Twitter

Twitter helps you create and share ideas and information instantly, without barriers.

Program Rules

Maintaining top-notch security online is a community effort, and we’re lucky to have a vibrant group of independent security researchers who volunteer their time to help us spot potential issues. To recognize their efforts and the important role they play in keeping Twitter safe for everyone we offer a bounty for reporting certain qualifying security vulnerabilities. Please review the following program rules before you report a vulnerability. By participating in this program, you agree to be bound by these rules.

Rewards

Twitter may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $140 USD. There is no maximum reward. Reward amounts may vary depending upon the severity of the vulnerability reported. Twitter will determine in its discretion whether a reward should be granted and the amount of the reward. This is not a contest or competition. Rewards may be provided on an ongoing basis so long as this program is active.

The following table outlines the minimum rewards for specific classes of vulnerabilities for in-scope properties (see section on Scope):

Vulnerability                                              Minimum reward
Remote Code Execution                                      $10,000
Significant Authentication Bypass                          $5,000
Cross Site Scripting that can perform critical actions [1] [2]   $2,500
Cross Site Request Forgery on critical actions [1]         $2,500
All other Cross Site Scripting [2]                         $1,000
All other Cross Site Request Forgery                       $250

[1] Critical actions include (but are not limited to) tweeting, retweeting, favoriting and direct messaging. In addition, vulnerabilities requiring user interaction generally will qualify for lower award amounts.
[2] Excluding self-XSS.

Scope

The following sites and applications are in scope for this program:

  • *.twitter.com
  • vine.co
  • Fabric SDK
  • Twitter for iOS
  • Twitter for Android
  • Vine for iOS
  • Vine for Android

Vulnerabilities reported on other Twitter properties or applications are currently not eligible for monetary rewards (as they come into scope, they will be added to this section). However, they are still eligible for our Hall of Fame.

Reporting Possible Vulnerabilities

You must report a qualifying vulnerability through the HackerOne reporting tool to be eligible for a monetary reward.

If you have an issue that affects only your own account such as unintended Tweets, DMs, or follows, abuse, harassment, spam, or phishing, please find the appropriate form here.

If you are researching security issues, especially those which may compromise the privacy of others, please use test accounts in order to respect our users’ privacy.

Eligibility and Responsible Disclosure

We are happy to thank everyone who submits valid reports which help us improve the security of Twitter! However, only those that meet the following eligibility requirements may receive a monetary reward:

  • You must be the first reporter of a vulnerability.
  • The vulnerability must be a qualifying vulnerability (see below) associated with a site or application in scope (see above).
  • We can’t be legally prohibited from rewarding you (for example, you can’t be a resident of or located within Cuba, Sudan, North Korea, Iran or Syria, a national of certain other countries, or on a denied parties or sanctions list).
  • You may not publicly disclose the vulnerability prior to our resolution.

Qualifying Vulnerabilities

Any design or implementation issue that is reproducible and substantially affects the security of Twitter users is likely to be in scope for the program. Common examples include:

  • Cross Site Scripting (XSS)
  • Cross Site Request Forgery (CSRF)
  • Remote Code Execution (RCE)
  • Unauthorized Access to Protected Tweets
  • Unauthorized Access to DMs

Non-Qualifying Vulnerabilities

Depending on their impact, not all reported issues may qualify for a monetary reward. However, all reports are reviewed on a case-by-case basis, and any report that results in a change being made will at a minimum receive Hall of Fame recognition.

Please refrain from accessing private information (so use test accounts), performing actions that may negatively affect Twitter users (spam, denial of service), or sending reports from automated tools without verifying them.

The following issues are outside the scope of our vulnerability rewards program (either ineligible or false positives):

  • Attacks requiring physical access to a user's device
  • Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability)
  • Login/logout CSRF
  • Password and account recovery policies, such as reset link expiration or password complexity
  • Missing security headers which do not lead directly to a vulnerability
  • Clickjacking on static websites
  • Content spoofing / text injection
  • Use of a known-vulnerable library (without evidence of exploitability)
  • Issues related to software or protocols not under Twitter control
  • Reports from automated tools or scans
  • Reports of spam (see here for more info)
  • Bypass of URL malware detection
  • Vulnerabilities affecting users of outdated or unpatched browsers and platforms
  • Social engineering of Twitter staff or contractors
  • Any physical attempts against Twitter property or data centers

The Fine Print

You must comply with all applicable laws in connection with your participation in this program. You are also responsible for any applicable taxes associated with any reward you receive.

We may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively.

Reports received prior to the paid bug bounty program launch (10:30 AM PST on September 3, 2014) are not eligible for monetary rewards.

Program statistics

  • Minimum bounty: $140
  • Hackers thanked: 171
  • Bugs closed: 254