Maintaining top-notch security online is a community effort, and we’re lucky to have a vibrant group of independent security researchers who volunteer their time to help us spot potential issues. To recognize their efforts and the important role they play in keeping Twitter safe for everyone, we offer a bounty for reporting certain qualifying security vulnerabilities. Please review the following program rules before you report a vulnerability. By participating in this program, you agree to be bound by these rules.
Twitter may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $140 USD. There is no maximum reward. The following table outlines the usual minimum rewards for specific classes of vulnerabilities for in-scope properties (see section on Scope).
| Vulnerability | Core Twitter¹ | All Other |
|---|---|---|
| Remote Code Execution | $15,000 | $10,000 |
| Significant Authentication Bypass | $7,500 | $5,000 |
| Cross Site Scripting that can perform critical actions² ³ | $2,500 | $1,500 |
| Cross Site Request Forgery on critical actions² | $2,500 | $1,500 |
| All other Cross Site Scripting³ | $1,000 | $500 |
| All other Cross Site Request Forgery | $250 | $140 |

¹ Core Twitter covers twitter.com, Twitter for iOS, Twitter for Android and reports permitting takeover of a Twitter account.
² Critical actions include (but are not limited to) tweeting, retweeting, favoriting and direct messaging.
³ Excluding self-XSS.
Twitter will determine at its discretion whether a reward should be granted and the amount of the reward; in particular, we may choose to pay higher rewards for unusually clever or severe vulnerabilities, or lower rewards for vulnerabilities that require significant or unusual user interaction. This is not a contest or competition. Rewards may be provided on an ongoing basis so long as this program is active.
The following sites and applications are in scope for this program:
- Fabric SDK
- Twitter for iOS / Android
- Vine for iOS / Android
- Periscope for iOS / Android
Vulnerabilities reported on other Twitter properties or applications are currently not eligible for monetary rewards (as they come into scope, they will be added to this section). However, they are still eligible for our Hall of Fame. High-impact vulnerabilities will be considered on a case-by-case basis.
Reporting Possible Vulnerabilities
You must report a qualifying vulnerability through the HackerOne reporting tool to be eligible for a monetary reward.
If you have an issue that affects only your own account, such as unintended Tweets, DMs, or follows, abuse, harassment, spam, or phishing, please find the appropriate form here.
If you are researching security issues, especially those which may compromise the privacy of others, please use test accounts in order to respect our users’ privacy.
Please be aware that the quality of your report is critical to your submission. To ensure that we are able to understand what you are reporting and the potential impact, please make sure your report contains the following items. You might want to consider using this as a template or checklist when writing up your report.
- What type of issue are you reporting? Does it align to a CWE or OWASP issue?
- How does a user reproduce your issue? (If this contains more than a few steps, please create a video so we can attempt to perform the same steps).
- What is the impact of your issue?
- What are some scenarios where an attacker would be able to leverage this vulnerability?
- What would be your suggested fix?
Eligibility and Responsible Disclosure
We are happy to thank everyone who submits valid reports which help us improve the security of Twitter! However, only those that meet the following eligibility requirements may receive a monetary reward:
- You must be the first reporter of a vulnerability.
- The vulnerability must be a qualifying vulnerability (see below) associated with a site or application in scope (see above).
- We can’t be legally prohibited from rewarding you (for example, you can’t be a resident of or located within Cuba, Sudan, North Korea, Iran or Syria, a national of certain other countries, or on a denied parties or sanctions list).
- You may not publicly disclose the vulnerability prior to our resolution.
Any design or implementation issue that is reproducible and substantially affects the security of Twitter users is likely to be in scope for the program. Common examples include:
- Cross Site Scripting (XSS)
- Cross Site Request Forgery (CSRF)
- Remote Code Execution (RCE)
- Unauthorized Access to Protected Tweets
- Unauthorized Access to DMs
When in doubt, consider what an attack scenario would look like. How would the attacker benefit? What would be the consequence to the victim? The Google Bug Hunters University guide may be useful in considering whether something has impact.
Depending on their impact, not all reported issues may qualify for a monetary reward. However, all reports are reviewed on a case-by-case basis, and any report that results in a change being made will at a minimum receive Hall of Fame recognition.
Please refrain from accessing private information (so use test accounts), performing actions that may negatively affect Twitter users (spam, denial of service), or sending reports from automated tools without verifying them.
The following issues are outside the scope of our vulnerability rewards program (either ineligible or false positives):
- Attacks requiring physical access to a user's device
- Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability)
- Login/logout CSRF
- Password and account recovery policies, such as reset link expiration or password complexity
- Invalid or missing SPF (Sender Policy Framework) records
- Content spoofing / text injection
- Issues related to software or protocols not under Twitter control
- Reports of spam (see here for more info)
- Bypass of URL malware detection
- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms
- Social engineering of Twitter staff or contractors
- Any physical attempts against Twitter property or data centers
- Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages
The Fine Print
You must comply with all applicable laws in connection with your participation in this program. You are also responsible for any applicable taxes associated with any reward you receive.
We may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively.
Reports received prior to the paid bug bounty program launch (10:30 AM PST on September 3, 2014) are not eligible for monetary rewards.