content spoofing issues without showing an attack vector and without being able to modify both HTML and CSS.\n* CSV injection.\n* Previously known vulnerable libraries without a working proof of concept.\n* Stack traces, path disclosure, and directory listings.\n* Self-XSS or having a user paste JavaScript into the browser console.\n* Vulnerabilities in outdated versions of Grammarly software.\n* Issues relating to buggy non-Grammarly client software.\n* Vulnerabilities that rely on installed outdated third-party software (e.g., Windows 7, Flash, Java applets, and similar deprecated technologies) will be triaged as \"Low\" for critical actions and \"Informative\" for non-critical ones.\n* Reports that affect only outdated user agents or platforms. 
We only consider exploits in the latest versions of Safari, Firefox, Chrome and Edge, and on supported Android (Android \u003e 5.0) and iOS (iOS \u003e 10) versions.\n* DLL hijacking vulnerability in Desktop Editor reproducible on deprecated platforms (e.g., Windows 7).\n* Any activity that could lead to the disruption of our service (DoS).\n* Reports that include only crash dumps or other automated tool output without proof-of-concept code.\n* Open port scanning, banner grabbing, and software version disclosure issues.\n* **MITM attacks on secure connections** and “Mixed Content” issues are out of scope.\n* Issues related to the missing address bar in Grammarly Desktop Editor. We’re aware of this issue affecting Electron apps serving web pages.\n* Vulnerabilities that require root-level or physical access on a targeted mobile device are out of scope.\n\n## Non-Qualifying best practices\n\n* Missing cookie flags on non-authentication cookies.\n* Missing best practices in DNS configuration (e.g., DKIM/DMARC/SPF/TXT).\n* Missing best practices in SSL/TLS configuration.\n* Missing best practices in Content Security Policy (CSP) or lack of other security-related headers.\n* Leakage of sensitive tokens (e.g., password reset token) to trusted third parties over a secure connection (HTTPS).\n\n## Non-Qualifying (business) issues\n\n* Institution access code enumeration or demonstrating access codes leaked in Internet forums.\n* Credential re-usage from public dumps.\n* UUID enumeration of any kind.\n* Ability to determine if a username or email has a Grammarly account, also known as an account oracle.\n* Signing up with multiple accounts to abuse referral code usage.\n* Password length, complexity, and re-use requirements.\n* Email verification feature.\n* Sharing Premium accounts with other users isn't considered a monetary impact.\n\nThank you for helping keep Grammarly and our users safe!\n\n## Consequences of Complying with This Policy aka Safe Harbor\n\nWe will not pursue a civil 
action or initiate a complaint to law enforcement for accidental, good-faith violations of this policy. We consider activities conducted consistently with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Acceptable Use Policy, we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you and you have complied with Grammarly’s bug bounty policy, Grammarly will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-06-12T11:46:17.932Z"},{"id":3611164,"new_policy":"Security and privacy are core concepts for Grammarly. Grammarly looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. 
\n\n# Rules for us\n\n- We respect the time and effort of our researchers.\n- We will respond **within 3 business days**.\n- We will try to make a bounty determination **after validating** a legitimate security issue **within 10 business days**.\n- We will not take legal action against you for playing by these rules.\n- We will do our best to keep you informed about our progress throughout the process.\n- We will not respond to threats or negotiate under duress.\n\n# Rules for you\n\n* Be an ethical hacker.\n* Respect other users’ privacy: only interact with Grammarly accounts you own or with the explicit permission of the account holder.\n* Make a good-faith effort to avoid testing that would result in privacy violations, destruction of data or interruption or degradation of our service.\n* Let us know as soon as possible upon discovery of a potential security issue.\n* Contact us immediately if you do inadvertently encounter user data. Do not view, alter, save, store, transfer, or otherwise access the data and immediately purge any local information upon reporting the vulnerability to Grammarly. 
\n* Follow [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n* We reserve the right to disqualify individuals from the program for disrespectful or disruptive behavior.\n* We accept reports from hackers with a Signal higher than 1.0.\n\n# Scope\n\n## Focus Scope\n\nGrammarly is particularly interested in testing our **Native apps and clients, Desktop Editors, Mobile Keyboards, Add-On for Microsoft Word and Outlook**.\n\n### Native apps and clients\n\n* __Browser Extensions for Chrome, Safari, Firefox, Edge__ - A browser extension that's compatible with the supported versions of Chrome, Safari, Firefox, and Edge.\n* __Desktop Editors for Microsoft Windows and macOS__ – our Electron-powered desktop application for [macOS](https://www.grammarly.com/native/mac) and [Windows](https://www.grammarly.com/native/windows) where users can write and manage their documents as well as configure account settings.\n* __Add-On for Microsoft Word and Outlook__ - [Grammarly add-on](https://www.grammarly.com/office-addin/windows) for MS Word and Outlook for Windows. 
\n* __Mobile keyboards and applications for Android and iOS__ – our mobile apps and keyboards.\n\n## Standard Scope\n\nAll other assets listed in our “In Scope” table:\n- `capi.grammarly.com`\n- `data.grammarly.com`\n- `felog.grammarly.com`\n- `gnar.grammarly.com`\n- `app.grammarly.com`\n- `admin-panel.grammarly.com`\n- `irbis.grammarly.com`\n- `subscription.grammarly.com`\n- `institution.grammarly.com`\n- `www.grammarly.com`\n- `dox.grammarly.com`\n- `auth.grammarly.com`\n- `datareport.grammarly.com`\n- `proofit.com` and `*.proofit.com`\n- `grammarly.net` and `*.grammarly.net`\n- `grammarly.io` and `*.grammarly.io`\n- `food.grammarly.io`\n\n### Exclusions from the scope:\n\n- `anagram.grammarly.io` - out of scope.\n\n### Note about `grammarly.ai`\n\nWe’re already aware of certain issues found in `grammarly.ai`.\n\n\u003e This service doesn't handle, store or transfer any internal data or data of our users. Additionally, it is located in a separate VPC and isn't part of our infrastructure.\n\nWe accept only **critical submissions** (SSRF, XXE, SQLi, RCE) with clearly reproducible **proof-of-concept code**.\n\n\u003e _Reports that don't match these criteria will be closed as \"N/A\"._\n\n### Note about `Office Add-In`\n\nVulnerabilities are eligible for submission if they’re reproducible on **any version of** Word/Outlook on Windows 7/10 with **all the latest security patches applied**. The vulnerability should be tested on a system without additional SDKs or development kits. We cover your expenses (1 month) on a Word/Outlook license if the report proves to be valid.\n\n# Rewards\n\n- When duplicates (including internally known issues) occur, we only award the first report that we receive.\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- Our rewards are based on the **impact** of a vulnerability, **attack requirements** and **scenario**.\n- We will try to conform with CVSSv3. 
However, certain exclusions might be possible.\n- The final reward decisions are up to the discretion of Grammarly.\n- We may calculate the severity and rewards of particular vulnerabilities in our client apps and web applications based on our user-agent and platform statistics.\n- If **your report pointed** our internal security team to a more severe bug, we will calculate your reward based **on the most severe bug we found internally.**\n- A report might be rewarded retroactively for a limited amount of time on a case-by-case basis.\n- We may award a Grammarly Premium account for particular \"Informative\" or \"Low\" severity bugs.\n- **The clarity of your report affects the potential reward:** if your report isn't clear enough (e.g., it lacks proof-of-concept code), the bounty may be lowered regardless of the severity of the issue. *This works the other way round too!*\n\n## Recommendations for reporting\n\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to demonstrate impact.\n- Multiple chained vulnerabilities submitted as one report will qualify for one bigger bounty. If you submit multiple linked vulnerabilities as separate reports, we will award every vulnerability individually! Please keep this in mind.\n- Reports that include proof-of-concept code are more likely to be accepted.\n- Include how you found the bug, the impact, and any potential remediation.\n\n## Public disclosure\n\n- Public disclosure of the vulnerability prior to resolution may cancel a pending reward.\n- We reserve the right not to disclose the report, or to disclose it only partially. (We may do this if the original report includes password hashes, config files, proprietary source code, any internal info, etc.)\n- We encourage public disclosure of your findings in our program!\n- We'd like to help out with your **write-ups about publicly disclosed bugs**. 
Feel free to send your write-up to security@grammarly.com!\n\n# Non-Qualifying Vulnerabilities\n\n- Reports about any vulnerability from the exclusion list below will most likely be closed as \"N/A\".\n- Submitting multiple N/A reports may result in you being excluded from participating in our program.\n\n## Common vulnerabilities excluded from the scope\n\n* Social engineering (e.g., phishing, vishing, smishing) of Grammarly employees and users is strictly prohibited.\n* Clickjacking on pages without demonstrable impact (e.g., account takeover).\n* CSRF with minimal security implications (logout CSRF, etc.).\n* Content spoofing issues without showing an attack vector and without being able to modify both HTML and CSS.\n* CSV injection.\n* Previously known vulnerable libraries without a working proof of concept.\n* Stack traces, path disclosure, and directory listings.\n* Self-XSS or having a user paste JavaScript into the browser console.\n* Vulnerabilities in outdated versions of Grammarly software.\n* Issues relating to buggy non-Grammarly client software.\n* Vulnerabilities that rely on installed outdated third-party software (e.g., Windows 7, Flash, Java applets, and similar deprecated technologies) will be triaged as \"Low\" for critical actions and \"Informative\" for non-critical ones.\n* Reports that affect only outdated user agents or platforms. 
We only consider exploits in the latest versions of Safari, Firefox, Chrome and Edge, and on supported Android (Android \u003e 5.0) and iOS (iOS \u003e 10) versions.\n* DLL hijacking vulnerability in Desktop Editor reproducible on deprecated platforms (e.g., Windows 7).\n* Any activity that could lead to the disruption of our service (DoS).\n* Reports that include only crash dumps or other automated tool output without proof-of-concept code.\n* Open port scanning, banner grabbing, and software version disclosure issues.\n* **MITM attacks on secure connections** and “Mixed Content” issues are out of scope.\n* Issues related to the missing address bar in Grammarly Desktop Editor. We’re aware of this issue affecting Electron apps serving web pages.\n* Vulnerabilities that require root-level or physical access on a targeted mobile device are out of scope.\n\n## Non-Qualifying best practices\n\n* Missing cookie flags on non-authentication cookies.\n* Missing best practices in DNS configuration (e.g., DKIM/DMARC/SPF/TXT).\n* Missing best practices in SSL/TLS configuration.\n* Missing best practices in Content Security Policy (CSP) or lack of other security-related headers.\n* Leakage of sensitive tokens (e.g., password reset token) to trusted third parties over a secure connection (HTTPS).\n\n## Non-Qualifying (business) issues\n\n* Institution access code enumeration or demonstrating access codes leaked in Internet forums.\n* Credential re-usage from public dumps.\n* UUID enumeration of any kind.\n* Ability to determine if a username or email has a Grammarly account, also known as an account oracle.\n* Signing up with multiple accounts to abuse referral code usage.\n* Password length, complexity, and re-use requirements.\n* Email verification feature.\n* Sharing Premium accounts with other users isn't considered a monetary impact.\n\nThank you for helping keep Grammarly and our users safe!\n\n## Consequences of Complying with This Policy aka Safe Harbor\n\nWe will not pursue a civil 
action or initiate a complaint to law enforcement for accidental, good-faith violations of this policy. We consider activities conducted consistently with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Acceptable Use Policy, we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you and you have complied with Grammarly’s bug bounty policy, Grammarly will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-06-04T12:07:03.590Z"},{"id":3611163,"new_policy":"Security and privacy are core concepts for Grammarly. Grammarly looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. 
\n\n# Rules for us\n\n- We respect the time and effort of our researchers.\n- We will respond **within 3 business days**.\n- We will try to make a bounty determination **after validating** a legitimate security issue **within 10 business days**.\n- We will not take legal action against you for playing by these rules.\n- We will do our best to keep you informed about our progress throughout the process.\n- We will not respond to threats or negotiate under duress.\n\n# Rules for you\n\n* Be an ethical hacker.\n* Respect other users’ privacy: only interact with Grammarly accounts you own or with the explicit permission of the account holder.\n* Make a good-faith effort to avoid testing that would result in privacy violations, destruction of data or interruption or degradation of our service.\n* Let us know as soon as possible upon discovery of a potential security issue.\n* Contact us immediately if you do inadvertently encounter user data. Do not view, alter, save, store, transfer, or otherwise access the data and immediately purge any local information upon reporting the vulnerability to Grammarly. 
\n* Follow [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n* We reserve the right to disqualify individuals from the program for disrespectful or disruptive behavior.\n* We accept reports from hackers with a Signal higher than 1.0.\n\n# Scope\n\n## Focus Scope\n\nGrammarly is particularly interested in testing our **Native apps and clients, Desktop Editors, Mobile Keyboards, Add-On for Microsoft Word and Outlook**.\n\n### Native apps and clients\n\n* __Browser Extensions for Chrome, Safari, Firefox, Edge__ - A browser extension that's compatible with the supported versions of Chrome, Safari, Firefox, and Edge.\n* __Desktop Editors for Microsoft Windows and macOS__ – our Electron-powered desktop application for [macOS](https://www.grammarly.com/native/mac) and [Windows](https://www.grammarly.com/native/windows) where users can write and manage their documents as well as configure account settings.\n* __Add-On for Microsoft Word and Outlook__ - [Grammarly add-on](https://www.grammarly.com/office-addin/windows) for MS Word and Outlook for Windows. 
\n\n* __Mobile keyboards and applications for Android and iOS__ – our mobile apps and keyboards.\n\n## Standard Scope\n\nAll other assets listed in our “In Scope” table:\n- `capi.grammarly.com`\n- `data.grammarly.com`\n- `felog.grammarly.com`\n- `gnar.grammarly.com`\n- `app.grammarly.com`\n- `admin-panel.grammarly.com`\n- `irbis.grammarly.com`\n- `subscription.grammarly.com`\n- `institution.grammarly.com`\n- `www.grammarly.com`\n- `dox.grammarly.com`\n- `auth.grammarly.com`\n- `datareport.grammarly.com`\n- `proofit.com` and `*.proofit.com`\n- `grammarly.net` and `*.grammarly.net`\n- `grammarly.io` and `*.grammarly.io`\n- `food.grammarly.io`\n\n### Exclusions from the scope:\n\n- `anagram.grammarly.io` - out of scope.\n\n### Note about `grammarly.ai`\n\nWe’re already aware of certain issues found in `grammarly.ai`.\n\u003e This service doesn't handle, store or transfer any internal data or data of our users. Additionally, it is located in a separate VPC and isn't part of our infrastructure.\n\nWe accept only **critical submissions** (SSRF, XXE, SQLi, RCE) with clearly reproducible **proof of concept code**.\n\n\u003e _Reports that don't match these criteria will be closed as \"N/A\"._ \n\n### Note about `Office Add-In`\n\nVulnerabilities are eligible for submission if they’re reproducible on **any version of** Word/Outlook on Windows 7/10 with **all latest security patches applied**. The vulnerability should be tested on a system without additional SDKs and development kits. We cover your expenses (1 month) on a Word/Outlook license if the report turns out to be valid.\n\n# Rewards\n\n- When duplicates (including internally known issues) occur, we only award the first report that we receive.\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- Our rewards are based on the **impact** of a vulnerability, **attack requirements** and **scenario**.\n- We will try to conform with CVSSv3. 
However, certain exclusions might be possible.\n- The final reward decisions are up to the discretion of Grammarly.\n- We may calculate the severity and rewards of particular vulnerabilities in our client apps and web applications based on our User Agent and platform statistics.\n- If **your report pointed** our internal security team to a more severe bug, we will calculate your reward based **on the most severe bug we found internally.**\n- A report might be rewarded retroactively for a limited amount of time on a case-by-case basis.\n- We may award a Grammarly Premium account for particular \"Informative\" or \"Low\" severity bugs.\n- **The clarity of your report affects the potential reward:** If your report isn't clear enough (e.g., lacks proof of concept code), it may lower the bounty, despite the severity of the found issue. *This rule works vice versa too!*\n\n## Recommendations for reporting\n\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to demonstrate impact.\n- Multiple chained vulnerabilities submitted as one report will qualify for one bigger bounty. If you submit multiple linked vulnerabilities as different reports, we will award every vulnerability individually! Please remember this.\n- Reports that include proof of concept code will be more likely to be accepted.\n- Include how you found the bug, the impact, and any potential remediation. \n\n## Public disclosure\n\n- Public disclosure of the vulnerability prior to resolution may cancel a pending reward.\n- We reserve the right to not disclose the report or to disclose it only partially. (We may do this if the original report includes password hashes, config files, proprietary source code, any internal info, etc.)\n- We encourage public disclosure of your findings in our program!\n- We'd like to help out with your **write-ups about publicly disclosed bugs**. 
Feel free to send your write-up to security@grammarly.com!\n\n# Non-Qualifying Vulnerabilities\n\n- Reports about any vulnerability from the exclusion list below will most likely be closed as \"N/A\".\n- Submitting multiple N/A reports may result in you being excluded from participating in our program.\n\n## Common vulnerabilities excluded from the scope:\n\n* Social engineering (e.g., phishing, vishing, smishing) of Grammarly employees and users is strictly prohibited.\n* Clickjacking on pages without demonstrable impact (e.g., account takeover).\n* CSRF with minimal security implications (logout CSRF, etc.).\n* Content spoofing issues without showing an attack vector and without being able to modify both HTML and CSS.\n* CSV injection.\n* Previously known vulnerable libraries without a working proof of concept.\n* Stack traces, path disclosure, and directory listings.\n* Self-XSS or having a user paste JavaScript into the browser console.\n* Vulnerabilities in outdated versions of Grammarly software.\n* Issues relating to buggy non-Grammarly client software.\n* Vulnerabilities that rely on installed outdated third-party software (e.g., Windows 7, Flash, Java applets, and similar deprecated technologies) will be triaged as \"Low\" for critical actions and \"Informative\" for non-critical ones.\n* Reports that affect only outdated user agents or platforms. 
We only consider exploits in the latest versions of Safari, Firefox, Chrome, Edge, supported Android (Android \u003e 5.0) and iOS versions (iOS \u003e 10).\n* DLL hijacking vulnerabilities in the Desktop Editor reproducible on deprecated platforms (e.g., Windows 7).\n* Any activity that could lead to the disruption of our service (DoS).\n* Reports that include only crash dumps or other automated tool output without proof of concept code.\n* Open port scanning, banner grabbing, and software version disclosure issues.\n* **MITM attacks on secure connections** and “Mixed Content” issues are out of scope.\n* Issues related to the missing address bar in the Grammarly Desktop Editor. We’re aware of this issue affecting Electron apps serving web pages.\n* Vulnerabilities that require root-level or physical access on a targeted mobile device are out of scope.\n\n## Non-Qualifying best practices\n\n* Missing cookie flags on non-authentication cookies.\n* Missing best practices in DNS configuration (e.g., DKIM/DMARC/SPF/TXT).\n* Missing best practices in SSL/TLS configuration.\n* Missing best practices in Content Security Policy (CSP) or lack of other security-related headers.\n* Leakage of sensitive tokens (e.g., password reset tokens) to trusted third parties over a secure connection (HTTPS).\n\n## Non-Qualifying (business) issues\n\n* Institution access code enumeration or demonstrating access codes leaked on Internet forums.\n* Credential reuse from public dumps.\n* UUID enumeration of any kind.\n* Ability to determine whether a username or email has a Grammarly account, also known as an account oracle.\n* Signing up with multiple accounts to abuse referral code usage.\n* Password length, complexity, and reuse requirements.\n* Email verification feature.\n* Sharing Premium accounts with other users isn't considered a monetary impact.\n\nThank you for helping keep Grammarly and our users safe!\n\n## Consequences of Complying with This Policy aka Safe Harbor\n\nWe will not pursue a civil 
action or initiate a complaint to law enforcement for accidental, good-faith violations of this policy. We consider activities conducted consistently with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Acceptable Use Policy, we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you and you have complied with Grammarly’s bug bounty policy, Grammarly will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-06-04T11:51:16.751Z"},{"id":3611162,"new_policy":"Security and privacy are core concepts for Grammarly. Grammarly looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. 
\n\n# Rules for us\n\n- We respect the time and effort of our researchers.\n- We will respond **within 3 business days**.\n- We will try to make a bounty determination **after validating** a legitimate security issue **within 10 business days**.\n- We will not take legal action against you for playing by these rules.\n- We will do our best to keep you informed about our progress throughout the process.\n- We will not respond to threats or negotiate under duress.\n\n# Rules for you\n\n* Be an ethical hacker.\n* Respect other users’ privacy: only interact with Grammarly accounts you own or with the explicit permission of the account holder.\n* Make a good-faith effort to avoid testing that would result in privacy violations, destruction of data, or interruption or degradation of our service.\n* Let us know as soon as possible upon discovery of a potential security issue.\n* Contact us immediately if you do inadvertently encounter user data. Do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local information upon reporting the vulnerability to Grammarly. 
\n* Follow [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n* We reserve the right to disqualify individuals from the program for disrespectful or disruptive behavior.\n* We accept reports from hackers with a Signal higher than 1.0.\n\n# Scope\n\n## Focus Scope\n\nGrammarly is particularly interested in testing our **Native apps and clients, Desktop Editors, Mobile Keyboards, Add-On for Microsoft Word and Outlook**.\n\n### Native apps and clients\n\n* __Browser Extensions for Chrome, Safari, Firefox, Edge__ - A browser extension that's compatible with the supported versions of Chrome, Safari, Firefox, and Edge.\n\n* __Desktop Editors for Microsoft Windows and macOS__ – our Electron-powered desktop application for [macOS](https://www.grammarly.com/native/mac) and [Windows](https://www.grammarly.com/native/windows) where users can write and manage their documents as well as configure account settings.\n\n* __Add-On for Microsoft Word and Outlook__ - [Grammarly add-on](https://www.grammarly.com/office-addin/windows) for MS Word and Outlook for Windows. 
\n\n* __Mobile keyboards and applications for Android and iOS__ – our mobile apps and keyboards.\n\n## Standard Scope\n\nAll other assets listed in our “In Scope” table:\n- `capi.grammarly.com`\n- `data.grammarly.com`\n- `felog.grammarly.com`\n- `gnar.grammarly.com`\n- `app.grammarly.com`\n- `admin-panel.grammarly.com`\n- `irbis.grammarly.com`\n- `subscription.grammarly.com`\n- `institution.grammarly.com`\n- `www.grammarly.com`\n- `dox.grammarly.com`\n- `auth.grammarly.com`\n- `datareport.grammarly.com`\n- `proofit.com` and `*.proofit.com`\n- `grammarly.net` and `*.grammarly.net`\n- `grammarly.io` and `*.grammarly.io`\n- `food.grammarly.io`\n\n### Exclusions from the scope:\n\n- `anagram.grammarly.io` - out of scope.\n\n### Note about `grammarly.ai`\n\nWe’re already aware of certain issues found in `grammarly.ai`.\n\u003e This service doesn't handle, store or transfer any internal data or data of our users. Additionally, it is located in a separate VPC and isn't part of our infrastructure.\n\nWe accept only **critical submissions** (SSRF, XXE, SQLi, RCE) with clearly reproducible **proof of concept code**.\n\n\u003e _Reports that don't match these criteria will be closed as \"N/A\"._ \n\n### Note about `Office Add-In`\n\nVulnerabilities are eligible for submission if they’re reproducible on **any version of** Word/Outlook on Windows 7/10 with **all latest security patches applied**. The vulnerability should be tested on a system without additional SDKs and development kits. We cover your expenses (1 month) on a Word/Outlook license if the report turns out to be valid.\n\n# Rewards\n\n- When duplicates (including internally known issues) occur, we only award the first report that we receive.\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- Our rewards are based on the **impact** of a vulnerability, **attack requirements** and **scenario**.\n- We will try to conform with CVSSv3. 
However, certain exclusions might be possible.\n- The final reward decisions are up to the discretion of Grammarly.\n- We may calculate the severity and rewards of particular vulnerabilities in our client apps and web applications based on our User Agent and platform statistics.\n- If **your report pointed** our internal security team to a more severe bug, we will calculate your reward based **on the most severe bug we found internally.**\n- A report might be rewarded retroactively for a limited amount of time on a case-by-case basis.\n- We may award a Grammarly Premium account for particular \"Informative\" or \"Low\" severity bugs.\n- **The clarity of your report affects the potential reward:** If your report isn't clear enough (e.g., lacks proof of concept code), it may lower the bounty, despite the severity of the found issue. *This rule works vice versa too!*\n\n## Recommendations for reporting\n\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to demonstrate impact.\n- Multiple chained vulnerabilities submitted as one report will qualify for one bigger bounty. If you submit multiple linked vulnerabilities as different reports, we will award every vulnerability individually! Please remember this.\n- Reports that include proof of concept code will be more likely to be accepted.\n- Include how you found the bug, the impact, and any potential remediation. \n\n## Public disclosure\n\n- Public disclosure of the vulnerability prior to resolution may cancel a pending reward.\n- We reserve the right to not disclose the report or to disclose it only partially. (We may do this if the original report includes password hashes, config files, proprietary source code, any internal info, etc.)\n- We encourage public disclosure of your findings in our program!\n- We'd like to help out with your **write-ups about publicly disclosed bugs**. 
Feel free to send your write-up to security@grammarly.com!\n\n# Non-Qualifying Vulnerabilities\n\n- Reports about any vulnerability from the exclusion list below will most likely be closed as \"N/A\".\n- Submitting multiple N/A reports may result in you being excluded from participating in our program.\n\n## Common vulnerabilities excluded from the scope:\n\n* Social engineering (e.g., phishing, vishing, smishing) of Grammarly employees and users is strictly prohibited.\n* Clickjacking on pages without demonstrable impact (e.g., account takeover).\n* CSRF with minimal security implications (logout CSRF, etc.).\n* Content spoofing issues without showing an attack vector and without being able to modify both HTML and CSS.\n* CSV injection.\n* Previously known vulnerable libraries without a working proof of concept.\n* Stack traces, path disclosure, and directory listings.\n* Self-XSS or having a user paste JavaScript into the browser console.\n* Vulnerabilities in outdated versions of Grammarly software.\n* Issues relating to buggy non-Grammarly client software.\n* Vulnerabilities that rely on installed outdated third-party software (e.g., Windows 7, Flash, Java applets, and similar deprecated technologies) will be triaged as \"Low\" for critical actions and \"Informative\" for non-critical ones.\n* Reports that affect only outdated user agents or platforms. 
We only consider exploits in the latest versions of Safari, Firefox, Chrome, Edge, supported Android (Android \u003e 5.0) and iOS versions (iOS \u003e 10).\n* DLL hijacking vulnerabilities in the Desktop Editor reproducible on deprecated platforms (e.g., Windows 7).\n* Any activity that could lead to the disruption of our service (DoS).\n* Reports that include only crash dumps or other automated tool output without proof of concept code.\n* Open port scanning, banner grabbing, and software version disclosure issues.\n* **MITM attacks on secure connections** and “Mixed Content” issues are out of scope.\n* Issues related to the missing address bar in the Grammarly Desktop Editor. We’re aware of this issue affecting Electron apps serving web pages.\n* Vulnerabilities that require root-level or physical access on a targeted mobile device are out of scope.\n\n## Non-Qualifying best practices\n\n* Missing cookie flags on non-authentication cookies.\n* Missing best practices in DNS configuration (e.g., DKIM/DMARC/SPF/TXT).\n* Missing best practices in SSL/TLS configuration.\n* Missing best practices in Content Security Policy (CSP) or lack of other security-related headers.\n* Leakage of sensitive tokens (e.g., password reset tokens) to trusted third parties over a secure connection (HTTPS).\n\n## Non-Qualifying (business) issues\n\n* Institution access code enumeration or demonstrating access codes leaked on Internet forums.\n* Credential reuse from public dumps.\n* UUID enumeration of any kind.\n* Ability to determine whether a username or email has a Grammarly account, also known as an account oracle.\n* Signing up with multiple accounts to abuse referral code usage.\n* Password length, complexity, and reuse requirements.\n* Email verification feature.\n* Sharing Premium accounts with other users isn't considered a monetary impact.\n\nThank you for helping keep Grammarly and our users safe!\n\n## Consequences of Complying with This Policy aka Safe Harbor\n\nWe will not pursue a civil 
action or initiate a complaint to law enforcement for accidental, good-faith violations of this policy. We consider activities conducted consistently with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Acceptable Use Policy, we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you and you have complied with Grammarly’s bug bounty policy, Grammarly will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-06-04T11:44:59.020Z"},{"id":3611161,"new_policy":"Security and privacy are core concepts for Grammarly. Grammarly looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. 
\n\n# Rules for us\n\n- We respect the time and effort of our researchers.\n- We will respond **within 3 business days**.\n- We will try to make a bounty determination **after validating** a legitimate security issue **within 10 business days**.\n- We will not take legal action against you for playing by these rules.\n- We will do our best to keep you informed about our progress throughout the process.\n- We will not respond to threats or negotiate under duress.\n\n# Rules for you\n\n* Be an ethical hacker.\n* Respect other users’ privacy: only interact with Grammarly accounts you own or with the explicit permission of the account holder.\n* Make a good-faith effort to avoid testing that would result in privacy violations, destruction of data, or interruption or degradation of our service.\n* Let us know as soon as possible upon discovery of a potential security issue.\n* Contact us immediately if you do inadvertently encounter user data. Do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local information upon reporting the vulnerability to Grammarly. 
\n* Follow [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n* We reserve the right to disqualify individuals from the program for disrespectful or disruptive behavior.\n* We accept reports from hackers with a Signal higher than 1.0.\n\n# Scope\n\n## Focus Scope\n\nGrammarly is particularly interested in testing our **Native apps and clients, Desktop Editors, Mobile Keyboards, Add-On for Microsoft Word and Outlook**.\n\n### Native apps and clients\n\n* __Browser Extensions for Chrome, Safari, Firefox, Edge__ - A browser extension that's compatible with the supported versions of Chrome, Safari, Firefox, and Edge.\n\n* __Desktop Editors for Microsoft Windows and macOS__ – our Electron-powered desktop application for [macOS](https://www.grammarly.com/native/mac) and [Windows](https://www.grammarly.com/native/windows) where users can write and manage their documents as well as configure account settings.\n\n* __Add-On for Microsoft Word and Outlook__ - [Grammarly add-on](https://www.grammarly.com/office-addin/windows) for MS Word and Outlook for Windows. 
\n\n* __Mobile keyboards and applications for Android and iOS__ – our mobile apps and keyboards.\n\n## Standard Scope\n\nAll other assets listed in our “In Scope” table:\n- `capi.grammarly.com`\n- `data.grammarly.com`\n- `felog.grammarly.com`\n- `gnar.grammarly.com`\n- `app.grammarly.com`\n- `admin-panel.grammarly.com`\n- `irbis.grammarly.com`\n- `subscription.grammarly.com`\n- `institution.grammarly.com`\n- `www.grammarly.com`\n- `dox.grammarly.com`\n- `auth.grammarly.com`\n- `datareport.grammarly.com`\n- `proofit.com` and `*.proofit.com`\n- `grammarly.net` and `*.grammarly.net`\n- `grammarly.io` and `*.grammarly.io`\n- `food.grammarly.io`\n\n### Exclusions from the scope:\n\n- `anagram.grammarly.io` - out of scope.\n\n### Note about `grammarly.ai`\n\nWe’re already aware of certain issues found in `grammarly.ai`.\n\u003e This service doesn't handle, store or transfer any internal data or data of our users. Additionally, it is located in a separate VPC and isn't part of our infrastructure.\n\nWe accept only **critical submissions** (SSRF, XXE, SQLi, RCE) with clearly reproducible **proof of concept code**.\n\n\u003e _Reports that don't match these criteria will be closed as \"N/A\"._ \n\n### Note about `Office Add-In`\n\nVulnerabilities are eligible for submission if they’re reproducible on **any version of** Word/Outlook on Windows 7/10 with **all latest security patches applied**. The vulnerability should be tested on a system without additional SDKs and development kits. We cover your expenses (1 month) on a Word/Outlook license if the report turns out to be valid.\n\n# Rewards\n\n- When duplicates (including internally known issues) occur, we only award the first report that we receive.\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- Our rewards are based on the **impact** of a vulnerability, **attack requirements** and **scenario**.\n- We will try to conform with CVSSv3. 
However, certain exclusions might be possible.\n- The final reward decisions are up to the discretion of Grammarly.\n- We may calculate the severity and rewards of particular vulnerabilities in our client apps and web applications based on our User Agent and platform statistics.\n- If **your report pointed** our internal security team to a more severe bug, we will calculate your reward based **on the most severe bug we found internally.**\n- A report might be rewarded retroactively for a limited amount of time on a case-by-case basis.\n- We may award a Grammarly Premium account for particular \"Informative\" or \"Low\" severity bugs.\n- **The clarity of your report affects the potential reward:** If your report isn't clear enough (e.g., lacks proof of concept code), it may lower the bounty, despite the severity of the found issue. *This rule works vice versa too!*\n\n## Recommendations for reporting\n\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to demonstrate impact.\n- Multiple chained vulnerabilities submitted as one report will qualify for one bigger bounty. If you submit multiple linked vulnerabilities as different reports, we will award every vulnerability individually! Please remember this.\n- Reports that include proof of concept code will be more likely to be accepted.\n- Include how you found the bug, the impact, and any potential remediation. \n\n## Public disclosure\n\n- Public disclosure of the vulnerability prior to resolution may cancel a pending reward.\n- We reserve the right to not disclose the report or to disclose it only partially. (We may do this if the original report includes password hashes, config files, proprietary source code, any internal info, etc.)\n- We encourage public disclosure of your findings in our program!\n- We'd like to help out with your **write-ups about publicly disclosed bugs**. 
Feel free to send your write-up to security@grammarly.com!\n\n# Non-Qualifying Vulnerabilities\n\n- Reports about any vulnerability from the exclusion list below will most likely be closed as \"N/A\".\n- Submitting multiple N/A reports may result in you being excluded from participating in our program.\n\n## Common vulnerabilities excluded from the scope:\n\n* Social engineering (e.g., phishing, vishing, smishing) of Grammarly employees and users is strictly prohibited.\n* Clickjacking on pages without demonstrable impact (e.g., account takeover).\n* CSRF with minimal security implications (logout CSRF, etc.).\n* Content spoofing issues without showing an attack vector and without being able to modify both HTML and CSS.\n* CSV injection.\n* Previously known vulnerable libraries without a working proof of concept.\n* Stack traces, path disclosure, and directory listings.\n* Self-XSS or having a user paste JavaScript into the browser console.\n* Vulnerabilities in outdated versions of Grammarly software.\n* Issues relating to buggy non-Grammarly client software.\n* Vulnerabilities that rely on installed outdated third-party software (e.g., Windows 7, Flash, Java applets, and similar deprecated technologies) will be triaged as \"Low\" for critical actions and \"Informative\" for non-critical ones.\n* Reports that affect only outdated user agents or platforms. 
We only consider exploits in the latest versions of Safari, Firefox, Chrome, Edge, supported Android (Android \u003e 5.0) and iOS versions (iOS \u003e 10).\n* DLL hijacking vulnerabilities in the Desktop Editor reproducible on deprecated platforms (e.g., Windows 7).\n* Any activity that could lead to the disruption of our service (DoS).\n* Reports that include only crash dumps or other automated tool output without proof of concept code.\n* Open port scanning, banner grabbing, and software version disclosure issues.\n* **MITM attacks on secure connections** and “Mixed Content” issues are out of scope.\n* Issues related to the missing address bar in the Grammarly Desktop Editor. We’re aware of this issue affecting Electron apps serving web pages.\n* Vulnerabilities that require root-level or physical access on a targeted mobile device are out of scope.\n\n## Non-Qualifying best practices\n\n* Missing cookie flags on non-authentication cookies.\n* Missing best practices in DNS configuration (e.g., DKIM/DMARC/SPF/TXT).\n* Missing best practices in SSL/TLS configuration.\n* Missing best practices in Content Security Policy (CSP) or lack of other security-related headers.\n* Leakage of sensitive tokens (e.g., password reset tokens) to trusted third parties over a secure connection (HTTPS).\n\n## Non-Qualifying (business) issues\n\n* Institution access code enumeration or demonstrating access codes leaked on Internet forums.\n* Credential reuse from public dumps.\n* UUID enumeration of any kind.\n* Ability to determine whether a username or email has a Grammarly account, also known as an account oracle.\n* Signing up with multiple accounts to abuse referral code usage.\n* Password length, complexity, and reuse requirements.\n* Email verification feature.\n* Sharing Premium accounts with other users isn't considered a monetary impact.\n\nThank you for helping keep Grammarly and our users safe!\n\n## Consequences of Complying with This Policy aka Safe Harbor\n\nWe will not pursue a civil 
action or initiate a complaint to law enforcement for accidental, good-faith violations of this policy. We consider activities conducted consistently with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Acceptable Use Policy, we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you and you have complied with Grammarly’s bug bounty policy, Grammarly will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-06-04T11:44:19.466Z"},{"id":3609223,"new_policy":"Security and privacy are core concepts for Grammarly. Grammarly looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. 
\n\n# Rules for us\n\n- We respect the time and effort of our researchers.\n- We will respond **within 3 business days**.\n- We will try to make a bounty determination **after validating** a legitimate security issue **within 10 business days**.\n- We will not take legal action against you for playing by these rules.\n- We will do our best to keep you informed about our progress throughout the process.\n- We will not respond to threats or negotiate under duress.\n\n# Rules for you\n\n* Be an ethical hacker.\n* Respect other users’ privacy: only interact with Grammarly accounts you own or with the explicit permission of the account holder.\n* Make a good-faith effort to avoid testing that would result in privacy violations, destruction of data or interruption or degradation of our service.\n* Let us know as soon as possible upon discovery of a potential security issue.\n* Contact us immediately if you do inadvertently encounter user data. Do not view, alter, save, store, transfer, or otherwise access the data and immediately purge any local information upon reporting the vulnerability to Grammarly. 
\n* Follow [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n* We reserve the right to disqualify individuals from the program for disrespectful or disruptive behavior.\n* We accept reports from hackers with a Signal higher than 1.0.\n\n# Scope\n\n## Focus Scope\n\nGrammarly is particularly interested in testing our **Native apps and clients, Desktop Editors, Mobile Keyboards, Add-On for Microsoft Word and Outlook**.\n\n### Native apps and clients\n\n* __Browser Extensions for Chrome, Safari, Firefox, Edge__ - A browser extension that's compatible with the supported versions of Chrome, Safari, Firefox, and Edge.\n\n* __Desktop Editors for Microsoft Windows and macOS__ – our Electron-powered desktop application for [macOS](https://www.grammarly.com/native/mac) and [Windows](https://www.grammarly.com/native/windows) where users can write and manage their documents as well as configure account settings.\n\n* __Add-On for Microsoft Word and Outlook__ - [Grammarly add-on](https://www.grammarly.com/office-addin/windows) for MS Word and Outlook for Windows. \n\n* __Mobile keyboards and applications for Android and iOS__ – our mobile apps and keyboards.\n\n* __WAF__ - bugs leading to a **direct bypass** of our firewall are eligible for a focus scope bounty. 
Bugs that rely on hijacking cookies of our employees or using our employees' devices as a proxy don’t fall into this category.\n\n## Standard Scope\n\nAll other assets listed in our “In Scope” table:\n- `capi.grammarly.com`\n- `data.grammarly.com`\n- `felog.grammarly.com`\n- `gnar.grammarly.com`\n- `app.grammarly.com`\n- `admin-panel.grammarly.com`\n- `irbis.grammarly.com`\n- `subscription.grammarly.com`\n- `institution.grammarly.com`\n- `www.grammarly.com`\n- `dox.grammarly.com`\n- `auth.grammarly.com`\n- `datareport.grammarly.com`\n- `proofit.com` and `*.proofit.com`\n- `grammarly.net` and `*.grammarly.net`\n- `grammarly.io` and `*.grammarly.io`\n- `food.grammarly.io`\n\n### Exclusions from the scope:\n\n- `anagram.grammarly.io` - out of scope.\n\n### Note about `grammarly.ai`\n\nWe’re already aware of certain issues found in `grammarly.ai`.\n\u003e This service doesn't handle, store or transfer any internal data or data of our users. Additionally, it is located in a separate VPC and isn't part of our infrastructure.\nWe accept only **critical submissions** (SSRF, XXE, SQLi, RCE) with clearly reproducible **proof-of-concept code**.\n\n\u003e _Reports that don't match these criteria will be closed as \"N/A\"._ \n\n### Note about `Office Add-In`\n\nVulnerabilities are eligible for submission if they’re reproducible on **any version of** Word/Outlook on Windows 7/10 with **all latest security patches applied**. The vulnerability should be tested on a system without additional SDKs and development kits. We cover your expenses (1 month) on a Word/Outlook license if the report turns out to be valid.\n\n# Rewards\n\n- When duplicates (including internally known issues) occur, we only award the first report that we receive.\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- Our rewards are based on the **impact** of a vulnerability, **attack requirements** and **scenario**.\n- We will try to conform to CVSSv3. 
However, certain exclusions might be possible.\n- The final reward decisions are up to the discretion of Grammarly.\n- We may calculate the severity and rewards of particular vulnerabilities in our client apps and web applications based on our user-agent and platform statistics.\n- **Clarity of your report affects the potential reward:** If your report isn't clear enough (e.g., lacks proof-of-concept code), it may lower the bounty, despite the severity of the found issue. *This rule works vice versa too!*\n\n### \"Hacker-friendly\" program\n\n- If **your report pointed** our internal security team to a more severe bug, we will calculate your reward based **on the most severe bug we found internally.**\n- Unusual bugs, tricks, or bypasses might receive an extra reward.\n- A report might be rewarded retroactively for a limited amount of time on a case-by-case basis.\n- We may award a Grammarly Premium account for particular \"Informative\" or \"Low\" severity bugs.\n\n## Recommendations for reporting\n\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* Multiple chained vulnerabilities submitted as one report will qualify for one bigger bounty. If you submit multiple linked vulnerabilities as different reports, we will award every vulnerability individually! Please remember this.\n* Reports that include proof-of-concept code will be more likely to be accepted.\n* Include how you found the bug, the impact, and any potential remediation. \n\n## Public disclosure\n\n- Public disclosure of the vulnerability prior to resolution may cancel a pending reward.\n- We reserve the right to not disclose the report or to disclose it only partially. (We may do this if the original report includes password hashes, config files, proprietary source code, any internal info, etc.)\n- We encourage public disclosure of your findings in our program!\n- We'd like to help out with your **write-ups about publicly disclosed bugs**. 
Feel free to send your write-up to security@grammarly.com!\n\n# Non-Qualifying Vulnerabilities\n\n- Reports about any vulnerability from the exclusion list below will most likely be closed as \"N/A\".\n- Submitting multiple N/A reports may result in you being excluded from participating in our program.\n\n## Common vulnerabilities excluded from the scope:\n\n* Social engineering (e.g., phishing, vishing, smishing) of Grammarly employees and users is strictly prohibited.\n* Clickjacking on pages without demonstrable impact (e.g., account takeover).\n* CSRF with minimal security implications (logout CSRF, etc.).\n* Content spoofing issues without showing an attack vector and without being able to modify both HTML and CSS.\n* CSV injection.\n* Previously known vulnerable libraries without a working proof of concept.\n* Vulnerabilities in outdated versions of Grammarly software.\n* Issues relating to buggy non-Grammarly client software.\n* Stack traces, path disclosure, and directory listings.\n* Self-XSS or having a user paste JavaScript into the browser console.\n* Vulnerabilities that rely on installed outdated third-party software (e.g., Windows 7, Flash, Java applets, and similar deprecated technologies) will be triaged as \"Low\" for critical actions and \"Informative\" for non-critical ones.\n* Reports that affect only outdated user agents or app versions. 
We only consider exploits in the latest browser versions for Safari, Firefox, Chrome, Edge, IE and the versions of our applications that are currently in the app stores.\n* DLL hijacking vulnerability in Desktop Editor reproducible on deprecated platforms (e.g., Windows 7).\n* Any activity that could lead to the disruption of our service (DoS).\n* Attacks requiring physical access to a user's device.\n* Reports that include only crash dumps or other automated tool output without proof-of-concept code.\n* **Open redirect** vulnerabilities that do not demonstrate a clear impact, such as sending secret tokens to an arbitrary domain, are out of scope.\n* Open port scanning, banner grabbing, and software version disclosure issues.\n* **MITM attacks on secure connections** and “Mixed Content” issues are out of scope.\n* Issues related to the missing address bar in Grammarly Desktop Editor. We’re aware of this issue affecting Electron apps serving web pages.\n* Vulnerabilities that require root-level access on a targeted mobile device are out of scope.\n\n## Non-Qualifying best practices\n\n* Missing cookie flags on non-authentication cookies.\n* Missing best practices in DNS configuration (e.g. 
DKIM/DMARC/SPF/TXT).\n* Missing best practices in SSL/TLS configuration.\n* Missing best practices in Content Security Policy (CSP) or lack of other security-related headers.\n* Leakage of sensitive tokens (e.g., password reset token) to trusted third parties over a secure connection (HTTPS).\n\n## Non-Qualifying (business) issues\n\n* Institution access code enumeration or demonstrating access codes leaked in Internet forums.\n* Credential reuse from public dumps.\n* UUID enumeration of any kind.\n* Ability to determine if a username or email has a Grammarly account, also known as an account oracle.\n* Signing up with multiple accounts to abuse referral code usage.\n* Password length, complexity, and re-use requirements.\n* Email verification feature.\n* Sharing Premium accounts with other users isn't considered a monetary impact.\n\nThank you for helping keep Grammarly and our users safe!\n\n## Consequences of Complying with This Policy aka Safe Harbor\n\nWe will not pursue a civil action or initiate a complaint to law enforcement for accidental, good-faith violations of this policy. We consider activities conducted consistently with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Acceptable Use Policy, we waive those restrictions for the limited purpose of permitting security research under this policy. 
We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you and you have complied with Grammarly’s bug bounty policy, Grammarly will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\n\n# A note from our internal security team\n\n## Things we do like:\n\n- Rewarding talented researchers with huge bounties.\n- Extra-rewarding researchers for multiple \"Medium\"/\"High\" security issues.\n- Easily reproducible PoCs (e.g., with curl).\n- A clear \"Impact\" section in your reports.\n\n## Things we don't like:\n\n- Speculative researchers and speculative reports.\n- Violations of program rules.\n- Theoretically exploitable issues without clear proof of exploitability.\n- Unethical hacking: saving/modifying/selling our data intentionally.\n- Copy-pasted reports from the “public disclosure” section on HackerOne.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-05-10T10:23:59.042Z"},{"id":3607242,"new_policy":"Security and privacy are core concepts for Grammarly. Grammarly looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. 
\n\n# Rules for us\n\n- We respect the time and effort of our researchers.\n- We will respond **within 3 business days**.\n- We will try to make a bounty determination **after validating** a legitimate security issue **within 10 business days**.\n- We will not take legal action against you for playing by these rules.\n- We will do our best to keep you informed about our progress throughout the process.\n- We will not respond to threats or negotiate under duress.\n\n# Rules for you\n\n* Be an ethical hacker.\n* Respect other users’ privacy: only interact with Grammarly accounts you own or with the explicit permission of the account holder.\n* Make a good-faith effort to avoid testing that would result in privacy violations, destruction of data or interruption or degradation of our service.\n* Let us know as soon as possible upon discovery of a potential security issue.\n* Contact us immediately if you do inadvertently encounter user data. Do not view, alter, save, store, transfer, or otherwise access the data and immediately purge any local information upon reporting the vulnerability to Grammarly. 
\n* Follow [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n* We reserve the right to disqualify individuals from the program for disrespectful or disruptive behavior.\n* We accept reports from hackers with a Signal higher than 1.0.\n\n# Scope\n\n## Focus Scope\n\nGrammarly is particularly interested in testing our **Native apps and clients, Desktop Editors, Mobile Keyboards, Add-On for Microsoft Word and Outlook**.\n\n### Native apps and clients\n\n* __Browser Extensions for Chrome, Safari, Firefox, Edge__ - A browser extension that's compatible with the supported versions of Chrome, Safari, Firefox, and Edge.\n\n* __Desktop Editors for Microsoft Windows and macOS__ – our Electron-powered desktop application for [macOS](https://www.grammarly.com/native/mac) and [Windows](https://www.grammarly.com/native/windows) where users can write and manage their documents as well as configure account settings.\n\n* __Add-On for Microsoft Word and Outlook__ - [Grammarly add-on](https://www.grammarly.com/office-addin/windows) for MS Word and Outlook for Windows. \n\n* __Mobile keyboards and applications for Android and iOS__ – our mobile apps and keyboards.\n\n* __WAF__* - bugs leading to **direct bypass** of our firewall are eligible for the focus scope bounty. 
Bugs that rely on hijacking cookies of our employees or using our employees' devices as a proxy don’t fall into this category.\n\n## Standard Scope\n\nAll other assets listed in our “In Scope” table:\n- `capi.grammarly.com`\n- `data.grammarly.com`\n- `felog.grammarly.com`\n- `gnar.grammarly.com`\n- `app.grammarly.com`\n- `admin-panel.grammarly.com`\n- `irbis.grammarly.com`\n- `subscription.grammarly.com`\n- `institution.grammarly.com`\n- `www.grammarly.com`\n- `dox.grammarly.com`\n- `auth.grammarly.com`\n- `datareport.grammarly.com`\n- `proofit.com` and `*.proofit.com`\n- `grammarly.net` and `*.grammarly.net`\n- `grammarly.io` and `*.grammarly.io`\n- `food.grammarly.io`\n\n### Exclusions from the scope:\n\n- `anagram.grammarly.io` - out of scope.\n\n### Note about `grammarly.ai`\n\nWe’re already aware of certain issues found in `grammarly.ai`.\n\u003e This service doesn't handle, store or transfer any internal data or data of our users. Additionally, it is located in a separate VPC and isn't part of our infrastructure.\nWe accept only **critical submissions** (SSRF, XXE, SQLi, RCE) with clearly reproducible **proof-of-concept code**.\n\n\u003e _Reports that don't match these criteria will be closed as \"N/A\"._ \n\n### Note about `Office Add-In`\n\nVulnerabilities are eligible for submission if they’re reproducible on **any version of** Word/Outlook on Windows 7/10 with **all latest security patches applied**. The vulnerability should be tested on a system without additional SDKs and development kits. We cover your expenses (1 month) on a Word/Outlook license if the report turns out to be valid.\n\n# Rewards\n\n- When duplicates (including internally known issues) occur, we only award the first report that we receive.\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- Our rewards are based on the **impact** of a vulnerability, **attack requirements** and **scenario**.\n- We will try to conform to CVSSv3. 
However, certain exclusions might be possible.\n- The final reward decisions are up to the discretion of Grammarly.\n- We may calculate the severity and rewards of particular vulnerabilities in our client apps and web applications based on our user-agent and platform statistics.\n- **Clarity of your report affects the potential reward:** If your report isn't clear enough (e.g., lacks proof-of-concept code), it may lower the bounty, despite the severity of the found issue. *This rule works vice versa too!*\n\n### \"Hacker-friendly\" program\n\n- If **your report pointed** our internal security team to a more severe bug, we will calculate your reward based **on the most severe bug we found internally.**\n- Unusual bugs, tricks, or bypasses might receive an extra reward.\n- A report might be rewarded retroactively for a limited amount of time on a case-by-case basis.\n- We may award a Grammarly Premium account for particular \"Informative\" or \"Low\" severity bugs.\n- We will increase the rewards for eligible reports if they are submitted in the form of **`curl`** or **[puppeteer](https://pptr.dev)** scripts **automating exploitation of the vulnerability** (i.e., an exploit) and contributed under the **MIT license**, which must be attached to the script. To be eligible for a bonus, your exploit must be attached before the bug is fixed. \n\n## Recommendations for reporting\n\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* Multiple chained vulnerabilities submitted as one report will qualify for one bigger bounty. If you submit multiple linked vulnerabilities as different reports, we will award every vulnerability individually! Please remember this.\n* Reports that include proof-of-concept code will be more likely to be accepted.\n* Include how you found the bug, the impact, and any potential remediation. 
\n\n## Public disclosure\n\n- Public disclosure of the vulnerability prior to resolution may cancel a pending reward.\n- We reserve the right to not disclose the report or to disclose it only partially. (We may do this if the original report includes password hashes, config files, proprietary source code, any internal info, etc.)\n- We encourage public disclosure of your findings in our program!\n- We'd like to help out with your **write-ups about publicly disclosed bugs**. Feel free to send your write-up to security@grammarly.com!\n\n# Non-Qualifying Vulnerabilities\n\n- Reports about any vulnerability from the exclusion list below will most likely be closed as \"N/A\".\n- Submitting multiple N/A reports may result in you being excluded from participating in our program.\n\n## Common vulnerabilities excluded from the scope:\n\n* Social engineering (e.g., phishing, vishing, smishing) of Grammarly employees and users is strictly prohibited.\n* Clickjacking on pages without demonstrable impact (e.g., account takeover).\n* CSRF with minimal security implications (logout CSRF, etc.).\n* Content spoofing issues without showing an attack vector and without being able to modify both HTML and CSS.\n* CSV injection.\n* Previously known vulnerable libraries without a working proof of concept.\n* Vulnerabilities in outdated versions of Grammarly software.\n* Issues relating to buggy non-Grammarly client software.\n* Stack traces, path disclosure, and directory listings.\n* Self-XSS or having a user paste JavaScript into the browser console.\n* Vulnerabilities that rely on installed outdated third-party software (e.g., Windows 7, Flash, Java applets, and similar deprecated technologies) will be triaged as \"Low\" for critical actions and \"Informative\" for non-critical ones.\n* Reports that affect only outdated user agents or app versions. 
We only consider exploits in the latest browser versions for Safari, Firefox, Chrome, Edge, IE and the versions of our applications that are currently in the app stores.\n* DLL hijacking vulnerability in Desktop Editor reproducible on deprecated platforms (e.g., Windows 7).\n* Any activity that could lead to the disruption of our service (DoS).\n* Attacks requiring physical access to a user's device.\n* Reports that include only crash dumps or other automated tool output without proof-of-concept code.\n* **Open redirect** vulnerabilities that do not demonstrate a clear impact, such as sending secret tokens to an arbitrary domain, are out of scope.\n* Open port scanning, banner grabbing, and software version disclosure issues.\n* **MITM attacks on secure connections** and “Mixed Content” issues are out of scope.\n* Issues related to the missing address bar in Grammarly Desktop Editor. We’re aware of this issue affecting Electron apps serving web pages.\n* Vulnerabilities that require root-level access on a targeted mobile device are out of scope.\n\n## Non-Qualifying best practices\n\n* Missing cookie flags on non-authentication cookies.\n* Missing best practices in DNS configuration (e.g. 
DKIM/DMARC/SPF/TXT).\n* Missing best practices in SSL/TLS configuration.\n* Missing best practices in Content Security Policy (CSP) or lack of other security-related headers.\n* Leakage of sensitive tokens (e.g., password reset token) to trusted third parties over a secure connection (HTTPS).\n\n## Non-Qualifying (business) issues\n\n* Institution access code enumeration or demonstrating access codes leaked in Internet forums.\n* Credential reuse from public dumps.\n* UUID enumeration of any kind.\n* Ability to determine if a username or email has a Grammarly account, also known as an account oracle.\n* Signing up with multiple accounts to abuse referral code usage.\n* Password length, complexity, and re-use requirements.\n* Email verification feature.\n* Sharing Premium accounts with other users isn't considered a monetary impact.\n\nThank you for helping keep Grammarly and our users safe!\n\n## Consequences of Complying with This Policy aka Safe Harbor\n\nWe will not pursue a civil action or initiate a complaint to law enforcement for accidental, good-faith violations of this policy. We consider activities conducted consistently with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Acceptable Use Policy, we waive those restrictions for the limited purpose of permitting security research under this policy. 
We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you and you have complied with Grammarly’s bug bounty policy, Grammarly will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\n\n# A note from our internal security team\n\n## Things we do like:\n\n- Rewarding talented researchers with huge bounties.\n- Extra-rewarding researchers for multiple \"Medium\"/\"High\" security issues.\n- Easily reproducible PoCs (e.g., with curl).\n- A clear Impact section in your reports.\n\n## Things we don't like:\n\n- Speculative researchers and speculative reports.\n- Violations of program rules.\n- Theoretically exploitable issues without clear proof of exploitability.\n- Unethical hacking: saving/modifying/selling our data intentionally.\n- Copy-pasted reports from the “public disclosure” section on HackerOne.\n\n## Where to start?\n\n- The Office Add-in is a particularly interesting target.\n- We especially like reports about our browser extensions.\n- We have good CSRF protection.\n- We are waiting for your XXE reports (don't forget a PoC).\n- Our Electron app is already hardened with `contextIsolation` and `nodeintegration`.\n- WAF is a great target for experienced web hackers.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-04-09T16:53:51.368Z"},{"id":3607145,"new_policy":"Security and privacy are core concepts for Grammarly. 
Grammarly looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n# Rules for us\n\n- We respect the time and effort of our researchers.\n- We will respond **within 3 business days**.\n- We will try to make a bounty determination **after validating** a legitimate security issue **within 10 business days**.\n- We will not take legal action against you for playing by these rules.\n- We will do our best to keep you informed about our progress throughout the process.\n- We will not respond to threats or negotiate under duress.\n\n# Rules for you\n\n* Be an ethical hacker.\n* Respect other users’ privacy: only interact with Grammarly accounts you own or with the explicit permission of the account holder.\n* Make a good-faith effort to avoid testing that would result in privacy violations, destruction of data or interruption or degradation of our service.\n* Let us know as soon as possible upon discovery of a potential security issue.\n* Contact us immediately if you do inadvertently encounter user data. Do not view, alter, save, store, transfer, or otherwise access the data and immediately purge any local information upon reporting the vulnerability to Grammarly. 
\n* Follow [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n* We reserve the right to disqualify individuals from the program for disrespectful or disruptive behavior.\n* We accept reports from hackers with a Signal higher than 1.0.\n\n# Scope\n\n## Focus Scope\n\nGrammarly is particularly interested in testing our **Native apps and clients, Desktop Editors, Mobile Keyboards, Add-On for Microsoft Word and Outlook**.\n\n### Native apps and clients\n\n* __Browser Extensions for Chrome, Safari, Firefox, Edge__ - A browser extension that's compatible with the supported versions of Chrome, Safari, Firefox, and Edge.\n\n* __Desktop Editors for Microsoft Windows and macOS__ – our Electron-powered desktop application for [macOS](https://www.grammarly.com/native/mac) and [Windows](https://www.grammarly.com/native/windows) where users can write and manage their documents as well as configure account settings.\n\n* __Add-On for Microsoft Word and Outlook__ - [Grammarly add-on](https://www.grammarly.com/office-addin/windows) for MS Word and Outlook for Windows. \n\n* __Mobile keyboards and applications for Android and iOS__ – our mobile apps and keyboards.\n\n* __WAF__* - bugs leading to **direct bypass** of our firewall are eligible for the focus scope bounty. 
Bugs that rely on hijacking cookies of our employees or using our employees' devices as a proxy don’t fall into this category.\n\n## Standard Scope\n\nAll other assets listed in our “In Scope” table:\n- `capi.grammarly.com`\n- `data.grammarly.com`\n- `felog.grammarly.com`\n- `gnar.grammarly.com`\n- `app.grammarly.com`\n- `admin-panel.grammarly.com`\n- `irbis.grammarly.com`\n- `subscription.grammarly.com`\n- `institution.grammarly.com`\n- `www.grammarly.com`\n- `dox.grammarly.com`\n- `auth.grammarly.com`\n- `datareport.grammarly.com`\n- `proofit.com` and `*.proofit.com`\n- `grammarly.net` and `*.grammarly.net`\n- `grammarly.io` and `*.grammarly.io`\n\n### Exclusions from the scope:\n\n- `anagram.grammarly.io` - out of scope.\n\n### Note about `grammarly.ai`\n\nWe’re already aware of certain issues found in `grammarly.ai`.\n\u003e This service doesn't handle, store or transfer any internal data or data of our users. Additionally, it is located in a separate VPC and isn't part of our infrastructure.\nWe accept only **critical submissions** (SSRF, XXE, SQLi, RCE) with clearly reproducible **proof-of-concept code**.\n\n\u003e _Reports that don't match these criteria will be closed as \"N/A\"._ \n\n### Note about `Office Add-In`\n\nVulnerabilities are eligible for submission if they’re reproducible on **any version of** Word/Outlook on Windows 7/10 with **all latest security patches applied**. The vulnerability should be tested on a system without additional SDKs and development kits. We cover your expenses (1 month) on a Word/Outlook license if the report turns out to be valid.\n\n# Rewards\n\n- When duplicates (including internally known issues) occur, we only award the first report that we receive.\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- Our rewards are based on the **impact** of a vulnerability, **attack requirements** and **scenario**.\n- We will try to conform to CVSSv3. 
However, certain exclusions might be possible.\n- The final reward decisions are up to the discretion of Grammarly.\n- We may calculate the severity and rewards of particular vulnerabilities in our client apps and web applications based on our user-agent and platform statistics.\n- **Clarity of your report affects the potential reward:** If your report isn't clear enough (e.g., lacks proof-of-concept code), it may lower the bounty, despite the severity of the found issue. *This rule works vice versa too!*\n\n### \"Hacker-friendly\" program\n\n- If **your report pointed** our internal security team to a more severe bug, we will calculate your reward based **on the most severe bug we found internally.**\n- Unusual bugs, tricks, or bypasses might receive an extra reward.\n- A report might be rewarded retroactively for a limited amount of time on a case-by-case basis.\n- We may award a Grammarly Premium account for particular \"Informative\" or \"Low\" severity bugs.\n- We will increase the rewards for eligible reports if they are submitted in the form of **`curl`** or **[puppeteer](https://pptr.dev)** scripts **automating exploitation of the vulnerability** (i.e., an exploit) and contributed under the **MIT license**, which must be attached to the script. To be eligible for a bonus, your exploit must be attached before the bug is fixed. \n\n## Recommendations for reporting\n\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* Multiple chained vulnerabilities submitted as one report will qualify for one bigger bounty. If you submit multiple linked vulnerabilities as different reports, we will award every vulnerability individually! Please remember this.\n* Reports that include proof-of-concept code will be more likely to be accepted.\n* Include how you found the bug, the impact, and any potential remediation. 
\n\n## Public disclosure\n\n- Public disclosure of the vulnerability prior to resolution may cancel a pending reward.\n- We reserve the right to not disclose the report or to disclose it only partially. (We may do this if the original report includes password hashes, config files, proprietary source code, any internal info, etc.)\n- We encourage public disclosure of your findings in our program!\n- We'd like to help out with your **write-ups about publicly disclosed bugs**. Feel free to send your write-up to security@grammarly.com!\n\n# Non-Qualifying Vulnerabilities\n\n- Reports about any vulnerability from the exclusion list below will most likely be closed as \"N/A\".\n- Submitting multiple N/A reports may result in you being excluded from participating in our program.\n\n## Common vulnerabilities excluded from the scope:\n\n* Social engineering (e.g., phishing, vishing, smishing) of Grammarly employees and users is strictly prohibited.\n* Clickjacking on pages without demonstrable impact (e.g., account takeover).\n* CSRF with minimal security implications (logout CSRF, etc.).\n* Content spoofing issues without showing an attack vector and without being able to modify both HTML and CSS.\n* CSV injection.\n* Previously known vulnerable libraries without a working proof of concept.\n* Vulnerabilities in outdated versions of Grammarly software.\n* Issues relating to buggy non-Grammarly client software.\n* Stack traces, path disclosure, and directory listings.\n* Self-XSS or having a user paste JavaScript into the browser console.\n* Vulnerabilities that rely on installed outdated third-party software (e.g., Windows 7, Flash, Java applets, and similar deprecated technologies) will be triaged as \"Low\" for critical actions and \"Informative\" for non-critical ones.\n* Reports that affect only outdated user agents or app versions. 
We only consider exploits in the latest browser versions for Safari, Firefox, Chrome, Edge, IE and the versions of our applications that are currently in the app stores.\n* DLL hijacking vulnerability in Desktop Editor reproducible on deprecated platforms (e.g., Windows 7).\n* Any activity that could lead to the disruption of our service (DoS).\n* Attacks requiring physical access to a user's device.\n* Reports that include only crash dumps or other automated tool output without proof-of-concept code.\n* **Open redirect** vulnerabilities that do not demonstrate a clear impact, such as sending secret tokens to an arbitrary domain, are out of scope.\n* Open port scanning, banner grabbing, and software version disclosure issues.\n* **MITM attacks on secure connections** and “Mixed Content” issues are out of scope.\n* Issues related to the missing address bar in Grammarly Desktop Editor. We’re aware of this issue affecting Electron apps serving web pages.\n* Vulnerabilities that require root-level access on a targeted mobile device are out of scope.\n\n## Non-Qualifying best practices\n\n* Missing cookie flags on non-authentication cookies.\n* Missing best practices in DNS configuration (e.g. 
DKIM/DMARC/SPF/TXT).\n* Missing best practices in SSL/TLS configuration.\n* Missing best practices in Content Security Policy (CSP) or lack of other security-related headers.\n* Leakage of sensitive tokens (e.g., password reset token) to trusted third parties over a secure connection (HTTPS).\n\n## Non-Qualifying (business) issues\n\n* Institution access code enumeration or demonstrating access codes leaked in Internet forums.\n* Credential reuse from public dumps.\n* UUID enumeration of any kind.\n* Ability to determine if a username or email has a Grammarly account, also known as an account oracle.\n* Signing up with multiple accounts to abuse referral code usage.\n* Password length, complexity, and re-use requirements.\n* Email verification feature.\n* Sharing Premium accounts with other users isn't considered a monetary impact.\n\nThank you for helping keep Grammarly and our users safe!\n\n## Consequences of Complying with This Policy aka Safe Harbor\n\nWe will not pursue a civil action or initiate a complaint to law enforcement for accidental, good-faith violations of this policy. We consider activities conducted consistently with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Acceptable Use Policy, we waive those restrictions for the limited purpose of permitting security research under this policy. 
We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you and you have complied with Grammarly’s bug bounty policy, Grammarly will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\n# A note from our internal security team\n\n## Things we do like:\n\n- Rewarding talented researchers with huge bounties.\n- Extra-rewarding researchers for multiple \"Medium\"/\"High\" security issues.\n- Easily reproducible PoCs (e.g., with curl).\n- A clear Impact section in your reports.\n\n## Things we don't like:\n\n- Speculative researchers and speculative reports.\n- Violations of program rules.\n- Theoretically exploitable issues without clear proof of exploitability.\n- Unethical hacking: saving/modifying/selling our data intentionally.\n- Copy-pasted reports from the “public disclosure” section on HackerOne.\n\n## Where to start?\n\n- The Office Add-in is a particularly interesting target.\n- We especially like reports about our browser extensions.\n- We have good CSRF protection.\n- We are waiting for your XXE reports (don't forget a PoC).\n- Our Electron app is already hardened with `contextIsolation` and `nodeintegration`.\n- The WAF is a great target for experienced web hackers.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-04-08T14:30:39.838Z"},{"id":3601657,"new_policy":"Security and privacy are core concepts for Grammarly. 
Grammarly looks forward to working with the security community to find security vulnerabilities in order to keep our business and customers safe.\n\n# Rules for us\n\n- We respect the time and effort of our researchers.\n- We will respond **within 3 business days**.\n- We will try to make a bounty determination **after validating** a legitimate security issue **within 10 business days**.\n- We will not take legal action against you for playing by these rules.\n- We will do our best to keep you informed about our progress throughout the process.\n- We will not respond to threats or negotiate under duress.\n\n# Rules for you\n\n* Be an ethical hacker.\n* Respect other users’ privacy: only interact with Grammarly accounts you own or with the explicit permission of the account holder.\n* Make a good-faith effort to avoid testing that would result in privacy violations, destruction of data, or interruption or degradation of our service.\n* Let us know as soon as possible upon discovery of a potential security issue.\n* Contact us immediately if you do inadvertently encounter user data. Do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local information upon reporting the vulnerability to Grammarly. 
\n* Follow [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n* We reserve the right to disqualify individuals from the program for disrespectful or disruptive behavior.\n* We accept reports from hackers with a Signal higher than 1.0.\n\n# Scope\n\n## Focus Scope\n\nGrammarly is particularly interested in testing our **Native apps and clients, Desktop Editors, Mobile Keyboards, and Add-On for Microsoft Word and Outlook**.\n\n### Native apps and clients\n\n* __Browser Extensions for Chrome, Safari, Firefox, Edge__ - A browser extension that's compatible with the supported versions of Chrome, Safari, Firefox, and Edge.\n\n* __Desktop Editors for Microsoft Windows and macOS__ – our Electron-powered desktop application for [macOS](https://www.grammarly.com/native/mac) and [Windows](https://www.grammarly.com/native/windows) where users can write and manage their documents as well as configure account settings.\n\n* __Add-On for Microsoft Word and Outlook__ - [Grammarly add-on](https://www.grammarly.com/office-addin/windows) for MS Word and Outlook for Windows.\n\n* __Mobile keyboards and applications for Android and iOS__ – our mobile apps and keyboards.\n\n* __WAF__ - bugs leading to a **direct bypass** of our firewall are eligible for the focus scope bounty. 
Bugs that rely on hijacking cookies of our employees or using our employees' devices as a proxy don’t fall into this category.\n\n## Standard Scope\n\nAll other assets listed in our “In Scope” table:\n- `capi.grammarly.com`\n- `data.grammarly.com`\n- `felog.grammarly.com`\n- `gnar.grammarly.com`\n- `app.grammarly.com`\n- `admin-panel.grammarly.com`\n- `irbis.grammarly.com`\n- `subscription.grammarly.com`\n- `institution.grammarly.com`\n- `www.grammarly.com`\n- `dox.grammarly.com`\n- `auth.grammarly.com`\n- `datareport.grammarly.com`\n- `proofit.com` and `*.proofit.com`\n- `grammarly.net` and `*.grammarly.net`\n- `grammarly.io` and `*.grammarly.io`\n\n### Exclusions from the scope:\n\n- `anagram.grammarly.io` - out of scope.\n\n### Note about `grammarly.ai`\n\nWe’re already aware of certain issues found in `grammarly.ai`.\n\u003e This service doesn't handle, store or transfer any internal data or data of our users. Additionally, it is located in a separate VPC and isn't part of our infrastructure.\n\nWe accept only **critical submissions** (SSRF, XXE, SQLi, RCE) with clearly reproducible **proof of concept code**.\n\n\u003e _Reports that don't match these criteria will be closed as \"N/A\"._\n\n### Note about `Office Add-In`\n\nVulnerabilities are eligible for submission if they’re reproducible on **any version of** Word/Outlook on Windows 7/10 with **all latest security patches applied**. The vulnerability should be tested on a system without additional SDKs and development kits. We cover your expenses (1 month) on a Word/Outlook license if the report turns out to be valid.\n\n# Rewards\n\n- When duplicates (including internally known issues) occur, we only award the first report that we receive.\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- Our rewards are based on the **impact** of a vulnerability, **attack requirements**, and **scenario**.\n- We will try to conform with CVSSv3. 
However, certain exclusions might be possible.\n- The final reward decisions are up to the discretion of Grammarly.\n- We may calculate the severity and rewards of particular vulnerabilities in our client apps and web applications based on our User Agent and platform statistics.\n- **The clarity of your report reflects the potential reward:** If your report isn't clear enough (e.g., lacks proof of concept code), it may lower the bounty, regardless of the severity of the found issue. *This rule works the other way around too!*\n\n### \"Hacker-friendly\" program\n\n- If **your report pointed** our internal security team to a more severe bug, we will calculate your reward based **on the most severe bug we found internally.**\n- Unusual bugs, tricks, or bypasses may receive an extra reward.\n- A report might be rewarded retroactively for a limited amount of time on a case-by-case basis.\n- We may award a Grammarly Premium account for particular \"Informative\" or \"Low\" severity bugs.\n- We will increase the rewards for eligible reports if they are submitted in the form of **`curl`** or **[puppeteer](https://pptr.dev)** scripts **automating exploitation of the vulnerability** (i.e., an exploit) and contributed under the **MIT license**, which must be attached to the script. To be eligible for a bonus, your exploit must be attached before the bug is fixed.\n\n## Recommendations for reporting\n\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* Multiple chained vulnerabilities submitted as one report will qualify for one bigger bounty. If you submit multiple linked vulnerabilities as different reports, we will award every vulnerability individually! Please remember this.\n* Reports that include proof of concept code will be more likely to be accepted.\n* Include how you found the bug, the impact, and any potential remediation. 
\n\n## Public disclosure\n\n- Public disclosure of the vulnerability prior to resolution may cancel a pending reward.\n- We reserve the right to not disclose the report or to disclose it only partially. (We may do this if the original report includes password hashes, config files, proprietary source code, any internal info, etc.)\n- We encourage public disclosure of your findings in our program!\n- We'd like to help out with your **write-ups about publicly disclosed bugs**. Feel free to send your write-up to security@grammarly.com!\n\n# Non-Qualifying Vulnerabilities\n\n- Reports about any vulnerability from the exclusion list below will most likely be closed as \"N/A\".\n- Submitting multiple N/A reports may result in you being excluded from participating in our program.\n\n## Common vulnerabilities excluded from the scope:\n\n* Social engineering (e.g., phishing, vishing, smishing) of Grammarly employees and users is strictly prohibited.\n* Clickjacking on pages without demonstrable impact (e.g., account takeover).\n* CSRF with minimal security implications (logout CSRF, etc.).\n* Content spoofing issues without showing an attack vector and without being able to modify both HTML and CSS.\n* CSV injection.\n* Previously known vulnerable libraries without a working proof of concept.\n* Vulnerabilities in outdated versions of Grammarly software.\n* Issues relating to buggy non-Grammarly client software.\n* Stack traces, path disclosure, and directory listings.\n* Self-XSS or having a user paste JavaScript into the browser console.\n* Vulnerabilities that rely on installed outdated third-party software (e.g., Windows 7, Flash, Java applets, and similar deprecated technologies) will be triaged as \"Low\" for critical actions and \"Informative\" for non-critical ones.\n* Reports that affect only outdated user agents or app versions. 
We only consider exploits in the latest browser versions for Safari, Firefox, Chrome, Edge, IE, and the versions of our applications that are currently in the app stores.\n* Any activity that could lead to the disruption of our service (DoS).\n* Attacks requiring physical access to a user's device.\n* Reports that include only crash dumps or other automated tool output without proof of concept code.\n* **Open redirect** vulnerabilities that do not demonstrate a clear impact (such as sending secret tokens to an arbitrary domain) are out of scope.\n* Open port scanning, banner grabbing, and software version disclosure issues.\n* **MITM attacks on secure connections** and “Mixed Content” issues are out of scope.\n* Issues related to the missing address bar in the Grammarly Desktop Editor. We’re aware of this issue affecting Electron apps serving web pages.\n* Vulnerabilities that require root-level access on a targeted mobile device are out of scope.\n\n## Non-Qualifying best practices\n\n* Missing cookie flags on non-authentication cookies.\n* Missing best practices in DNS configuration (e.g. 
DKIM/DMARC/SPF/TXT).\n* Missing best practices in SSL/TLS configuration.\n* Missing best practices in Content Security Policy (CSP) or lack of other security-related headers.\n* Leakage of sensitive tokens (e.g., a password reset token) to trusted third parties over a secure connection (HTTPS).\n\n## Non-Qualifying (business) issues\n\n* Institution access code enumeration or demonstrating access codes leaked in Internet forums.\n* Credential re-use from public dumps.\n* UUID enumeration of any kind.\n* Ability to determine if a username or email has a Grammarly account, also known as an account oracle.\n* Signing up with multiple accounts to abuse referral code usage.\n* Password length, complexity, and re-use requirements.\n* Email verification feature.\n* Sharing Premium accounts with other users isn't considered a monetary impact.\n\nThank you for helping keep Grammarly and our users safe!\n\n## Consequences of Complying with This Policy aka Safe Harbor\n\nWe will not pursue a civil action or initiate a complaint to law enforcement for accidental, good-faith violations of this policy. We consider activities conducted consistently with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Acceptable Use Policy, we waive those restrictions for the limited purpose of permitting security research under this policy. 
We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you and you have complied with Grammarly’s bug bounty policy, Grammarly will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\n# A note from our internal security team\n\n## Things we do like:\n\n- Rewarding talented researchers with huge bounties.\n- Extra-rewarding researchers for multiple \"Medium\"/\"High\" security issues.\n- Easily reproducible PoCs (e.g., with curl).\n- A clear Impact section in your reports.\n\n## Things we don't like:\n\n- Speculative researchers and speculative reports.\n- Violations of program rules.\n- Theoretically exploitable issues without clear proof of exploitability.\n- Unethical hacking: saving/modifying/selling our data intentionally.\n- Copy-pasted reports from the “public disclosure” section on HackerOne.\n\n## Where to start?\n\n- The Office Add-in is a particularly interesting target.\n- We especially like reports about our browser extensions.\n- We have good CSRF protection.\n- We are waiting for your XXE reports (don't forget a PoC).\n- Our Electron app is already hardened with `contextIsolation` and `nodeintegration`.\n- The WAF is a great target for experienced web hackers.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-01-30T15:21:17.899Z"},{"id":3601654,"new_policy":"Security and privacy are core concepts for Grammarly. 
Grammarly looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n# Rules for us\n\n- We respect the time and effort of our researchers.\n- We will respond **within 3 business days**.\n- We will try to make a bounty determination **after validating** a legitimate security issue **within 10 business days**.\n- We will not take legal action against you for playing by these rules.\n- We will do our best to keep you informed about our progress throughout the process.\n- We will not respond to threats or negotiate under duress.\n\n# Rules for you\n\n* Be an ethical hacker.\n* Respect other users’ privacy: only interact with Grammarly accounts you own or with the explicit permission of the account holder.\n* Make a good-faith effort to avoid testing that would result in privacy violations, destruction of data or interruption or degradation of our service.\n* Let us know as soon as possible upon discovery of a potential security issue.\n* Contact us immediately if you do inadvertently encounter user data. Do not view, alter, save, store, transfer, or otherwise access the data and immediately purge any local information upon reporting the vulnerability to Grammarly. 
\n* Follow [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n* We reserve the right to disqualify individuals from the program for disrespectful or disruptive behavior.\n* We accept reports from hackers with a Signal higher than 1.0\n\n# Scope\n\n## Focus Scope\n\nGrammarly is particularly interested in testing our **Native apps and clients, Desktop Editors, Mobile Keyboards, Add-On for Microsoft Word and Outlook**\n\n### Native apps and clients\n\n* __Browser Extensions for Chrome, Safari, Firefox, Edge__ - A browser extension that's compatible with the supported versions of Chrome, Safari, Firefox, and Edge.\n\n* __Desktop Editors for Microsoft Windows and MacOS__ – our Electron-powered desktop application for [macOS](https://www.grammarly.com/native/mac) and [Windows](https://www.grammarly.com/native/windows) where users can write and manage their documents as well as configure account settings.\n\n* __Add-On for Microsoft Word and Outlook__ - [Grammarly add-on](https://www.grammarly.com/office-addin/windows) for MS Word and Outlook for Windows. \n\n* __Mobile keyboards and applications for Android and iOS__ – our mobile apps and keyboards.\n\n* __WAF__* - bugs leading to **direct bypass** of our firewall are eligible for focus scope bounty. 
Bugs that rely on hijacking cookies of our employees or using our employees' devices as proxy don’t fall into this category.\n\n## Standard Scope\n\nAll other assets listed in our “In Scope” table:\n- `capi.grammarly.com`\n- `data.grammarly.com`\n- `felog.grammarly.com`\n- `gnar.grammarly.com`\n- `dapi.grammarly.com`\n- `app.grammarly.com`\n- `admin-panel.grammarly.com`\n- `irbis.grammarly.com`\n- `subscription.grammarly.com`\n- `institution.grammarly.com`\n- `www.grammarly.com`\n- `dox.grammarly.com`\n- `auth.grammarly.com`\n- `datareport.grammarly.com`\n- `proofit.com` and `*.proofit.com`\n- `grammarly.net` and `*.grammarly.net`\n- `grammarly.io` and `*.grammarly.io`\n\n### Exclusions from the scope:\n\n- `anagram.grammarly.io` - out of scope.\n\n### Note about `grammarly.ai`\n\nWe’re already aware of certain issues found in `grammarly.ai`.\n\u003e This service doesn't handle, store or transfer any internal data or data of our users. Additionally, it is located in a separate VPC and isn't part of our infrastructure.\nWe accept only **critical submissions**(SSRF, XXE, SQLi, RCE) with a clearly reproducible **proof of concept code**.\n\n\u003e _Reports that don't match these criteria will be closed as \"N/A\"._ \n\n### Note about `Office Add-In`\nVulnerabilities are eligible for submission if they’re reproducible on **any version of** Word/Outlook on Windows 7/10 with **all latest security patches applied**. The vulnerability should be tested on a system without additional SDKs and development kits. We cover your expenses (1 month) on a Word/Outlook license if the report appears being valid.\n\n# Rewards\n\n- When duplicates (including internally known issues) occur, we only award the first report that we receive.\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- Our rewards are based on the **impact** of a vulnerability, **attack requirements** and **scenario**.\n- We will try to conform with CVSSv3. 
However, certain exclusions might be possible.\n- The final reward decisions are up to the discretion of Grammarly.\n- We may calculate the severity and rewards of particular vulnerabilities in our client apps and web applications based on our User Agents and platforms statistics.\n* **Clearness of your report reflects the potential reward:** If your report isn't clear enough (e.g., lacks proof of concept code), it may lower the bounty, despite the severity of the found issue. *This rule works vice versa too!*\n\n### \"Hacker-friendly\" program\n\n- If **your report pointed** our internal security team to a more severe bug, we will calculate your reward based **on the most severe bug we found internally.**\n- Unusual bugs, tricks, or bypasses might be extra rewarded.\n- A report might be rewarded retroactively for a limited amount of time on a case-by-case basis.\n- We may award a Grammarly Premium account for particular \"Informative\" or \"Low\" severity bugs.\n- We will increase the rewards for eligible reports if they are submitted in the form of **`curl`** or **[puppeteer](https://pptr.dev)** scripts **automating exploitation of the vulnerability** (i.e., exploit) and contributed under the **MIT license**, which must be attached to the script. To be eligible for a bonus, your exploit must be attached before the bug is fixed. \n\n## Recommendations for reporting\n\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* Multiple chained vulnerabilities submitted as one report will qualify for one bigger bounty. If you submit multiple linked vulnerabilities as different reports, we will award every vulnerability individually! Please, remember this.\n* Reports that include proof of concept code will be more likely to be accepted.\n* Include how you found the bug, the impact, and any potential remediation. 
\n\n## Public disclosure\n\n- Public disclosure of the vulnerability prior to resolution may cancel a pending reward.\n- We reserve the right to not disclose the report or to disclose it only partially. (We may do this if the original report includes password hashes, config files, proprietary source code, any internal info, etc.)\n- We encourage public disclosure of your findings in our program!\n- We'd like to help out with your **write-ups about publicly disclosed bugs**. Feel free to send your write-up to security@grammarly.com!\n\n# Non-Qualifying Vulnerabilities\n\n- Report about any vulnerability from the exclusion list below will most likely be closed as \"N/A\".\n- Submitting multiple N/A reports may result in you being excluded from participating in our program.\n\n## Common vulnerabilities excluded from the scope:\n\n* Social engineering (e.g., phishing, vishing, smishing) of Grammarly employees and users is strictly prohibited.\n* Clickjacking on pages without demonstrable impact (e.g. account takeover).\n* CSRF with minimal security implications (Logout CSRF, etc.)\n* Content spoofing issues without showing an attack vector and without being able to modify both HTML and CSS.\n* CSV injection.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Vulnerabilities in outdated versions of Grammarly software.\n* Issues relating to buggy non-Grammarly client software.\n* Stack traces, path disclosure, and directory listings.\n* Self-XSS or having a user paste JavaScript into the browser console.\n* Vulnerabilities that rely on installed outdated third-party software (e.g. Windows 7, Flash, Java applets, and similar deprecated technologies) will be triaged as \"Low\" for critical actions and \"Informative\" for non-critical ones.\n* Reports that affect only outdated user agents or app versions. 
We only consider exploits in the latest browser versions for Safari, Firefox, Chrome, Edge, IE and the versions of our applications that are currently in the app stores.\n* Any activity that could lead to the disruption of our service (DoS).\n* Attacks requiring physical access to a user's device.\n* Reports that include only crash dumps or other automated tool output without a proof of concept code.\n* **Open redirect** vulnerabilities that do not demonstrate a clear impact, such as sending secret tokens to an arbitrary domain are out of scope.\n* Open ports scanning, banner grabbing, software version disclosure issues.\n* **MITM attacks on secure connection** and “Mixed Content” issues are out of scope.\n*  Issues related to the missing address bar in Grammarly Desktop Editor. We’re aware of this issue affecting Electron apps serving web pages.\n* Vulnerabilities that require root-level access on a targeted mobile device are out of scope.\n\n## Non-Qualifying best practices\n\n* Missing cookie flags on non-authentication cookies.\n* Missing best practices in DNS configuration (e.g. 
DKIM/DMARC/SPF/TXT).\n* Missing best practices in SSL/TLS configuration.\n* Missing best practices in Content Security Policy (CSP) or lack of other security-related headers.\n* Leakage of sensitive tokens (e.g., reset password token) to trusted third parties on secure connection (HTTPS).\n\n## Non-Qualifying (business) issues\n\n* Institution access code enumeration or demonstrating access codes leaked in Internet forums.\n* Credential re-usage from public dumps.\n* UUID enumeration of any kind.\n* Ability to determine if a username or email has a Grammarly account, also known as an account oracle.\n* Signing up with multiple accounts to abuse referral code usage.\n* Password length, complexity, and re-use requirements.\n* Email verification feature.\n* Sharing Premium accounts with other users isn't considered a monetary impact.\n\nThank you for helping keep Grammarly and our users safe!\n\n## Consequences of Complying with This Policy aka Safe Harbor\nWe will not pursue a civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistently with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Acceptable Use Policy, we waive those restrictions for the limited purpose of permitting security research under this policy. 
We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you and you have complied with Grammarly’s bug bounty policy, Grammarly will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\n\n# A note from our internal security team\n\n## Things we do like:\n\n- Rewarding talented researchers with huge bounties.\n- Extra-rewarding researchers for multiple \"Medium\"/\"High\" security issues.\n- Easily reproducible PoCs (e.g., with curl).\n- Clear Impact section in your reports.\n\n## Things we don't like:\n\n- Speculative researchers and speculative reports.\n- Violations of program rules.\n- Theoretically exploitable issues without clear proofs of exploitability.\n- Unethical hacking: saving/modifying/selling our data intentionally.\n- Copy-pasted reports from the “public disclosure” section on HackerOne.\n\n## Where to start?\n\n- The Office Add-in is a particularly interesting target.\n- We especially like reports about our browser extensions.\n- We have good CSRF protection.\n- We are waiting for your XXE reports (don't forget a PoC).\n- Our Electron app is already hardened with `contextIsolation` and `nodeintegration`\n- WAF is a great target for experienced web hackers.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-01-30T15:00:36.104Z"},{"id":3600699,"new_policy":"Security and privacy is a core concept for Grammarly. 
Grammarly looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n# Rules for us\n\n- We respect the time and effort of our researchers.\n- We will respond **within 3 business days**.\n- We will try to make a bounty determination **after validating** a legitimate security issue **within 10 business days**.\n- We will not take legal action against you for playing by these rules.\n- We will do our best to keep you informed about our progress throughout the process.\n- We will not respond to threats or negotiate under duress.\n\n# Rules for you\n\n* Be an ethical hacker.\n* Respect other users’ privacy: only interact with Grammarly accounts you own or with the explicit permission of the account holder.\n* Make a good-faith effort to avoid testing that would result in privacy violations, destruction of data or interruption or degradation of our service.\n* Let us know as soon as possible upon discovery of a potential security issue.\n* Contact us immediately if you do inadvertently encounter user data. Do not view, alter, save, store, transfer, or otherwise access the data and immediately purge any local information upon reporting the vulnerability to Grammarly. 
\n* Follow [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n* We reserve the right to disqualify individuals from the program for disrespectful or disruptive behavior.\n* We accept reports from hackers with a Signal higher than 1.0\n\n# Scope\n\n## Focus Scope\n\nGrammarly is particularly interested in testing our **Native apps and clients, Desktop Editors, Mobile Keyboards, Add-On for Microsoft Word and Outlook**\n\n### Native apps and clients\n\n* __Browser Extensions for Chrome, Safari, Firefox, Edge__ - A browser extension that's compatible with the supported versions of Chrome, Safari, Firefox, and Edge.\n\n* __Desktop Editors for Microsoft Windows and MacOS__ – our Electron-powered desktop application for [macOS](https://www.grammarly.com/native/mac) and [Windows](https://www.grammarly.com/native/windows) where users can write and manage their documents as well as configure account settings.\n\n* __Add-On for Microsoft Word and Outlook__ - [Grammarly add-on](https://www.grammarly.com/office-addin/windows) for MS Word and Outlook for Windows. \n\n* __Mobile keyboards and applications for Android and iOS__ – our mobile apps and keyboards.\n\n* __WAF__* - bugs leading to **direct bypass** of our firewall are eligible for focus scope bounty. 
Bugs that rely on hijacking cookies of our employees or using our employees' devices as proxy don’t fall into this category.\n\n## Standard Scope\n\nAll other assets listed in our “In Scope” table:\n- `capi.grammarly.com`\n- `data.grammarly.com`\n- `felog.grammarly.com`\n- `gnar.grammarly.com`\n- `dapi.grammarly.com`\n- `app.grammarly.com`\n- `admin-panel.grammarly.com`\n- `irbis.grammarly.com`\n- `www.grammarly.com`\n- `dox.grammarly.com`\n- `auth.grammarly.com`\n- `datareport.grammarly.com`\n- `proofit.com` and `*.proofit.com`\n- `grammarly.net` and `*.grammarly.net`\n- `grammarly.io` and `*.grammarly.io`\n\n### Exclusions from the scope:\n\n- `anagram.grammarly.io` - out of scope.\n\n### Note about `grammarly.ai`\n\nWe’re already aware of certain issues found in `grammarly.ai`.\n\u003e This service doesn't handle, store or transfer any internal data or data of our users. Additionally, it is located in a separate VPC and isn't part of our infrastructure.\nWe accept only **critical submissions**(SSRF, XXE, SQLi, RCE) with a clearly reproducible **proof of concept code**.\n\n\u003e _Reports that don't match these criteria will be closed as \"N/A\"._ \n\n### Note about `Office Add-In`\nVulnerabilities are eligible for submission if they’re reproducible on **any version of** Word/Outlook on Windows 7/10 with **all latest security patches applied**. The vulnerability should be tested on a system without additional SDKs and development kits. We cover your expenses (1 month) on a Word/Outlook license if the report appears being valid.\n\n# Rewards\n\n- When duplicates (including internally known issues) occur, we only award the first report that we receive.\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- Our rewards are based on the **impact** of a vulnerability, **attack requirements** and **scenario**.\n- We will try to conform with CVSSv3. 
However, certain exclusions might be possible.\n- The final reward decisions are up to the discretion of Grammarly.\n- We may calculate the severity and rewards of particular vulnerabilities in our client apps and web applications based on our User Agents and platforms statistics.\n* **Clearness of your report reflects the potential reward:** If your report isn't clear enough (e.g., lacks proof of concept code), it may lower the bounty, despite the severity of the found issue. *This rule works vice versa too!*\n\n### \"Hacker-friendly\" program\n\n- If **your report pointed** our internal security team to a more severe bug, we will calculate your reward based **on the most severe bug we found internally.**\n- Unusual bugs, tricks, or bypasses might be extra rewarded.\n- A report might be rewarded retroactively for a limited amount of time on a case-by-case basis.\n- We may award a Grammarly Premium account for particular \"Informative\" or \"Low\" severity bugs.\n- We will increase the rewards for eligible reports if they are submitted in the form of **`curl`** or **[puppeteer](https://pptr.dev)** scripts **automating exploitation of the vulnerability** (i.e., exploit) and contributed under the **MIT license**, which must be attached to the script. To be eligible for a bonus, your exploit must be attached before the bug is fixed. \n\n## Recommendations for reporting\n\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* Multiple chained vulnerabilities submitted as one report will qualify for one bigger bounty. If you submit multiple linked vulnerabilities as different reports, we will award every vulnerability individually! Please, remember this.\n* Reports that include proof of concept code will be more likely to be accepted.\n* Include how you found the bug, the impact, and any potential remediation. 
\n\n## Public disclosure\n\n- Public disclosure of the vulnerability prior to resolution may cancel a pending reward.\n- We reserve the right to not disclose the report or to disclose it only partially. (We may do this if the original report includes password hashes, config files, proprietary source code, any internal info, etc.)\n- We encourage public disclosure of your findings in our program!\n- We'd like to help out with your **write-ups about publicly disclosed bugs**. Feel free to send your write-up to security@grammarly.com!\n\n# Non-Qualifying Vulnerabilities\n\n- Report about any vulnerability from the exclusion list below will most likely be closed as \"N/A\".\n- Submitting multiple N/A reports may result in you being excluded from participating in our program.\n\n## Common vulnerabilities excluded from the scope:\n\n* Social engineering (e.g., phishing, vishing, smishing) of Grammarly employees and users is strictly prohibited.\n* Clickjacking on pages without demonstrable impact (e.g. account takeover).\n* CSRF with minimal security implications (Logout CSRF, etc.)\n* Content spoofing issues without showing an attack vector and without being able to modify both HTML and CSS.\n* CSV injection.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Vulnerabilities in outdated versions of Grammarly software.\n* Issues relating to buggy non-Grammarly client software.\n* Stack traces, path disclosure, and directory listings.\n* Self-XSS or having a user paste JavaScript into the browser console.\n* Vulnerabilities that rely on installed outdated third-party software (e.g. Windows 7, Flash, Java applets, and similar deprecated technologies) will be triaged as \"Low\" for critical actions and \"Informative\" for non-critical ones.\n* Reports that affect only outdated user agents or app versions. 
We only consider exploits in the latest browser versions for Safari, Firefox, Chrome, Edge, IE and the versions of our applications that are currently in the app stores.\n* Any activity that could lead to the disruption of our service (DoS).\n* Attacks requiring physical access to a user's device.\n* Reports that include only crash dumps or other automated tool output without a proof of concept code.\n* **Open redirect** vulnerabilities that do not demonstrate a clear impact, such as sending secret tokens to an arbitrary domain are out of scope.\n* Open ports scanning, banner grabbing, software version disclosure issues.\n* **MITM attacks on secure connection** and “Mixed Content” issues are out of scope.\n*  Issues related to the missing address bar in Grammarly Desktop Editor. We’re aware of this issue affecting Electron apps serving web pages.\n* Vulnerabilities that require root-level access on a targeted mobile device are out of scope.\n\n## Non-Qualifying best practices\n\n* Missing cookie flags on non-authentication cookies.\n* Missing best practices in DNS configuration (e.g. 
DKIM/DMARC/SPF/TXT).\n* Missing best practices in SSL/TLS configuration.\n* Missing best practices in Content Security Policy (CSP) or lack of other security-related headers.\n* Leakage of sensitive tokens (e.g., reset password token) to trusted third parties on secure connection (HTTPS).\n\n## Non-Qualifying (business) issues\n\n* Institution access code enumeration or demonstrating access codes leaked in Internet forums.\n* Credential re-usage from public dumps.\n* UUID enumeration of any kind.\n* Ability to determine if a username or email has a Grammarly account, also known as an account oracle.\n* Signing up with multiple accounts to abuse referral code usage.\n* Password length, complexity, and re-use requirements.\n* Email verification feature.\n* Sharing Premium accounts with other users isn't considered a monetary impact.\n\nThank you for helping keep Grammarly and our users safe!\n\n## Consequences of Complying with This Policy aka Safe Harbor\nWe will not pursue a civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistently with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Acceptable Use Policy, we waive those restrictions for the limited purpose of permitting security research under this policy. 
We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you and you have complied with Grammarly’s bug bounty policy, Grammarly will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\n\n# A note from our internal security team\n\n## Things we do like:\n\n- Rewarding talented researchers with huge bounties.\n- Extra-rewarding researchers for multiple \"Medium\"/\"High\" security issues.\n- Easily reproducible PoCs (e.g., with curl).\n- Clear Impact section in your reports.\n\n## Things we don't like:\n\n- Speculative researchers and speculative reports.\n- Violations of program rules.\n- Theoretically exploitable issues without clear proofs of exploitability.\n- Unethical hacking: saving/modifying/selling our data intentionally.\n- Copy-pasted reports from the “public disclosure” section on HackerOne.\n\n## Where to start?\n\n- The Office Add-in is a particularly interesting target.\n- We especially like reports about our browser extensions.\n- We have good CSRF protection.\n- We are waiting for your XXE reports (don't forget a PoC).\n- Our Electron app is already hardened with `contextIsolation` and `nodeintegration`\n- WAF is a great target for experienced web hackers.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-01-17T11:15:54.021Z"},{"id":3600439,"new_policy":"Security and privacy is a core concept for Grammarly. 
Grammarly looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n# Rules for us\n\n- We respect the time and effort of our researchers.\n- We will respond **within 3 business days**.\n- We will try to make a bounty determination **after validating** a legitimate security issue **within 10 business days**.\n- We will not take legal action against you for playing by these rules.\n- We will do our best to keep you informed about our progress throughout the process.\n- We will not respond to threats or negotiate under duress.\n\n# Rules for you\n\n* Be an ethical hacker.\n* Respect other users’ privacy: only interact with Grammarly accounts you own or with the explicit permission of the account holder.\n* Make a good-faith effort to avoid testing that would result in privacy violations, destruction of data or interruption or degradation of our service.\n* Let us know as soon as possible upon discovery of a potential security issue.\n* Contact us immediately if you do inadvertently encounter user data. Do not view, alter, save, store, transfer, or otherwise access the data and immediately purge any local information upon reporting the vulnerability to Grammarly. 
\n* Follow [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n* We reserve the right to disqualify individuals from the program for disrespectful or disruptive behavior.\n* We accept reports from hackers with a Signal higher than 1.0\n\n# Scope\n\n## Focus Scope\n\nGrammarly is particularly interested in testing our **Native apps and clients, Desktop Editors, Mobile Keyboards, Add-On for Microsoft Word and Outlook**\n\n### Native apps and clients\n\n* __Browser Extensions for Chrome, Safari, Firefox, Edge__ - A browser extension that's compatible with the supported versions of Chrome, Safari, Firefox, and Edge.\n\n* __Desktop Editors for Microsoft Windows and MacOS__ – our Electron-powered desktop application for [macOS](https://www.grammarly.com/native/mac) and [Windows](https://www.grammarly.com/native/windows) where users can write and manage their documents as well as configure account settings.\n\n* __Add-On for Microsoft Word and Outlook__ - [Grammarly add-on](https://www.grammarly.com/office-addin/windows) for MS Word and Outlook for Windows. \n\n* __Mobile keyboards and applications for Android and iOS__ – our mobile apps and keyboards.\n\n* __WAF__* - bugs leading to **direct bypass** of our firewall are eligible for focus scope bounty. 
Bugs that rely on hijacking cookies of our employees or using our employees' devices as proxy don’t fall into this category.\n\n## Standard Scope\n\nAll other assets listed in our “In Scope” table:\n- `capi.grammarly.com`\n- `data.grammarly.com`\n- `felog.grammarly.com`\n- `gnar.grammarly.com`\n- `dapi.grammarly.com`\n- `app.grammarly.com`\n- `admin-panel.grammarly.com`\n- `irbis.grammarly.com`\n- `www.grammarly.com`\n- `dox.grammarly.com`\n- `auth.grammarly.com`\n- `proofit.com` and `*.proofit.com`\n- `grammarly.net` and `*.grammarly.net`\n- `grammarly.io` and `*.grammarly.io`\n\n### Exclusions from the scope:\n\n- `anagram.grammarly.io` - out of scope.\n\n### Note about `grammarly.ai`\n\nWe’re already aware of certain issues found in `grammarly.ai`.\n\u003e This service doesn't handle, store or transfer any internal data or data of our users. Additionally, it is located in a separate VPC and isn't part of our infrastructure.\nWe accept only **critical submissions**(SSRF, XXE, SQLi, RCE) with a clearly reproducible **proof of concept code**.\n\n\u003e _Reports that don't match these criteria will be closed as \"N/A\"._ \n\n### Note about `Office Add-In`\nVulnerabilities are eligible for submission if they’re reproducible on **any version of** Word/Outlook on Windows 7/10 with **all latest security patches applied**. The vulnerability should be tested on a system without additional SDKs and development kits. We cover your expenses (1 month) on a Word/Outlook license if the report appears being valid.\n\n# Rewards\n\n- When duplicates (including internally known issues) occur, we only award the first report that we receive.\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- Our rewards are based on the **impact** of a vulnerability, **attack requirements** and **scenario**.\n- We will try to conform with CVSSv3. 
However, certain exclusions might be possible.\n- The final reward decisions are up to the discretion of Grammarly.\n- We may calculate the severity and rewards of particular vulnerabilities in our client apps and web applications based on our User Agents and platforms statistics.\n* **Clearness of your report reflects the potential reward:** If your report isn't clear enough (e.g., lacks proof of concept code), it may lower the bounty, despite the severity of the found issue. *This rule works vice versa too!*\n\n### \"Hacker-friendly\" program\n\n- If **your report pointed** our internal security team to a more severe bug, we will calculate your reward based **on the most severe bug we found internally.**\n- Unusual bugs, tricks, or bypasses might be extra rewarded.\n- A report might be rewarded retroactively for a limited amount of time on a case-by-case basis.\n- We may award a Grammarly Premium account for particular \"Informative\" or \"Low\" severity bugs.\n- We will increase the rewards for eligible reports if they are submitted in the form of **`curl`** or **[puppeteer](https://pptr.dev)** scripts **automating exploitation of the vulnerability** (i.e., exploit) and contributed under the **MIT license**, which must be attached to the script. To be eligible for a bonus, your exploit must be attached before the bug is fixed. \n\n## Recommendations for reporting\n\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* Multiple chained vulnerabilities submitted as one report will qualify for one bigger bounty. If you submit multiple linked vulnerabilities as different reports, we will award every vulnerability individually! Please, remember this.\n* Reports that include proof of concept code will be more likely to be accepted.\n* Include how you found the bug, the impact, and any potential remediation. 
\n\n## Public disclosure\n\n- Public disclosure of the vulnerability prior to resolution may cancel a pending reward.\n- We reserve the right to not disclose the report or to disclose it only partially. (We may do this if the original report includes password hashes, config files, proprietary source code, any internal info, etc.)\n- We encourage public disclosure of your findings in our program!\n- We'd like to help out with your **write-ups about publicly disclosed bugs**. Feel free to send your write-up to security@grammarly.com!\n\n# Non-Qualifying Vulnerabilities\n\n- Report about any vulnerability from the exclusion list below will most likely be closed as \"N/A\".\n- Submitting multiple N/A reports may result in you being excluded from participating in our program.\n\n## Common vulnerabilities excluded from the scope:\n\n* Social engineering (e.g., phishing, vishing, smishing) of Grammarly employees and users is strictly prohibited.\n* Clickjacking on pages without demonstrable impact (e.g. account takeover).\n* CSRF with minimal security implications (Logout CSRF, etc.)\n* Content spoofing issues without showing an attack vector and without being able to modify both HTML and CSS.\n* CSV injection.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Vulnerabilities in outdated versions of Grammarly software.\n* Issues relating to buggy non-Grammarly client software.\n* Stack traces, path disclosure, and directory listings.\n* Self-XSS or having a user paste JavaScript into the browser console.\n* Vulnerabilities that rely on installed outdated third-party software (e.g. Windows 7, Flash, Java applets, and similar deprecated technologies) will be triaged as \"Low\" for critical actions and \"Informative\" for non-critical ones.\n* Reports that affect only outdated user agents or app versions. 
We only consider exploits in the latest browser versions for Safari, Firefox, Chrome, Edge, IE and the versions of our applications that are currently in the app stores.\n* Any activity that could lead to the disruption of our service (DoS).\n* Attacks requiring physical access to a user's device.\n* Reports that include only crash dumps or other automated tool output without a proof of concept code.\n* **Open redirect** vulnerabilities that do not demonstrate a clear impact, such as sending secret tokens to an arbitrary domain are out of scope.\n* Open ports scanning, banner grabbing, software version disclosure issues.\n* **MITM attacks on secure connection** and “Mixed Content” issues are out of scope.\n*  Issues related to the missing address bar in Grammarly Desktop Editor. We’re aware of this issue affecting Electron apps serving web pages.\n* Vulnerabilities that require root-level access on a targeted mobile device are out of scope.\n\n## Non-Qualifying best practices\n\n* Missing cookie flags on non-authentication cookies.\n* Missing best practices in DNS configuration (e.g. 
DKIM/DMARC/SPF/TXT).\n* Missing best practices in SSL/TLS configuration.\n* Missing best practices in Content Security Policy (CSP) or lack of other security-related headers.\n* Leakage of sensitive tokens (e.g., reset password token) to trusted third parties on secure connection (HTTPS).\n\n## Non-Qualifying (business) issues\n\n* Institution access code enumeration or demonstrating access codes leaked in Internet forums.\n* Credential re-usage from public dumps.\n* UUID enumeration of any kind.\n* Ability to determine if a username or email has a Grammarly account, also known as an account oracle.\n* Signing up with multiple accounts to abuse referral code usage.\n* Password length, complexity, and re-use requirements.\n* Email verification feature.\n* Sharing Premium accounts with other users isn't considered a monetary impact.\n\nThank you for helping keep Grammarly and our users safe!\n\n## Consequences of Complying with This Policy aka Safe Harbor\nWe will not pursue a civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistently with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Acceptable Use Policy, we waive those restrictions for the limited purpose of permitting security research under this policy. 
We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you and you have complied with Grammarly’s bug bounty policy, Grammarly will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\n\n# A note from our internal security team\n\n## Things we do like:\n\n- Rewarding talented researchers with huge bounties.\n- Extra-rewarding researchers for multiple \"Medium\"/\"High\" security issues.\n- Easily reproducible PoCs (e.g., with curl).\n- Clear Impact section in your reports.\n\n## Things we don't like:\n\n- Speculative researchers and speculative reports.\n- Violations of program rules.\n- Theoretically exploitable issues without clear proofs of exploitability.\n- Unethical hacking: saving/modifying/selling our data intentionally.\n- Copy-pasted reports from the “public disclosure” section on HackerOne.\n\n## Where to start?\n\n- The Office Add-in is a particularly interesting target.\n- We especially like reports about our browser extensions.\n- We have good CSRF protection.\n- We are waiting for your XXE reports (don't forget a PoC).\n- Our Electron app is already hardened with `contextIsolation` and `nodeintegration`\n- WAF is a great target for experienced web hackers.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-01-14T15:07:58.149Z"},{"id":3597649,"new_policy":"Security and privacy is a core concept for Grammarly. 
Grammarly looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n# Rules for us\n\n- We respect the time and effort of our researchers.\n- We will respond **within 3 business days**.\n- We will try to make a bounty determination **after validating** a legitimate security issue **within 10 business days**.\n- We will not take legal action against you for playing by these rules.\n- We will do our best to keep you informed about our progress throughout the process.\n- We will not respond to threats or negotiate under duress.\n\n# Rules for you\n\n* Be an ethical hacker.\n* Respect other users’ privacy: only interact with Grammarly accounts you own or with the explicit permission of the account holder.\n* Make a good-faith effort to avoid testing that would result in privacy violations, destruction of data or interruption or degradation of our service.\n* Let us know as soon as possible upon discovery of a potential security issue.\n* Contact us immediately if you do inadvertently encounter user data. Do not view, alter, save, store, transfer, or otherwise access the data and immediately purge any local information upon reporting the vulnerability to Grammarly. 
\n* Follow [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n* We reserve the right to disqualify individuals from the program for disrespectful or disruptive behavior.\n* We accept reports from hackers with a Signal higher than 1.0\n\n# Scope\n\n## Focus Scope\n\nGrammarly is particularly interested in testing our **Native apps and clients, Desktop Editors, Mobile Keyboards, Add-On for Microsoft Word and Outlook**\n\n### Native apps and clients\n\n* __Browser Extensions for Chrome, Safari, Firefox, Edge__ - A browser extension that's compatible with the supported versions of Chrome, Safari, Firefox, and Edge.\n\n* __Desktop Editors for Microsoft Windows and MacOS__ – our Electron-powered desktop application for [macOS](https://www.grammarly.com/native/mac) and [Windows](https://www.grammarly.com/native/windows) where users can write and manage their documents as well as configure account settings.\n\n* __Add-On for Microsoft Word and Outlook__ - [Grammarly add-on](https://www.grammarly.com/office-addin/windows) for MS Word and Outlook for Windows.\n\n* __Mobile keyboards and applications for Android and iOS__ – our mobile apps and keyboards.\n\n* __WAF__* - bugs leading to **direct bypass** of our firewall are eligible for focus scope bounty. 
Bugs that rely on hijacking cookies of our employees or using our employees' devices as proxy don’t fall into this category.\n\n## Standard Scope\n\nAll other assets listed in our “In Scope” table:\n- `capi.grammarly.com`\n- `data.grammarly.com`\n- `felog.grammarly.com`\n- `gnar.grammarly.com`\n- `dapi.grammarly.com`\n- `app.grammarly.com`\n- `admin-panel.grammarly.com`\n- `irbis.grammarly.com`\n- `www.grammarly.com`\n- `dox.grammarly.com`\n- `auth.grammarly.com`\n- `proofit.com` and `*.proofit.com`\n- `grammarly.net` and `*.grammarly.net`\n- `grammarly.io` and `*.grammarly.io`\n\n### Exclusions from the scope:\n\n- `anagram.grammarly.io` - out of scope.\n\n### Note about `grammarly.ai`\n\nWe’re already aware of certain issues found in `grammarly.ai`.\n\u003e This service doesn't handle, store or transfer any internal data or data of our users. Additionally, it is located in a separate VPC and isn't part of our infrastructure.\nWe accept only **critical submissions**(SSRF, XXE, SQLi, RCE) with a clearly reproducible **proof of concept code**.\n\n\u003e _Reports that don't match these criteria will be closed as \"N/A\"._ \n\n# Rewards\n\n- When duplicates (including internally known issues) occur, we only award the first report that we receive.\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- Our rewards are based on the **impact** of a vulnerability, **attack requirements** and **scenario**.\n- We will try to conform with CVSSv3. However, certain exclusions might be possible.\n- The final reward decisions are up to the discretion of Grammarly.\n- We may calculate the severity and rewards of particular vulnerabilities in our client apps and web applications based on our User Agents and platforms statistics.\n* **Clearness of your report reflects the potential reward:** If your report isn't clear enough (e.g., lacks proof of concept code), it may lower the bounty, despite the severity of the found issue. 
*This rule works vice versa too!*\n\n### \"Hacker-friendly\" program\n\n- If **your report pointed** our internal security team to a more severe bug, we will calculate your reward based **on the most severe bug we found internally.**\n- Unusual bugs, tricks, or bypasses might be extra rewarded.\n- A report might be rewarded retroactively for a limited amount of time on a case-by-case basis.\n- We may award a Grammarly Premium account for particular \"Informative\" or \"Low\" severity bugs.\n- We will increase the rewards for eligible reports if they are submitted in the form of **`curl`** or **[puppeteer](https://pptr.dev)** scripts **automating exploitation of the vulnerability** (i.e., exploit) and contributed under the **MIT license**, which must be attached to the script. To be eligible for a bonus, your exploit must be attached before the bug is fixed. \n\n## Recommendations for reporting\n\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* Multiple chained vulnerabilities submitted as one report will qualify for one bigger bounty. If you submit multiple linked vulnerabilities as different reports, we will award every vulnerability individually! Please, remember this.\n* Reports that include proof of concept code will be more likely to be accepted.\n* Include how you found the bug, the impact, and any potential remediation. \n\n## Public disclosure\n\n- Public disclosure of the vulnerability prior to resolution may cancel a pending reward.\n- We reserve the right to not disclose the report or to disclose it only partially. (We may do this if the original report includes password hashes, config files, proprietary source code, any internal info, etc.)\n- We encourage public disclosure of your findings in our program!\n- We'd like to help out with your **write-ups about publicly disclosed bugs**. 
Feel free to send your write-up to security@grammarly.com!\n\n# Non-Qualifying Vulnerabilities\n\n- Report about any vulnerability from the exclusion list below will most likely be closed as \"N/A\".\n- Submitting multiple N/A reports may result in you being excluded from participating in our program.\n\n## Common vulnerabilities excluded from the scope:\n\n* Social engineering (e.g., phishing, vishing, smishing) of Grammarly employees and users is strictly prohibited.\n* Clickjacking on pages without demonstrable impact (e.g. account takeover).\n* CSRF with minimal security implications (Logout CSRF, etc.)\n* Content spoofing issues without showing an attack vector and without being able to modify both HTML and CSS.\n* CSV injection.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Vulnerabilities in outdated versions of Grammarly software.\n* Issues relating to buggy non-Grammarly client software.\n* Stack traces, path disclosure, and directory listings.\n* Self-XSS or having a user paste JavaScript into the browser console.\n* Vulnerabilities that rely on installed outdated third-party software (e.g. Windows 7, Flash, Java applets, and similar deprecated technologies) will be triaged as \"Low\" for critical actions and \"Informative\" for non-critical ones.\n* Reports that affect only outdated user agents or app versions. 
We only consider exploits in the latest browser versions for Safari, Firefox, Chrome, Edge, IE and the versions of our applications that are currently in the app stores.\n* Any activity that could lead to the disruption of our service (DoS).\n* Attacks requiring physical access to a user's device.\n* Reports that include only crash dumps or other automated tool output without a proof of concept code.\n* **Open redirect** vulnerabilities that do not demonstrate a clear impact, such as sending secret tokens to an arbitrary domain are out of scope.\n* Open ports scanning, banner grabbing, software version disclosure issues.\n* **MITM attacks on secure connection** and “Mixed Content” issues are out of scope.\n*  Issues related to the missing address bar in Grammarly Desktop Editor. We’re aware of this issue affecting Electron apps serving web pages.\n\n## Non-Qualifying best practices\n\n* Missing cookie flags on non-authentication cookies.\n* Missing best practices in DNS configuration (e.g. 
DKIM/DMARC/SPF/TXT).\n* Missing best practices in SSL/TLS configuration.\n* Missing best practices in Content Security Policy (CSP) or lack of other security-related headers.\n* Leakage of sensitive tokens (e.g., reset password token) to trusted third parties on secure connection (HTTPS).\n\n## Non-Qualifying (business) issues\n\n* Institution access code enumeration or demonstrating access codes leaked in Internet forums.\n* Credential re-usage from public dumps.\n* UUID enumeration of any kind.\n* Ability to determine if a username or email has a Grammarly account, also known as an account oracle.\n* Signing up with multiple accounts to abuse referral code usage.\n* Password length, complexity, and re-use requirements.\n* Email verification feature.\n* Sharing Premium accounts with other users isn't considered a monetary impact.\n\nThank you for helping keep Grammarly and our users safe!\n\n## Consequences of Complying with This Policy aka Safe Harbor\nWe will not pursue a civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistently with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Acceptable Use Policy, we waive those restrictions for the limited purpose of permitting security research under this policy. 
We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you and you have complied with Grammarly’s bug bounty policy, Grammarly will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\n\n# A note from our internal security team\n\n## Things we do like:\n\n- Rewarding talented researchers with huge bounties.\n- Extra-rewarding researchers for multiple \"Medium\"/\"High\" security issues.\n- Easily reproducible PoCs (e.g., with curl).\n- Clear Impact section in your reports.\n\n## Things we don't like:\n\n- Speculative researchers and speculative reports.\n- Violations of program rules.\n- Theoretically exploitable issues without clear proofs of exploitability.\n- Unethical hacking: saving/modifying/selling our data intentionally.\n- Copy-pasted reports from the “public disclosure” section on HackerOne.\n\n## Where to start?\n\n- The Office Add-in is a particularly interesting target.\n- We especially like reports about our browser extensions.\n- We have good CSRF protection.\n- We are waiting for your XXE reports (don't forget a PoC).\n- Our Electron app is already hardened with `contextIsolation` and `nodeintegration`\n- WAF is a great target for experienced web hackers.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-12-11T14:55:32.972Z"}]