[{"id":3752103,"new_policy":"# Program Rules\n\nMaintaining effective security is a community effort, and we are proud to have a vibrant group of independent security researchers who volunteer their time to help us spot potential issues. To recognize their efforts and the important role they play in keeping X safe for everyone, we offer a bounty for reporting certain qualifying security vulnerabilities. Please make sure you review the following program rules before you report a vulnerability. By participating in this program, you agree to be bound by these rules.\n\n## Rewards\n\n* X may, at its sole discretion, provide rewards to eligible reporters of qualifying vulnerabilities.\n* Issue severity is calculated by an internal 5x5 risk matrix based on X-specific data and use cases. Severity is considered a combination of Impact and Likelihood, each assigned a value of Informative, Low, Medium, High, or Critical.\n* Payouts are determined by a panel of security experts\n\n## Legal\n\n### Fine Print\n\nYou must comply with all applicable laws in connection with your participation in this program. You are also responsible for any applicable taxes associated with any reward you receive.\n\nWe may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively. \n\n## SLA\nX will make a best effort to abide by the following timelines:\n* First Response: 2 business days\n* Time to Triage: 10 business days\n* Time to Bounty: 14 business days\n* Time to Resolution: depends on severity and complexity\n\n## Rules of Engagement\nWhen researching security issues, especially those which may compromise the privacy of others, you must use test accounts in order to respect our users’ privacy. 
Accessing private information of other users, performing actions that may negatively affect X users (e.g., spam, denial of service), or sending reports from automated tools without verifying them will immediately disqualify the report and may result in additional steps being taken.\n\n## Report Eligibility\n\n### General\n* You must be the first reporter of the vulnerability\n* The vulnerability must demonstrate security impact to a site or application in scope (see below)\n* You must not have compromised the privacy of our users or otherwise violated the [X Rules](https://help.twitter.com/en/rules-and-policies/X-rules)\n* You must not have publicly disclosed the vulnerability prior to the report being closed, in compliance with the process described in the [HackerOne Vulnerability Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines)\n* We must not be legally prohibited from rewarding you\n\n### Open-Source Recommendation Algorithm\nReports for the open-source recommendation algorithm have additional requirements:\n* In most cases, a working proof of concept is required for report acceptance.\n* If a proof of concept is not provided, nor sufficient supporting documentation for X engineers to feasibly recreate and evaluate the issue, the report may not be accepted.\n* Report quality for acceptance will be at the discretion of X's HackerOne program.\n\n### AI\n* Model issues are out of scope for this program and should be reported through safety@x.ai\n\n### Ineligible Issues\n#### The following issues are outside the scope of our vulnerability rewards program (either ineligible or false positives):\n\n* Attacks requiring physical access to a user's device\n* Any physical attacks against X property or data centers\n* Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability)\n* Logout CSRF\n* Password and account recovery policies, such as reset link expiration or password complexity\n* Invalid or missing SPF (Sender Policy 
Framework) records\n* Content spoofing / text injection\n* Issues related to software or protocols not under X control\n* Reports of spam ([see here for more info](https://support.twitter.com/articles/64986-reporting-spam-on-X))\n* Bypass of URL malware detection\n* Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n* Social engineering of X staff or contractors\n* Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages\n* Issues that result in Denial of Service (DoS) to X's servers at the network or application layer.\n* Cache poisoning techniques that impact service availability for other users.\n* Reports of broken hyperlinks from X blog posts, press releases, or support articles to unclaimed X Handles or to a location where it is not possible to cause the controlled contents to be downloaded to the victim’s filesystem.\n* Issues relating to unlocking client-side features in modified X applications, rooted devices, or jailbroken devices.\n* Open redirects unless they can demonstrate a higher security risk than phishing.\n* Manipulation of \"likes/follows/views\" count due to caching issues. We are already aware that some statistics on our site may temporarily display inaccurate figures when many requests are sent in a brief period of time. However, that is because the numbers are cached, and the cache may take a bit of time to synchronize with the accurate backend data store. 
\n* Homoglyph attacks in URLs that can lead to phishing scenarios, unless the finding can demonstrate larger issues on our platform (e.g., AuthN/AuthZ bypass)\n* Reports that demonstrate bypassing rate limits on Grok or xAI APIs.\n\n#### The following are common reports that are not security concerns:\n\n* Documents in the [Ads Transparency Center](https://business.twitter.com/en/help/ads-policies/product-policies/ads-transparency.html) do not disclose private account information. We intentionally disclose the advertising status of accounts to better inform our users of ads being run on our platform.\n\n## Report Disclosures\nWe currently don't disclose reports marked as **Informative**. Exceptional reports may be considered for disclosure on a case-by-case basis.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-03-19T18:30:57.478Z"},{"id":3747362,"new_policy":"# Program Rules\n\nMaintaining effective security is a community effort, and we are proud to have a vibrant group of independent security researchers who volunteer their time to help us spot potential issues. To recognize their efforts and the important role they play in keeping X safe for everyone, we offer a bounty for reporting certain qualifying security vulnerabilities. Please make sure you review the following program rules before you report a vulnerability. By participating in this program, you agree to be bound by these rules.\n\n## Rewards\n\n* X may, at its sole discretion, provide rewards to eligible reporters of qualifying vulnerabilities.\n* Issue severity is calculated by an internal 5x5 risk matrix based on X-specific data and use cases. 
Severity is considered a combination of Impact and Likelihood, each assigned a value of Informative, Low, Medium, High, or Critical.\n* Payouts are determined by a panel of security experts\n\n## Legal\n\n### Fine Print\n\nYou must comply with all applicable laws in connection with your participation in this program. You are also responsible for any applicable taxes associated with any reward you receive.\n\nWe may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively. \n\n## SLA\nX will make a best effort to abide by the following timelines:\n* First Response: 2 business days\n* Time to Triage: 10 business days\n* Time to Bounty: 14 business days\n* Time to Resolution: depends on severity and complexity\n\n## Rules of Engagement\nWhen researching security issues, especially those which may compromise the privacy of others, you must use test accounts in order to respect our users’ privacy. Accessing private information of other users, performing actions that may negatively affect X users (e.g., spam, denial of service), or sending reports from automated tools without verifying them will immediately disqualify the report and may result in additional steps being taken.\n\n## Report Eligibility\n\n### General\n* You must be the first reporter of the vulnerability\n* The vulnerability must demonstrate security impact to a site or application in scope (see below)\n* You must not have compromised the privacy of our users or otherwise violated the [X Rules](https://help.twitter.com/en/rules-and-policies/X-rules)\n* You must not have publicly disclosed the vulnerability prior to the report being closed, in compliance with the process described in the [HackerOne Vulnerability Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines)\n* We must not be legally prohibited from rewarding you\n\n### Open-Source Recommendation Algorithm\nReports for the open-source 
recommendation algorithm have additional requirements:\n* In most cases, a working proof of concept is required for report acceptance.\n* If a proof of concept is not provided, nor sufficient supporting documentation for X engineers to feasibly recreate and evaluate the issue, the report may not be accepted.\n* Report quality for acceptance will be at the discretion of X's HackerOne program.\n\n### AI\n* Model issues are out of scope for this program and should be reported through the [model behavior feedback form](https://forms.gle/9FEYRcBqLCHxxZTP9).\n\n### Ineligible Issues\n#### The following issues are outside the scope of our vulnerability rewards program (either ineligible or false positives):\n\n* Attacks requiring physical access to a user's device\n* Any physical attacks against X property or data centers\n* Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability)\n* Logout CSRF\n* Password and account recovery policies, such as reset link expiration or password complexity\n* Invalid or missing SPF (Sender Policy Framework) records\n* Content spoofing / text injection\n* Issues related to software or protocols not under X control\n* Reports of spam ([see here for more info](https://support.twitter.com/articles/64986-reporting-spam-on-X))\n* Bypass of URL malware detection\n* Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n* Social engineering of X staff or contractors\n* Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages\n* Issues that result in Denial of Service (DoS) to X's servers at the network or application layer.\n* Cache poisoning techniques that impact service availability for other users.\n* Reports of broken hyperlinks from X blog posts, press releases, or support articles to unclaimed X Handles or to a location where it is not possible to cause the controlled contents to be downloaded to 
the victim’s filesystem.\n* Issues relating to unlocking client-side features in modified X applications, rooted devices, or jailbroken devices.\n* Open redirects unless they can demonstrate a higher security risk than phishing.\n* Manipulation of \"likes/follows/views\" count due to caching issues. We are already aware that some statistics on our site may temporarily display inaccurate figures when many requests are sent in a brief period of time. However, that is because the numbers are cached, and the cache may take a bit of time to synchronize with the accurate backend data store. \n* Homoglyph attacks in URLs that can lead to phishing scenarios, unless the finding can demonstrate larger issues on our platform (e.g., AuthN/AuthZ bypass)\n* Reports that demonstrate bypassing rate limits on Grok or xAI APIs.\n\n#### The following are common reports that are not security concerns:\n\n* Documents in the [Ads Transparency Center](https://business.twitter.com/en/help/ads-policies/product-policies/ads-transparency.html) do not disclose private account information. We intentionally disclose the advertising status of accounts to better inform our users of ads being run on our platform.\n\n## Report Disclosures\nWe currently don't disclose reports marked as **Informative**. Exceptional reports may be considered for disclosure on a case-by-case basis.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-01-02T20:46:25.277Z"},{"id":3741460,"new_policy":"# Program Rules\n\nMaintaining effective security is a community effort, and we are proud to have a vibrant group of independent security researchers who volunteer their time to help us spot potential issues. 
To recognize their efforts and the important role they play in keeping X safe for everyone, we offer a bounty for reporting certain qualifying security vulnerabilities. Please make sure you review the following program rules before you report a vulnerability. By participating in this program, you agree to be bound by these rules.\n\n## Rewards\n\n* X may, at its sole discretion, provide rewards to eligible reporters of qualifying vulnerabilities.\n* Issue severity is calculated by an internal 5x5 risk matrix based on X-specific data and use cases. Severity is considered a combination of Impact and Likelihood, each assigned a value of Informative, Low, Medium, High, or Critical.\n* Payouts are determined by a panel of security experts\n\n## Legal\n\n### Fine Print\n\nYou must comply with all applicable laws in connection with your participation in this program. You are also responsible for any applicable taxes associated with any reward you receive.\n\nWe may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively. \n\n## SLA\nX will make a best effort to abide by the following timelines:\n* First Response: 2 business days\n* Time to Triage: 10 business days\n* Time to Bounty: 14 business days\n* Time to Resolution: depends on severity and complexity\n\n## Rules of Engagement\nWhen researching security issues, especially those which may compromise the privacy of others, you must use test accounts in order to respect our users’ privacy. 
Accessing private information of other users, performing actions that may negatively affect X users (e.g., spam, denial of service), or sending reports from automated tools without verifying them will immediately disqualify the report and may result in additional steps being taken.\n\n## Report Eligibility\n\n### General\n* You must be the first reporter of the vulnerability\n* The vulnerability must demonstrate security impact to a site or application in scope (see below)\n* You must not have compromised the privacy of our users or otherwise violated the [X Rules](https://help.twitter.com/en/rules-and-policies/X-rules)\n* You must not have publicly disclosed the vulnerability prior to the report being closed, in compliance with the process described in the [HackerOne Vulnerability Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines)\n* We must not be legally prohibited from rewarding you\n\n### Open-Source Recommendation Algorithm\nReports for the open-source recommendation algorithm have additional requirements:\n* In most cases, a working proof of concept is required for report acceptance.\n* If a proof of concept is not provided, nor sufficient supporting documentation for X engineers to feasibly recreate and evaluate the issue, the report may not be accepted.\n* Report quality for acceptance will be at the discretion of X's HackerOne program.\n\n### AI\n* Model issues are out of scope for this program and should be reported through the [model behavior feedback form](https://forms.gle/9FEYRcBqLCHxxZTP9).\n\n### Ineligible Issues\n#### The following issues are outside the scope of our vulnerability rewards program (either ineligible or false positives):\n\n* Attacks requiring physical access to a user's device\n* Any physical attacks against X property or data centers\n* Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability)\n* Logout CSRF\n* Password and account recovery policies, such as reset link expiration or 
password complexity\n* Invalid or missing SPF (Sender Policy Framework) records\n* Content spoofing / text injection\n* Issues related to software or protocols not under X control\n* Reports of spam ([see here for more info](https://support.twitter.com/articles/64986-reporting-spam-on-X))\n* Bypass of URL malware detection\n* Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n* Social engineering of X staff or contractors\n* Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages\n* Issues that result in Denial of Service (DoS) to X's servers at the network or application layer.\n* Cache poisoning techniques that impact service availability for other users.\n* Reports of broken hyperlinks from X blog posts, press releases, or support articles to unclaimed X Handles or to a location where it is not possible to cause the controlled contents to be downloaded to the victim’s filesystem.\n* Issues relating to unlocking client-side features in modified X applications, rooted devices, or jailbroken devices.\n* Open redirects unless they can demonstrate a higher security risk than phishing.\n* Manipulation of \"likes/follows/views\" count due to caching issues. We are already aware that some statistics on our site may temporarily display inaccurate figures when many requests are sent in a brief period of time. However, that is because the numbers are cached, and the cache may take a bit of time to synchronize with the accurate backend data store. 
\n* Homoglyph attacks in URLs that can lead to phishing scenarios, unless the finding can demonstrate larger issues on our platform (e.g., AuthN/AuthZ bypass)\n\n#### The following are common reports that are not security concerns:\n\n* Documents in the [Ads Transparency Center](https://business.twitter.com/en/help/ads-policies/product-policies/ads-transparency.html) do not disclose private account information. We intentionally disclose the advertising status of accounts to better inform our users of ads being run on our platform.\n\n## Report Disclosures\nWe currently don't disclose reports marked as **Informative**. Exceptional reports may be considered for disclosure on a case-by-case basis.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-10-08T16:19:52.150Z"},{"id":3740539,"new_policy":"# Program Rules\n\nMaintaining effective security is a community effort, and we are proud to have a vibrant group of independent security researchers who volunteer their time to help us spot potential issues. To recognize their efforts and the important role they play in keeping X safe for everyone, we offer a bounty for reporting certain qualifying security vulnerabilities. Please make sure you review the following program rules before you report a vulnerability. By participating in this program, you agree to be bound by these rules.\n\n## Rewards\n\n* X may, at its sole discretion, provide rewards to eligible reporters of qualifying vulnerabilities.\n* Issue severity is calculated by an internal 5x5 risk matrix based on X-specific data and use cases. 
Severity is considered a combination of Impact and Likelihood, each assigned a value of Informative, Low, Medium, High, or Critical.\n* Payouts are determined by a panel of security experts\n\n## Legal\n\n### Fine Print\n\nYou must comply with all applicable laws in connection with your participation in this program. You are also responsible for any applicable taxes associated with any reward you receive.\n\nWe may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively. \n\n## SLA\nX will make a best effort to abide by the following timelines:\n* First Response: 2 business days\n* Time to Triage: 10 business days\n* Time to Bounty: 14 business days\n* Time to Resolution: depends on severity and complexity\n\n## Rules of Engagement\nWhen researching security issues, especially those which may compromise the privacy of others, you must use test accounts in order to respect our users’ privacy. Accessing private information of other users, performing actions that may negatively affect X users (e.g., spam, denial of service), or sending reports from automated tools without verifying them will immediately disqualify the report and may result in additional steps being taken.\n\n## Report Eligibility\n\n### General\n* You must be the first reporter of the vulnerability\n* The vulnerability must demonstrate security impact to a site or application in scope (see below)\n* You must not have compromised the privacy of our users or otherwise violated the [X Rules](https://help.twitter.com/en/rules-and-policies/X-rules)\n* You must not have publicly disclosed the vulnerability prior to the report being closed, in compliance with the process described in the [HackerOne Vulnerability Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines)\n* We are not legally prohibited from rewarding you\n\n### Open-Source Recommendation Algorithm\nReports for the open-source recommendation 
algorithm have additional requirements:\n* In most cases, a working proof of concept is required for report acceptance.\n* If a proof of concept is not provided, nor sufficient supporting documentation for X engineers to feasibly recreate and evaluate the issue, the report may not be accepted.\n* Report quality for acceptance will be at the discretion of X's HackerOne program.\n\n### AI\n* Model issues are out of scope for this program and should be reported through the [model behavior feedback form](https://forms.gle/9FEYRcBqLCHxxZTP9).\n\n### Ineligible Issues\n#### The following issues are outside the scope of our vulnerability rewards program (either ineligible or false positives):\n\n* Attacks requiring physical access to a user's device\n* Any physical attacks against X property or data centers\n* Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability)\n* Logout CSRF\n* Password and account recovery policies, such as reset link expiration or password complexity\n* Invalid or missing SPF (Sender Policy Framework) records\n* Content spoofing / text injection\n* Issues related to software or protocols not under X control\n* Reports of spam ([see here for more info](https://support.twitter.com/articles/64986-reporting-spam-on-X))\n* Bypass of URL malware detection\n* Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n* Social engineering of X staff or contractors\n* Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages\n* Issues that result in Denial of Service (DoS) to X's servers at the network or application layer.\n* Cache poisoning techniques that impact service availability for other users.\n* Reports of broken hyperlinks from X blog posts, press releases, or support articles to unclaimed X Handles or to a location where it is not possible to cause the controlled contents to be downloaded to the victim’s 
filesystem.\n* Issues relating to unlocking client-side features in modified X applications, rooted devices, or jailbroken devices.\n* Open redirects unless they can demonstrate a higher security risk than phishing.\n* Manipulation of \"likes/follows/views\" count due to caching issues. We are already aware that some statistics on our site may temporarily display inaccurate figures when many requests are sent in a brief period of time. However, that is because the numbers are cached, and the cache may take a bit of time to synchronize with the accurate backend data store. \n* Homoglyph attacks in URLs that can lead to phishing scenarios, unless the finding can demonstrate larger issues on our platform (e.g., AuthN/AuthZ bypass)\n\n#### The following are common reports that are not security concerns:\n\n* Documents in the [Ads Transparency Center](https://business.twitter.com/en/help/ads-policies/product-policies/ads-transparency.html) do not disclose private account information. We intentionally disclose the advertising status of accounts to better inform our users of ads being run on our platform.\n\n## Report Disclosures\nWe currently don't disclose reports marked as **Informative**. Exceptional reports may be considered for disclosure on a case-by-case basis.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-09-26T15:38:30.530Z"},{"id":3739427,"new_policy":"# Program Rules\n\nMaintaining effective security is a community effort, and we are proud to have a vibrant group of independent security researchers who volunteer their time to help us spot potential issues. 
To recognize their efforts and the important role they play in keeping X safe for everyone, we offer a bounty for reporting certain qualifying security vulnerabilities. Please make sure you review the following program rules before you report a vulnerability. By participating in this program, you agree to be bound by these rules.\n\n## Rewards\n\n* X may, at its sole discretion, provide rewards to eligible reporters of qualifying vulnerabilities.\n* Issue severity is calculated by an internal 5x5 risk matrix based on X-specific data and use cases. Severity is considered a combination of Impact and Likelihood, each assigned a value of Informative, Low, Medium, High, or Critical.\n* Payouts are determined by a panel of security experts\n\n## Legal\n\n### Fine Print\n\nYou must comply with all applicable laws in connection with your participation in this program. You are also responsible for any applicable taxes associated with any reward you receive.\n\nWe may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively. \n\n## SLA\nX will make a best effort to abide by the following timelines:\n* First Response: 2 business days\n* Time to Triage: 10 business days\n* Time to Bounty: 14 business days\n* Time to Resolution: depends on severity and complexity\n\n## Rules of Engagement\nWhen researching security issues, especially those which may compromise the privacy of others, you must use test accounts in order to respect our users’ privacy. 
Accessing private information of other users, performing actions that may negatively affect X users (e.g., spam, denial of service), or sending reports from automated tools without verifying them will immediately disqualify the report and may result in additional steps being taken.\n\n## Report Eligibility\n\n### General\n* You must be the first reporter of the vulnerability\n* The vulnerability must demonstrate security impact to a site or application in scope (see below)\n* You must not have compromised the privacy of our users or otherwise violated the [X Rules](https://help.twitter.com/en/rules-and-policies/X-rules)\n* You must not have publicly disclosed the vulnerability prior to the report being closed, in compliance with the process described in the [HackerOne Vulnerability Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines)\n* We are not legally prohibited from rewarding you\n\n### Open-Source Recommendation Algorithm\nReports for the open-source recommendation algorithm have additional requirements:\n* In most cases, a working proof of concept is required for report acceptance.\n* If a proof of concept is not provided, nor sufficient supporting documentation for X engineers to feasibly recreate and evaluate the issue, the report may not be accepted.\n* Report quality for acceptance will be at the discretion of X's HackerOne program.\n\n### AI\n* Model issues are out of scope for this program and should be reported through the [model behavior feedback form](https://forms.gle/9FEYRcBqLCHxxZTP9).\n\n### Ineligible Issues\n#### The following issues are outside the scope of our vulnerability rewards program (either ineligible or false positives):\n\n* Attacks requiring physical access to a user's device\n* Any physical attacks against X property or data centers\n* Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability)\n* Logout CSRF\n* Password and account recovery policies, such as reset link expiration or password 
complexity\n* Invalid or missing SPF (Sender Policy Framework) records\n* Content spoofing / text injection\n* Issues related to software or protocols not under X control\n* Reports of spam ([see here for more info](https://support.twitter.com/articles/64986-reporting-spam-on-X))\n* Bypass of URL malware detection\n* Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n* Social engineering of X staff or contractors\n* Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages\n* Issues that result in Denial of Service (DoS) to X's servers at the network or application layer.\n* Cache poisoning techniques that impact service availability for other users.\n* Reports of broken hyperlinks from X blog posts, press releases, or support articles to unclaimed X Handles or to a location where it is not possible to cause the controlled contents to be downloaded to the victim’s filesystem.\n* Issues relating to unlocking client-side features in modified X applications, rooted devices, or jailbroken devices.\n* Open redirects unless they can demonstrate a higher security risk than phishing.\n* Manipulation of \"likes/follows/views\" count due to caching issues. We are already aware that some statistics on our site may temporarily display inaccurate figures when many requests are sent in a brief period of time. However, that is because the numbers are cached, and the cache may take a bit of time to synchronize with the accurate backend data store. \n* Homoglyph attacks in URLs that can lead to phishing scenarios, unless the finding can demonstrate larger issues on our platform (e.g., AuthN/AuthZ bypass)\n\n#### The following are common reports that are not security concerns:\n\n* Documents in the [Ads Transparency Center](https://business.twitter.com/en/help/ads-policies/product-policies/ads-transparency.html) do not disclose private account information. 
We intentionally disclose the advertising status of accounts to better inform our users of ads being run on our platform.\n\n## Report Disclosures\nWe currently don't disclose reports marked as **Informative**.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-09-16T17:18:23.882Z"},{"id":3708102,"new_policy":"# Program Rules\n\nMaintaining effective security is a community effort, and we are proud to have a vibrant group of independent security researchers who volunteer their time to help us spot potential issues. To recognize their efforts and the important role they play in keeping X safe for everyone, we offer a bounty for reporting certain qualifying security vulnerabilities. Please make sure you review the following program rules before you report a vulnerability. By participating in this program, you agree to be bound by these rules.\n\n## Rewards\n\n* X may, at its sole discretion, provide rewards to eligible reporters of qualifying vulnerabilities.\n* Issue severity is calculated by an internal 5x5 risk matrix based on X-specific data and use cases. Severity is considered a combination of Impact and Likelihood, each assigned a value of Informative, Low, Medium, High, or Critical.\n* Payouts are determined by a panel of security experts\n\n## Legal\n\n### Fine Print\n\nYou must comply with all applicable laws in connection with your participation in this program. You are also responsible for any applicable taxes associated with any reward you receive.\n\nWe may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively. 
\n\n## SLA\nX will make a best effort to abide by the following timelines:\n* First Response: 2 business days\n* Time to Triage: 10 business days\n* Time to Bounty: 14 business days\n* Time to Resolution: depends on severity and complexity\n\n## Rules of Engagement\nWhen researching security issues, especially those which may compromise the privacy of others, you must use test accounts in order to respect our users’ privacy. Accessing private information of other users, performing actions that may negatively affect X users (e.g., spam, denial of service), or sending reports from automated tools without verifying them will immediately disqualify the report and may result in additional steps being taken.\n\n## Report Eligibility\n\n### General\n* You must be the first reporter of the vulnerability\n* The vulnerability must demonstrate security impact to a site or application in scope (see below)\n* You must not have compromised the privacy of our users or otherwise violated the [X Rules](https://help.twitter.com/en/rules-and-policies/X-rules)\n* You must not have publicly disclosed the vulnerability prior to the report being closed, in compliance with the process described in the [HackerOne Vulnerability Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines)\n* We are not legally prohibited from rewarding you\n\n### Open-Source Recommendation Algorithm\nReports for the open-source recommendation algorithm have additional requirements:\n* In most cases, a working proof of concept is required for report acceptance.\n* If a proof of concept is not provided, nor sufficient supporting documentation for X engineers to feasibly recreate and evaluate the issue, the report may not be accepted.\n* Report quality for acceptance will be at the discretion of X's HackerOne program.\n\n### AI\n* Model issues are out of scope for this program and should be reported through the [model behavior feedback form](https://forms.gle/9FEYRcBqLCHxxZTP9).\n\n### Ineligible 
Issues\n#### The following issues are outside the scope of our vulnerability rewards program (either ineligible or false positives):\n\n* Attacks requiring physical access to a user's device\n* Any physical attacks against X property or data centers\n* Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability)\n* Logout CSRF\n* Password and account recovery policies, such as reset link expiration or password complexity\n* Invalid or missing SPF (Sender Policy Framework) records\n* Content spoofing / text injection\n* Issues related to software or protocols not under X control\n* Reports of spam ([see here for more info](https://support.twitter.com/articles/64986-reporting-spam-on-X))\n* Bypass of URL malware detection\n* Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n* Social engineering of X staff or contractors\n* Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages\n* Issues that result in Denial of Service (DoS) to X's servers at the network or application layer.\n* Reports of broken hyperlinks from X blog posts, press releases, or support articles to unclaimed X Handles or to a location where it is not possible to cause the controlled contents to be downloaded to the victim’s filesystem.\n* Issues relating to unlocking client-side features in modified X applications, rooted devices, or jailbroken devices.\n* Open redirects unless they can demonstrate a higher security risk than phishing.\n* Manipulation of \"likes/follows/views\" count due to caching issues. We are already aware that some statistics on our site may temporarily display inaccurate figures when many requests are sent in a brief period of time. However, that is because the numbers are cached, and the cache may take a bit of time to synchronize with the accurate backend data store. 
\n* Homoglyph attacks in URLs that can lead to phishing scenarios, unless the finding can demonstrate larger issues on our platform (e.g. AuthN/AuthZ bypass)\n\n#### The following are common reports that are not security concerns:\n\n* Documents in the [Ads Transparency Center](https://business.twitter.com/en/help/ads-policies/product-policies/ads-transparency.html) do not disclose private account information. We intentionally disclose the advertising status of accounts to better inform our users of ads being run on our platform.\n\n## Report Disclosures\nWe currently don't disclose reports marked as **Informative**.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-11-27T23:16:26.821Z"},{"id":3699641,"new_policy":"# Program Rules\n\nMaintaining effective security is a community effort, and we are proud to have a vibrant group of independent security researchers who volunteer their time to help us spot potential issues. To recognize their efforts and the important role they play in keeping X safe for everyone, we offer a bounty for reporting certain qualifying security vulnerabilities. Please make sure you review the following program rules before you report a vulnerability. By participating in this program, you agree to be bound by these rules.\n\n## Rewards\n\n* X may, at its sole discretion, provide rewards to eligible reporters of qualifying vulnerabilities.\n* Issue severity is calculated by an internal 5x5 risk matrix based on X-specific data and use cases. 
Severity is considered a combination of Impact and Likelihood, each assigned a value of Informative, Low, Medium, High, or Critical.\n* Payouts are determined by a panel of security experts\n\n## Legal\n\n### Fine Print\n\nYou must comply with all applicable laws in connection with your participation in this program. You are also responsible for any applicable taxes associated with any reward you receive.\n\nWe may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively. \n\n## SLA\nX will make a best effort to abide by the following timelines:\n* First Response: 2 business days\n* Time to Triage: 10 business days\n* Time to Bounty: 14 business days\n* Time to Resolution: depends on severity and complexity\n\n## Rules of Engagement\nWhen researching security issues, especially those which may compromise the privacy of others, you must use test accounts in order to respect our users’ privacy. Accessing private information of other users, performing actions that may negatively affect X users (e.g., spam, denial of service), or sending reports from automated tools without verifying them will immediately disqualify the report and may result in additional steps being taken.\n\n## Report Eligibility\n\n### General\n* You must be the first reporter of the vulnerability\n* The vulnerability must demonstrate security impact to a site or application in scope (see below)\n* You must not have compromised the privacy of our users or otherwise violated the [X Rules](https://help.twitter.com/en/rules-and-policies/X-rules)\n* You must not have publicly disclosed the vulnerability prior to the report being closed, in compliance with the process described in the [HackerOne Vulnerability Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines)\n* We are not legally prohibited from rewarding you\n\n### Open-Source Recommendation Algorithm\nReports for the open-source recommendation 
algorithm have additional requirements:\n* In most cases, a working proof of concept is required for report acceptance.\n* If a proof of concept is not provided, nor sufficient supporting documentation for X engineers to feasibly recreate and evaluate the issue, the report may not be accepted.\n* Report quality for acceptance will be at the discretion of X's HackerOne program.\n\n### Ineligible Issues\n#### The following issues are outside the scope of our vulnerability rewards program (either ineligible or false positives):\n\n* Attacks requiring physical access to a user's device\n* Any physical attacks against X property or data centers\n* Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability)\n* Logout CSRF\n* Password and account recovery policies, such as reset link expiration or password complexity\n* Invalid or missing SPF (Sender Policy Framework) records\n* Content spoofing / text injection\n* Issues related to software or protocols not under X control\n* Reports of spam ([see here for more info](https://support.twitter.com/articles/64986-reporting-spam-on-X))\n* Bypass of URL malware detection\n* Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n* Social engineering of X staff or contractors\n* Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages\n* Issues that result in Denial of Service (DoS) to X's servers at the network or application layer.\n* Reports of broken hyperlinks from X blog posts, press releases, or support articles to unclaimed X Handles or to a location where it is not possible to cause the controlled contents to be downloaded to the victim’s filesystem.\n* Issues relating to unlocking client-side features in modified X applications, rooted devices, or jailbroken devices.\n* Open redirects unless they can demonstrate a higher security risk than phishing.\n* Manipulation of 
\"likes/follows/views\" count due to caching issues. We are already aware that some statistics on our site may temporarily display inaccurate figures when many requests are sent in a brief period of time. However, that is because the numbers are cached, and the cache may take a bit of time to synchronize with the accurate backend data store. \n* Homoglyph attacks in URLs that can lead to phishing scenarios, unless the finding can demonstrate larger issues on our platform (e.g. AuthN/AuthZ bypass)\n\n#### The following are common reports that are not security concerns:\n\n* Documents in the [Ads Transparency Center](https://business.twitter.com/en/help/ads-policies/product-policies/ads-transparency.html) do not disclose private account information. We intentionally disclose the advertising status of accounts to better inform our users of ads being run on our platform.\n\n## Report Disclosures\nWe currently don't disclose reports marked as **Informative**.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-08-08T15:11:40.708Z"},{"id":3689946,"new_policy":"# Program Rules\n\nMaintaining effective security is a community effort, and we are proud to have a vibrant group of independent security researchers who volunteer their time to help us spot potential issues. To recognize their efforts and the important role they play in keeping Twitter safe for everyone, we offer a bounty for reporting certain qualifying security vulnerabilities. Please make sure you review the following program rules before you report a vulnerability. 
By participating in this program, you agree to be bound by these rules.\n\n## Rewards\n\n* Twitter may, at its sole discretion, provide rewards to eligible reporters of qualifying vulnerabilities.\n* Issue severity is calculated by an internal 5x5 risk matrix based on Twitter-specific data and use cases. Severity is considered a combination of Impact and Likelihood, each assigned a value of Informative, Low, Medium, High, or Critical.\n* Payouts are determined by a panel of security experts\n\n## Legal\n\n### Fine Print\n\nYou must comply with all applicable laws in connection with your participation in this program. You are also responsible for any applicable taxes associated with any reward you receive.\n\nWe may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively. \n\n## SLA\nTwitter will make a best effort to abide by the following timelines:\n* First Response: 2 business days\n* Time to Triage: 10 business days\n* Time to Bounty: 14 business days\n* Time to Resolution: depends on severity and complexity\n\n## Rules of Engagement\nWhen researching security issues, especially those which may compromise the privacy of others, you must use test accounts in order to respect our users’ privacy. 
Accessing private information of other users, performing actions that may negatively affect Twitter users (e.g., spam, denial of service), or sending reports from automated tools without verifying them will immediately disqualify the report and may result in additional steps being taken.\n\n## Report Eligibility\n\n### General\n* You must be the first reporter of the vulnerability\n* The vulnerability must demonstrate security impact to a site or application in scope (see below)\n* You must not have compromised the privacy of our users or otherwise violated the [Twitter Rules](https://help.twitter.com/en/rules-and-policies/twitter-rules)\n* You must not have publicly disclosed the vulnerability prior to the report being closed, in compliance with the process described in the [HackerOne Vulnerability Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines)\n* We are not legally prohibited from rewarding you\n\n### Open-Source Recommendation Algorithm\nReports for the open-source recommendation algorithm have additional requirements:\n* In most cases, a working proof of concept is required for report acceptance.\n* If a proof of concept is not provided, nor sufficient supporting documentation for Twitter engineers to feasibly recreate and evaluate the issue, the report may not be accepted.\n* Report quality for acceptance will be at the discretion of Twitter's HackerOne program.\n\n### Ineligible Issues\n#### The following issues are outside the scope of our vulnerability rewards program (either ineligible or false positives):\n\n* Attacks requiring physical access to a user's device\n* Any physical attacks against Twitter property or data centers\n* Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability)\n* Logout CSRF\n* Password and account recovery policies, such as reset link expiration or password complexity\n* Invalid or missing SPF (Sender Policy Framework) records\n* Content spoofing / text injection\n* Issues related to 
software or protocols not under Twitter control\n* Reports of spam ([see here for more info](https://support.twitter.com/articles/64986-reporting-spam-on-twitter))\n* Bypass of URL malware detection\n* Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n* Social engineering of Twitter staff or contractors\n* Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages\n* Issues that result in Denial of Service (DoS) to Twitter's servers at the network or application layer.\n* Reports of broken hyperlinks from Twitter blog posts, press releases, or support articles to unclaimed Twitter Handles or to a location where it is not possible to cause the controlled contents to be downloaded to the victim’s filesystem.\n* Issues relating to unlocking client-side features in modified Twitter applications, rooted devices, or jailbroken devices.\n* Open redirects unless they can demonstrate a higher security risk than phishing.\n* Manipulation of \"likes/follows/views\" count due to caching issues. We are already aware that some statistics on our site may temporarily display inaccurate figures when many requests are sent in a brief period of time. However, that is because the numbers are cached, and the cache may take a bit of time to synchronize with the accurate backend data store. \n* Homoglyph attacks in URLs that can lead to phishing scenarios, unless the finding can demonstrate larger issues on our platform (e.g. AuthN/AuthZ bypass)\n\n#### The following are common reports that are not security concerns:\n\n* Documents in the [Ads Transparency Center](https://business.twitter.com/en/help/ads-policies/product-policies/ads-transparency.html) do not disclose private account information. 
We intentionally disclose the advertising status of accounts to better inform our users of ads being run on our platform.\n\n## Report Disclosures\nWe currently don't disclose reports marked as **Informative**.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-06-26T19:18:01.699Z"},{"id":3687544,"new_policy":"# Program Rules\n\nMaintaining effective security is a community effort, and we are proud to have a vibrant group of independent security researchers who volunteer their time to help us spot potential issues. To recognize their efforts and the important role they play in keeping Twitter safe for everyone, we offer a bounty for reporting certain qualifying security vulnerabilities. Please make sure you review the following program rules before you report a vulnerability. By participating in this program, you agree to be bound by these rules.\n\n## Rewards\n\nTwitter may, at its sole discretion, provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $140 USD. Rewards are typically paid out on Fridays. The following table outlines the nominal rewards for specific classes of vulnerabilities for in-scope properties (see section on Scope). \n\n| Category | Examples | Core Twitter[1] | Everything Else |\n|----------|----------|--------------:|-----------------:|\n| Remote code execution | Command injection | $20,160 | $10,080 |\n| Administrative functionality | Access to internal Twitter applications | $12,460 | $6,300 |\n| Unrestricted access to data (filesystem, database, etc.) 
| XXE, SQLi | $12,460 | $6,300 |\n| Flaws leaking PII or bypassing significant controls | IDOR, impersonation, sensitive actions by user | $7,700 | $3,920 |\n| Account takeover | OAuth vulnerabilities | $7,700 | $3,920 |\n| Recommendation Algorithm Manipulation | Bypass visibility filtering, Manipulate rankings in Twitter recommendations | $6,942.00 | N/A |\n| Perform activities on behalf of a user | XSS, Android Intent abuse | $2,940 | $1,540 |\n| Other valid vulnerabilities | CSRF, clickjacking, information leakage | $280 - $2,940 | $140 - $1,540 |\n\n[1] Core Twitter is defined as anything hosted on `*.twitter.com`, `*.twimg.com`, and Twitter owned-and-operated mobile clients.\n\nTwitter may choose to pay higher rewards for unusually clever or severe vulnerabilities or lower rewards for vulnerabilities that require significant or unusual user interaction. \n\n## Report Eligibility\n\nAny design or implementation issue that is reproducible and substantially affects the security of Twitter users is likely to be in scope for the program. Consider what an attack scenario would look like, and how an attacker might benefit? What are the consequences to the victim? 
The [Google Bug Hunters University guide](https://bughunters.google.com/learn/improving-your-reports/how-to-report/6379261818306560/write-down-the-attack-scenario) may be useful in considering whether an issue has security impact.\n\nOnly reports that meet the following requirements are eligible to receive a monetary reward:\n\n* You must be the first reporter of the vulnerability\n* The vulnerability must demonstrate security impact to a site or application in scope (see below)\n* You must not have compromised the privacy of our users or otherwise violated the [Twitter Rules](https://help.twitter.com/en/rules-and-policies/twitter-rules)\n* You must not have publicly disclosed the vulnerability prior to the report being closed, in compliance with the process described in the [HackerOne Vulnerability Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines)\n* We are not legally prohibited from rewarding you\n\nReports for the open-source recommendation algorithm have additional requirements:\n* In most cases, a working proof of concept is required for report acceptance.\n* If a proof of concept is not provided, nor sufficient supporting documentation for Twitter engineers to feasibly recreate and evaluate the issue, the report may not be accepted.\n* Report quality for acceptance will be at the discretion of Twitter's HackerOne program.\n\nDepending on their impact, issues may qualify for a monetary reward; all reports are reviewed on a case-by-case basis and any report that results in a change being made will at a minimum receive Hall of Fame recognition.\n\nWhen researching security issues, especially those which may compromise the privacy of others, you must use test accounts in order to respect our users’ privacy. 
Accessing private information of other users, performing actions that may negatively affect Twitter users (e.g., spam, denial of service), or sending reports from automated tools without verifying them will immediately disqualify the report, and may result in additional steps being taken.\n\n### The following issues are outside the scope of our vulnerability rewards program (either ineligible or false positives):\n\n* Attacks requiring physical access to a user's device\n* Any physical attacks against Twitter property or data centers\n* Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability)\n* Logout CSRF\n* Password and account recovery policies, such as reset link expiration or password complexity\n* Invalid or missing SPF (Sender Policy Framework) records\n* Content spoofing / text injection\n* Issues related to software or protocols not under Twitter control\n* Reports of spam ([see here for more info](https://support.twitter.com/articles/64986-reporting-spam-on-twitter))\n* Bypass of URL malware detection\n* Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n* Social engineering of Twitter staff or contractors\n* Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages\n* Issues that result in Denial of Service (DoS) to Twitter's servers at the network or application layer.\n* Reports of broken hyperlinks from Twitter blog posts, press releases, or support articles to unclaimed Twitter Handles or to a location where it is not possible to cause the controlled contents to be downloaded to the victim’s filesystem.\n* Issues relating to unlocking client-side features in modified Twitter applications, rooted devices, or jailbroken devices.\n* Open redirects unless they can demonstrate a higher security risk than phishing.\n* Manipulation of \"likes/follows/views\" count due to caching issues. 
We are already aware that some statistics on our site may temporarily display inaccurate figures when many requests are sent in a brief period of time. However, that is because the numbers are cached, and the cache may take a bit of time to synchronize with the accurate backend data store. \n* Homoglyph attacks in URLs that can lead to phishing scenarios, unless the finding can demonstrate larger issues on our platform (e.g. AuthN/AuthZ bypass)\n\n### The following are common reports that are not security concerns:\n\n* Documents in the [Ads Transparency Center](https://business.twitter.com/en/help/ads-policies/product-policies/ads-transparency.html) do not disclose private account information. We intentionally disclose the advertising status of accounts to better inform our users of ads being run on our platform.\n\nIf you believe your account has been compromised, please [contact Twitter support directly](https://support.twitter.com/forms/). \n\n## Report Disclosures\nWe currently don't disclose reports marked as **Informative**.\n\n## Fine Print\n\nYou must comply with all applicable laws in connection with your participation in this program. You are also responsible for any applicable taxes associated with any reward you receive.\n\nWe may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively. \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-05-11T18:15:29.960Z"},{"id":3686137,"new_policy":"# Program Rules\n\nMaintaining effective security is a community effort, and we are proud to have a vibrant group of independent security researchers who volunteer their time to help us spot potential issues. 
To recognize their efforts and the important role they play in keeping Twitter safe for everyone, we offer a bounty for reporting certain qualifying security vulnerabilities. Please make sure you review the following program rules before you report a vulnerability. By participating in this program, you agree to be bound by these rules.\n\n## Rewards\n\nTwitter may, at its sole discretion, provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $140 USD. Rewards are typically paid out on Fridays. The following table outlines the nominal rewards for specific classes of vulnerabilities for in-scope properties (see section on Scope). \n\n| Category | Examples | Core Twitter[1] | Everything Else |\n|----------|----------|--------------:|-----------------:|\n| Remote code execution | Command injection | $20,160 | $10,080 |\n| Administrative functionality | Access to internal Twitter applications | $12,460 | $6,300 |\n| Unrestricted access to data (filesystem, database, etc.) | XXE, SQLi | $12,460 | $6,300 |\n| Flaws leaking PII or bypassing significant controls | IDOR, impersonation, sensitive actions by user | $7,700 | $3,920 |\n| Account takeover | OAuth vulnerabilities | $7,700 | $3,920 |\n| Recommendation Algorithm Manipulation | Bypass visibility filtering, Manipulate rankings in Twitter recommendations | $6,942.00 | N/A |\n| Perform activities on behalf of a user | XSS, Android Intent abuse | $2,940 | $1,540 |\n| Other valid vulnerabilities | CSRF, clickjacking, information leakage | $280 - $2,940 | $140 - $1,540 |\n\n[1] Core Twitter is defined as anything hosted on `*.twitter.com`, `*.twimg.com`, and Twitter owned-and-operated mobile clients.\n\nTwitter may choose to pay higher rewards for unusually clever or severe vulnerabilities or lower rewards for vulnerabilities that require significant or unusual user interaction. 
\n\n## Report Eligibility\n\nAny design or implementation issue that is reproducible and substantially affects the security of Twitter users is likely to be in scope for the program. Consider what an attack scenario would look like, and how an attacker might benefit? What are the consequences to the victim? The [Google Bug Hunters University guide](https://bughunters.google.com/learn/improving-your-reports/how-to-report/6379261818306560/write-down-the-attack-scenario) may be useful in considering whether an issue has security impact.\n\nOnly reports that meet the following requirements are eligible to receive a monetary reward:\n\n* You must be the first reporter of the vulnerability\n* The vulnerability must demonstrate security impact to a site or application in scope (see below)\n* You must not have compromised the privacy of our users or otherwise violated the [Twitter Rules](https://help.twitter.com/en/rules-and-policies/twitter-rules)\n* You must not have publicly disclosed the vulnerability prior to the report being closed, in compliance with the process described in the [HackerOne Vulnerability Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines)\n* We are not legally prohibited from rewarding you\n\nReports for the open-source recommendation algorithm have additional requirements:\n* In most cases, a working proof of concept is required for report acceptance.\n* If a proof of concept is not provided, nor sufficient supporting documentation for Twitter engineers to feasibly recreate and evaluate the issue, the report may not be accepted.\n* Report quality for acceptance will be at the discretion of Twitter's HackerOne program.\n\nDepending on their impact, issues may qualify for a monetary reward; all reports are reviewed on a case-by-case basis and any report that results in a change being made will at a minimum receive Hall of Fame recognition.\n\nWhen researching security issues, especially those which may compromise the privacy of 
others, you must use test accounts in order to respect our users’ privacy. Accessing private information of other users, performing actions that may negatively affect Twitter users (e.g., spam, denial of service), or sending reports from automated tools without verifying them will immediately disqualify the report, and may result in additional steps being taken.\n\nThe following issues are outside the scope of our vulnerability rewards program (either ineligible or false positives):\n\n* Attacks requiring physical access to a user's device\n* Any physical attacks against Twitter property or data centers\n* Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability)\n* Logout CSRF\n* Password and account recovery policies, such as reset link expiration or password complexity\n* Invalid or missing SPF (Sender Policy Framework) records\n* Content spoofing / text injection\n* Issues related to software or protocols not under Twitter control\n* Reports of spam ([see here for more info](https://support.twitter.com/articles/64986-reporting-spam-on-twitter))\n* Bypass of URL malware detection\n* Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n* Social engineering of Twitter staff or contractors\n* Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages\n* Issues that result in Denial of Service (DoS) to Twitter's servers at the network or application layer.\n* Reports of broken hyperlinks from Twitter blog posts, press releases, or support articles to unclaimed Twitter Handles or to a location where it is not possible to cause the controlled contents to be downloaded to the victim’s filesystem.\n* Issues relating to unlocking client-side features in modified Twitter applications, rooted devices, or jailbroken devices.\n* Open redirects unless they can demonstrate a higher security risk than phishing.\n* Manipulation of 
\"likes/follows/views\" count due to caching issues. We are already aware that some statistics on our site may temporarily display inaccurate figures when many requests are sent in a brief period of time. However, that is because the numbers are cached, and the cache may take a bit of time to synchronize with the accurate backend data store. \n* Homoglyph attacks in URLs that can lead to phishing scenarios, unless the finding can demonstrate larger issues on our platform (e.g. AuthN/AuthZ bypass)\n\nIf you believe your account has been compromised, please [contact Twitter support directly](https://support.twitter.com/forms/). \n\n## Report Disclosures\nWe currently don't disclose reports marked as **Informative**.\n\n## Fine Print\n\nYou must comply with all applicable laws in connection with your participation in this program. You are also responsible for any applicable taxes associated with any reward you receive.\n\nWe may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively. \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-04-13T16:36:02.856Z"},{"id":3686022,"new_policy":"# Program Rules\n\nMaintaining effective security is a community effort, and we are proud to have a vibrant group of independent security researchers who volunteer their time to help us spot potential issues. To recognize their efforts and the important role they play in keeping Twitter safe for everyone, we offer a bounty for reporting certain qualifying security vulnerabilities. Please make sure you review the following program rules before you report a vulnerability. 
By participating in this program, you agree to be bound by these rules.\n\n## Rewards\n\nTwitter may, at its sole discretion, provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $140 USD. Rewards are typically paid out on Fridays. The following table outlines the nominal rewards for specific classes of vulnerabilities for in-scope properties (see section on Scope). \n\n| Category | Examples | Core Twitter[1] | Everything Else |\n|----------|----------|--------------:|-----------------:|\n| Remote code execution | Command injection | $20,160 | $10,080 |\n| Administrative functionality | Access to internal Twitter applications | $12,460 | $6,300 |\n| Unrestricted access to data (filesystem, database, etc.) | XXE, SQLi | $12,460 | $6,300 |\n| Flaws leaking PII or bypassing significant controls | IDOR, impersonation, sensitive actions by user | $7,700 | $3,920 |\n| Account takeover | OAuth vulnerabilities | $7,700 | $3,920 |\n| Recommendation Algorithm Manipulation | Bypass visibility filtering, Manipulate rankings in Twitter recommendations | $6,942.00 | N/A |\n| Perform activities on behalf of a user | XSS, Android Intent abuse | $2,940 | $1,540 |\n| Other valid vulnerabilities | CSRF, clickjacking, information leakage | $280 - $2,940 | $140 - $1,540 |\n\n[1] Core Twitter is defined as anything hosted on `*.twitter.com`, `*.twimg.com`, and Twitter owned-and-operated mobile clients.\n\nTwitter may choose to pay higher rewards for unusually clever or severe vulnerabilities or lower rewards for vulnerabilities that require significant or unusual user interaction. \n\n## Report Eligibility\n\nAny design or implementation issue that is reproducible and substantially affects the security of Twitter users is likely to be in scope for the program. Consider what an attack scenario would look like, and how an attacker might benefit? What are the consequences to the victim? 
The [Google Bug Hunters University guide](https://bughunters.google.com/learn/improving-your-reports/how-to-report/6379261818306560/write-down-the-attack-scenario) may be useful in considering whether an issue has security impact.\n\nOnly reports that meet the following requirements are eligible to receive a monetary reward:\n\n* You must be the first reporter of the vulnerability\n* The vulnerability must demonstrate security impact to a site or application in scope (see below)\n* You must not have compromised the privacy of our users or otherwise violated the [Twitter Rules](https://help.twitter.com/en/rules-and-policies/twitter-rules)\n* You must not have publicly disclosed the vulnerability prior to the report being closed, in compliance with the process described in the [HackerOne Vulnerability Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines)\n* We are not legally prohibited from rewarding you\n\nReports for the open-source recommendation algorithm have additional requirements:\n* In most cases, a working proof of concept is required for report acceptance.\n* If a proof of concept is not provided, nor sufficient supporting documentation for Twitter engineers to feasibly recreate and evaluate the issue, the report may not be accepted.\n* Report quality for acceptance will be at the discretion of Twitter's HackerOne program.\n\nDepending on their impact, issues may qualify for a monetary reward; all reports are reviewed on a case-by-case basis and any report that results in a change being made will at a minimum receive Hall of Fame recognition.\n\nWhen researching security issues, especially those which may compromise the privacy of others, you must use test accounts in order to respect our users’ privacy. 
Accessing private information of other users, performing actions that may negatively affect Twitter users (e.g., spam, denial of service), or sending reports from automated tools without verifying them will immediately disqualify the report, and may result in additional steps being taken.\n\nThe following issues are outside the scope of our vulnerability rewards program (either ineligible or false positives):\n\n* Attacks requiring physical access to a user's device\n* Any physical attacks against Twitter property or data centers\n* Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability)\n* Logout CSRF\n* Password and account recovery policies, such as reset link expiration or password complexity\n* Invalid or missing SPF (Sender Policy Framework) records\n* Content spoofing / text injection\n* Issues related to software or protocols not under Twitter control\n* Reports of spam ([see here for more info](https://support.twitter.com/articles/64986-reporting-spam-on-twitter))\n* Bypass of URL malware detection\n* Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n* Social engineering of Twitter staff or contractors\n* Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages\n* Issues that result in Denial of Service (DoS) to Twitter's servers at the network or application layer.\n* Reports of broken hyperlinks from Twitter blog posts, press releases, or support articles to unclaimed Twitter Handles or to a location where it is not possible to cause the controlled contents to be downloaded to the victim’s filesystem.\n* Issues relating to unlocking client-side features in modified Twitter applications, rooted devices, or jailbroken devices.\n* Open redirects unless they can demonstrate a higher security risk than phishing.\n* Manipulation of \"likes/follows/views\" count due to caching issues. 
We are already aware that some statistics on our site may temporarily display inaccurate figures when many requests are sent in a brief period of time. However, that is because the numbers are cached, and the cache may take a bit of time to synchronize with the accurate backend data store. \n* Validation issues that can lead to phishing scenarios, unless the finding can demonstrate larger issues on our platform (e.g AuthN/AuthZ bypass)\n\nIf you believe your account has been compromised, please [contact Twitter support directly](https://support.twitter.com/forms/). \n\n## Report Disclosures\nWe currently don't disclose reports marked as **Informative**.\n\n## Fine Print\n\nYou must comply with all applicable laws in connection with your participation in this program. You are also responsible for any applicable taxes associated with any reward you receive.\n\nWe may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively. \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-04-11T18:18:59.931Z"},{"id":3685662,"new_policy":"# Program Rules\n\nMaintaining effective security is a community effort, and we are proud to have a vibrant group of independent security researchers who volunteer their time to help us spot potential issues. To recognize their efforts and the important role they play in keeping Twitter safe for everyone we offer a bounty for reporting certain qualifying security vulnerabilities. Please make sure you review the following program rules before you report a vulnerability. 
By participating in this program, you agree to be bound by these rules.\n\n## Rewards\n\nTwitter may, at its sole discretion, provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $140 USD. Rewards are typically paid out on Fridays. The following table outlines the nominal rewards for specific classes of vulnerabilities for in-scope properties (see section on Scope). \n\n| Category | Examples | Core Twitter[1] | Everything Else |\n|----------|----------|--------------:|-----------------:|\n| Remote code execution | Command injection | $20,160 | $10,080 |\n| Administrative functionality | Access to internal Twitter applications | $12,460 | $6,300 |\n| Unrestricted access to data (filesystem, database, etc.) | XXE, SQLi | $12,460 | $6,300 |\n| Flaws leaking PII or bypassing significant controls | IDOR, impersonation, sensitive actions by user | $7,700 | $3,920 |\n| Account takeover | OAuth vulnerabilities | $7,700 | $3,920 |\n| Recommendation Algorithm Manipulation | Bypass visibility filtering, Manipulate rankings in Twitter recommendations | $6,942.00 | N/A |\n| Perform activities on behalf of a user | XSS, Android Intent abuse | $2,940 | $1,540 |\n| Other valid vulnerabilities | CSRF, clickjacking, information leakage | $280 - $2,940 | $140 - $1,540 |\n\n[1] Core Twitter is defined as anything hosted on `*.twitter.com`, `*.twimg.com`, and Twitter owned-and-operated mobile clients.\n\nTwitter may choose to pay higher rewards for unusually clever or severe vulnerabilities or lower rewards for vulnerabilities that require significant or unusual user interaction. \n\n## Report Eligibility\n\nAny design or implementation issue that is reproducible and substantially affects the security of Twitter users is likely to be in scope for the program. Consider what an attack scenario would look like, and how an attacker might benefit? What are the consequences to the victim? 
The [Google Bug Hunters University guide](https://bughunters.google.com/learn/improving-your-reports/how-to-report/6379261818306560/write-down-the-attack-scenario) may be useful in considering whether an issue has security impact.\n\nOnly reports that meet the following requirements are eligible to receive a monetary reward:\n\n* You must be the first reporter of the vulnerability\n* The vulnerability must demonstrate security impact to a site or application in scope (see below)\n* You must not have compromised the privacy of our users or otherwise violated the [Twitter Rules](https://help.twitter.com/en/rules-and-policies/twitter-rules)\n* You must not have publicly disclosed the vulnerability prior to the report being closed, in compliance with the process described in the [HackerOne Vulnerability Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines)\n* We are not legally prohibited from rewarding you\n\nReports for the open-source recommendation algorithm have additional requirements:\n* In most cases, a working proof of concept is required for report acceptance.\n* If a proof of concept is not provided, nor sufficient supporting documentation for Twitter engineers to feasibly recreate and evaluate the issue, the report may not be accepted.\n* Report quality for acceptance will be at the discretion of Twitter's HackerOne program.\n\nDepending on their impact, issues may qualify for a monetary reward; all reports are reviewed on a case-by-case basis and any report that results in a change being made will at a minimum receive Hall of Fame recognition.\n\nWhen researching security issues, especially those which may compromise the privacy of others, you must use test accounts in order to respect our users’ privacy. 
Accessing private information of other users, performing actions that may negatively affect Twitter users (e.g., spam, denial of service), or sending reports from automated tools without verifying them will immediately disqualify the report, and may result in additional steps being taken.\n\nThe following issues are outside the scope of our vulnerability rewards program (either ineligible or false positives):\n\n* Attacks requiring physical access to a user's device\n* Any physical attacks against Twitter property or data centers\n* Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability)\n* Logout CSRF\n* Password and account recovery policies, such as reset link expiration or password complexity\n* Invalid or missing SPF (Sender Policy Framework) records\n* Content spoofing / text injection\n* Issues related to software or protocols not under Twitter control\n* Reports of spam ([see here for more info](https://support.twitter.com/articles/64986-reporting-spam-on-twitter))\n* Bypass of URL malware detection\n* Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n* Social engineering of Twitter staff or contractors\n* Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages\n* Issues that result in Denial of Service (DoS) to Twitter's servers at the network or application layer.\n* Reports of broken hyperlinks from Twitter blog posts, press releases, or support articles to unclaimed Twitter Handles or to a location where it is not possible to cause the controlled contents to be downloaded to the victim’s filesystem.\n* Issues relating to unlocking client-side features in modified Twitter applications, rooted devices, or jailbroken devices.\n* Open redirects unless they can demonstrate a higher security risk than phishing.\n* Manipulation of \"likes/follows/views\" count due to caching issues. 
We are already aware that some statistics on our site may temporarily display inaccurate figures when many requests are sent in a brief period of time. However, that is because the numbers are cached, and the cache may take a bit of time to synchronize with the accurate backend data store. \n\nIf you believe your account has been compromised, please [contact Twitter support directly](https://support.twitter.com/forms/). \n\n## Report Disclosures\nWe currently don't disclose reports marked as **Informative**.\n\n## Fine Print\n\nYou must comply with all applicable laws in connection with your participation in this program. You are also responsible for any applicable taxes associated with any reward you receive.\n\nWe may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively. \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-03-31T15:10:04.030Z"},{"id":3681611,"new_policy":"# Program Rules\n\nMaintaining effective security is a community effort, and we are proud to have a vibrant group of independent security researchers who volunteer their time to help us spot potential issues. To recognize their efforts and the important role they play in keeping Twitter safe for everyone we offer a bounty for reporting certain qualifying security vulnerabilities. Please make sure you review the following program rules before you report a vulnerability. By participating in this program, you agree to be bound by these rules.\n\n## Rewards\n\nTwitter may, at its sole discretion, provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $140 USD. Rewards are typically paid out on Fridays. 
The following table outlines the nominal rewards for specific classes of vulnerabilities for in-scope properties (see section on Scope). \n\n| Category | Examples | Core Twitter[1] | Everything Else |\n|----------|----------|--------------:|-----------------:|\n| Remote code execution | Command injection | $20,160 | $10,080 |\n| Administrative functionality | Access to internal Twitter applications | $12,460 | $6,300 |\n| Unrestricted access to data (filesystem, database, etc.) | XXE, SQLi | $12,460 | $6,300 |\n| Flaws leaking PII or bypassing significant controls | IDOR, impersonation, sensitive actions by user | $7,700 | $3,920 |\n| Account takeover | OAuth vulnerabilities | $7,700 | $3,920 |\n| Perform activities on behalf of a user | XSS, Android Intent abuse | $2,940 | $1,540 |\n| Other valid vulnerabilities | CSRF, clickjacking, information leakage | $280 - $2,940 | $140 - $1,540 |\n\n[1] Core Twitter is defined as anything hosted on `*.twitter.com`, `*.twimg.com`, and Twitter owned-and-operated mobile clients.\n\nTwitter may choose to pay higher rewards for unusually clever or severe vulnerabilities or lower rewards for vulnerabilities that require significant or unusual user interaction. \n\n## Report Eligibility\n\nAny design or implementation issue that is reproducible and substantially affects the security of Twitter users is likely to be in scope for the program. Consider what an attack scenario would look like, and how an attacker might benefit? What are the consequences to the victim? 
The [Google Bug Hunters University guide](https://bughunters.google.com/learn/improving-your-reports/how-to-report/6379261818306560/write-down-the-attack-scenario) may be useful in considering whether an issue has security impact.\n\nOnly reports that meet the following requirements are eligible to receive a monetary reward:\n\n* You must be the first reporter of the vulnerability\n* The vulnerability must demonstrate security impact to a site or application in scope (see below)\n* You must not have compromised the privacy of our users or otherwise violated the [Twitter Rules](https://help.twitter.com/en/rules-and-policies/twitter-rules)\n* You must not have publicly disclosed the vulnerability prior to the report being closed, in compliance with the process described in the [HackerOne Vulnerability Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines)\n* We are not legally prohibited from rewarding you\n\nDepending on their impact, issues may qualify for a monetary reward; all reports are reviewed on a case-by-case basis and any report that results in a change being made will at a minimum receive Hall of Fame recognition.\n\nWhen researching security issues, especially those which may compromise the privacy of others, you must use test accounts in order to respect our users’ privacy. 
Accessing private information of other users, performing actions that may negatively affect Twitter users (e.g., spam, denial of service), or sending reports from automated tools without verifying them will immediately disqualify the report, and may result in additional steps being taken.\n\nThe following issues are outside the scope of our vulnerability rewards program (either ineligible or false positives):\n\n* Attacks requiring physical access to a user's device\n* Any physical attacks against Twitter property or data centers\n* Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability)\n* Logout CSRF\n* Password and account recovery policies, such as reset link expiration or password complexity\n* Invalid or missing SPF (Sender Policy Framework) records\n* Content spoofing / text injection\n* Issues related to software or protocols not under Twitter control\n* Reports of spam ([see here for more info](https://support.twitter.com/articles/64986-reporting-spam-on-twitter))\n* Bypass of URL malware detection\n* Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n* Social engineering of Twitter staff or contractors\n* Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages\n* Issues that result in Denial of Service (DoS) to Twitter's servers at the network or application layer.\n* Reports of broken hyperlinks from Twitter blog posts, press releases, or support articles to unclaimed Twitter Handles or to a location where it is not possible to cause the controlled contents to be downloaded to the victim’s filesystem.\n* Issues relating to unlocking client-side features in modified Twitter applications, rooted devices, or jailbroken devices.\n* Open redirects unless they can demonstrate a higher security risk than phishing.\n* Manipulation of \"likes/follows/views\" count due to caching issues. 
We are already aware that some statistics on our site may temporarily display inaccurate figures when many requests are sent in a brief period of time. However, that is because the numbers are cached, and the cache may take a bit of time to synchronize with the accurate backend data store. \n\nIf you believe your account has been compromised, please [contact Twitter support directly](https://support.twitter.com/forms/). \n\n## Report Disclosures\nWe currently don't disclose reports marked as **Informative**.\n\n## Fine Print\n\nYou must comply with all applicable laws in connection with your participation in this program. You are also responsible for any applicable taxes associated with any reward you receive.\n\nWe may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively. \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-01-03T17:12:36.075Z"},{"id":3680485,"new_policy":"# Program Rules\n\nMaintaining effective security is a community effort, and we are proud to have a vibrant group of independent security researchers who volunteer their time to help us spot potential issues. To recognize their efforts and the important role they play in keeping Twitter safe for everyone we offer a bounty for reporting certain qualifying security vulnerabilities. Please make sure you review the following program rules before you report a vulnerability. By participating in this program, you agree to be bound by these rules.\n\n## Rewards\n\nTwitter may, at its sole discretion, provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $140 USD. Rewards are typically paid out on Fridays. 
The following table outlines the nominal rewards for specific classes of vulnerabilities for in-scope properties (see section on Scope). \n\n| Category | Examples | Core Twitter[1] | Everything Else |\n|----------|----------|--------------:|-----------------:|\n| Remote code execution | Command injection | $20,160 | $10,080 |\n| Administrative functionality | Access to internal Twitter applications | $12,460 | $6,300 |\n| Unrestricted access to data (filesystem, database, etc.) | XXE, SQLi | $12,460 | $6,300 |\n| Flaws leaking PII or bypassing significant controls | IDOR, impersonation, sensitive actions by user | $7,700 | $3,920 |\n| Account takeover | OAuth vulnerabilities | $7,700 | $3,920 |\n| Perform activities on behalf of a user | XSS, Android Intent abuse | $2,940 | $1,540 |\n| Other valid vulnerabilities | CSRF, clickjacking, information leakage | $280 - $2,940 | $140 - $1,540 |\n\n[1] Core Twitter is defined as anything hosted on `*.twitter.com`, `*.twimg.com`, and Twitter owned-and-operated mobile clients.\n\nTwitter may choose to pay higher rewards for unusually clever or severe vulnerabilities or lower rewards for vulnerabilities that require significant or unusual user interaction. \n\n## Report Eligibility\n\nAny design or implementation issue that is reproducible and substantially affects the security of Twitter users is likely to be in scope for the program. Consider what an attack scenario would look like, and how an attacker might benefit? What are the consequences to the victim? 
The [Google Bug Hunters University guide](https://bughunters.google.com/learn/improving-your-reports/how-to-report/6379261818306560/write-down-the-attack-scenario) may be useful in considering whether an issue has security impact.\n\nOnly reports that meet the following requirements are eligible to receive a monetary reward:\n\n* You must be the first reporter of the vulnerability\n* The vulnerability must demonstrate security impact to a site or application in scope (see below)\n* You must not have compromised the privacy of our users or otherwise violated the [Twitter Rules](https://help.twitter.com/en/rules-and-policies/twitter-rules)\n* You must not have publicly disclosed the vulnerability prior to the report being closed, in compliance with the process described in the [HackerOne Vulnerability Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines)\n* We are not legally prohibited from rewarding you\n\nDepending on their impact, issues may qualify for a monetary reward; all reports are reviewed on a case-by-case basis and any report that results in a change being made will at a minimum receive Hall of Fame recognition.\n\nWhen researching security issues, especially those which may compromise the privacy of others, you must use test accounts in order to respect our users’ privacy. 
Accessing private information of other users, performing actions that may negatively affect Twitter users (e.g., spam, denial of service), or sending reports from automated tools without verifying them will immediately disqualify the report, and may result in additional steps being taken.\n\nThe following issues are outside the scope of our vulnerability rewards program (either ineligible or false positives):\n\n* Attacks requiring physical access to a user's device\n* Any physical attacks against Twitter property or data centers\n* Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability)\n* Logout CSRF\n* Password and account recovery policies, such as reset link expiration or password complexity\n* Invalid or missing SPF (Sender Policy Framework) records\n* Content spoofing / text injection\n* Issues related to software or protocols not under Twitter control\n* Reports of spam ([see here for more info](https://support.twitter.com/articles/64986-reporting-spam-on-twitter))\n* Bypass of URL malware detection\n* Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n* Social engineering of Twitter staff or contractors\n* Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages\n* Issues that result in Denial of Service (DoS) to Twitter's servers at the network or application layer.\n* Reports of broken hyperlinks from Twitter blog posts, press releases, or support articles to unclaimed Twitter Handles or to a location where it is not possible to cause the controlled contents to be downloaded to the victim’s filesystem.\n* Issues relating to unlocking client-side features in modified Twitter applications, rooted devices, or jailbroken devices.\n* Open redirects unless they can demonstrate a higher security risk than phishing.\n\nIf you believe your account has been compromised, please [contact Twitter support 
directly](https://support.twitter.com/forms/). \n\n## Report Disclosures\nWe currently don't disclose reports marked as **Informative**.\n\n## Fine Print\n\nYou must comply with all applicable laws in connection with your participation in this program. You are also responsible for any applicable taxes associated with any reward you receive.\n\nWe may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively. \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-11-30T16:36:50.613Z"},{"id":3676618,"new_policy":"# Program Rules\n\nMaintaining effective security is a community effort, and we are proud to have a vibrant group of independent security researchers who volunteer their time to help us spot potential issues. To recognize their efforts and the important role they play in keeping Twitter safe for everyone we offer a bounty for reporting certain qualifying security vulnerabilities. Please make sure you review the following program rules before you report a vulnerability. By participating in this program, you agree to be bound by these rules.\n\n## Rewards\n\nTwitter may, at its sole discretion, provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $140 USD. Rewards are typically paid out on Fridays. The following table outlines the nominal rewards for specific classes of vulnerabilities for in-scope properties (see section on Scope). 
\n\n| Category | Examples | Core Twitter[1] | Everything Else |\n|----------|----------|--------------:|-----------------:|\n| Remote code execution | Command injection | $20,160 | $10,080 |\n| Administrative functionality | Access to internal Twitter applications | $12,460 | $6,300 |\n| Unrestricted access to data (filesystem, database, etc.) | XXE, SQLi | $12,460 | $6,300 |\n| Flaws leaking PII or bypassing significant controls | IDOR, impersonation, sensitive actions by user | $7,700 | $3,920 |\n| Account takeover | OAuth vulnerabilities | $7,700 | $3,920 |\n| Perform activities on behalf of a user | XSS, Android Intent abuse | $2,940 | $1,540 |\n| Other valid vulnerabilities | CSRF, clickjacking, information leakage | $280 - $2,940 | $140 - $1,540 |\n\n[1] Core Twitter is defined as anything hosted on `*.twitter.com`, `*.twimg.com`, and Twitter owned-and-operated mobile clients.\n\nTwitter may choose to pay higher rewards for unusually clever or severe vulnerabilities or lower rewards for vulnerabilities that require significant or unusual user interaction. \n\n## Report Eligibility\n\nAny design or implementation issue that is reproducible and substantially affects the security of Twitter users is likely to be in scope for the program. Consider what an attack scenario would look like, and how an attacker might benefit? What are the consequences to the victim? 
The [Google Bug Hunters University guide](https://sites.google.com/site/bughunteruniversity/improve/writing-the-perfect-attack-scenario) may be useful in considering whether an issue has security impact.\n\nOnly reports that meet the following requirements are eligible to receive a monetary reward:\n\n* You must be the first reporter of the vulnerability\n* The vulnerability must demonstrate security impact to a site or application in scope (see below)\n* You must not have compromised the privacy of our users or otherwise violated the [Twitter Rules](https://help.twitter.com/en/rules-and-policies/twitter-rules)\n* You must not have publicly disclosed the vulnerability prior to the report being closed, in compliance with the process described in the [HackerOne Vulnerability Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines)\n* We are not legally prohibited from rewarding you\n\nDepending on their impact, issues may qualify for a monetary reward; all reports are reviewed on a case-by-case basis and any report that results in a change being made will at a minimum receive Hall of Fame recognition.\n\nWhen researching security issues, especially those which may compromise the privacy of others, you must use test accounts in order to respect our users’ privacy. 
Accessing private information of other users, performing actions that may negatively affect Twitter users (e.g., spam, denial of service), or sending reports from automated tools without verifying them will immediately disqualify the report, and may result in additional steps being taken.\n\nThe following issues are outside the scope of our vulnerability rewards program (either ineligible or false positives):\n\n* Attacks requiring physical access to a user's device\n* Any physical attacks against Twitter property or data centers\n* Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability)\n* Logout CSRF\n* Password and account recovery policies, such as reset link expiration or password complexity\n* Invalid or missing SPF (Sender Policy Framework) records\n* Content spoofing / text injection\n* Issues related to software or protocols not under Twitter control\n* Reports of spam ([see here for more info](https://support.twitter.com/articles/64986-reporting-spam-on-twitter))\n* Bypass of URL malware detection\n* Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n* Social engineering of Twitter staff or contractors\n* Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages\n* Issues that result in Denial of Service (DoS) to Twitter's servers at the network or application layer.\n* Reports of broken hyperlinks from Twitter blog posts, press releases, or support articles to unclaimed Twitter Handles or to a location where it is not possible to cause the controlled contents to be downloaded to the victim’s filesystem.\n* Issues relating to unlocking client-side features in modified Twitter applications, rooted devices, or jailbroken devices.\n* Open redirects unless they can demonstrate a higher security risk than phishing.\n\nIf you believe your account has been compromised, please [contact Twitter support 
directly](https://support.twitter.com/forms/). \n\n## Report Disclosures\nWe currently don't disclose reports marked as **Informative**.\n\n## Fine Print\n\nYou must comply with all applicable laws in connection with your participation in this program. You are also responsible for any applicable taxes associated with any reward you receive.\n\nWe may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively. \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-08-25T18:04:35.894Z"},{"id":3676070,"new_policy":"# Program Rules\n\nMaintaining effective security is a community effort, and we are proud to have a vibrant group of independent security researchers who volunteer their time to help us spot potential issues. To recognize their efforts and the important role they play in keeping Twitter safe for everyone we offer a bounty for reporting certain qualifying security vulnerabilities. Please make sure you review the following program rules before you report a vulnerability. By participating in this program, you agree to be bound by these rules.\n\n## Rewards\n\nTwitter may, at its sole discretion, provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $140 USD. Rewards are typically paid out on Fridays. The following table outlines the nominal rewards for specific classes of vulnerabilities for in-scope properties (see section on Scope). 
\n\n| Category | Examples | Core Twitter[1] | Everything Else |\n|----------|----------|--------------:|-----------------:|\n| Remote code execution | Command injection | $20,160 | $10,080 |\n| Administrative functionality | Access to internal Twitter applications | $12,460 | $6,300 |\n| Unrestricted access to data (filesystem, database, etc.) | XXE, SQLi | $12,460 | $6,300 |\n| Flaws leaking PII or bypassing significant controls | IDOR, impersonation, sensitive actions by user | $7,700 | $3,920 |\n| Account takeover | OAuth vulnerabilities | $7,700 | $3,920 |\n| Perform activities on behalf of a user | XSS, Android Intent abuse | $2,940 | $1,540 |\n| Other valid vulnerabilities | CSRF, clickjacking, information leakage | $280 - $2,940 | $140 - $1,540 |\n\n[1] Core Twitter is defined as anything hosted on `*.twitter.com`, `*.twimg.com`, and Twitter owned-and-operated mobile clients.\n\nTwitter may choose to pay higher rewards for unusually clever or severe vulnerabilities or lower rewards for vulnerabilities that require significant or unusual user interaction. \n\n## Report Eligibility\n\nAny design or implementation issue that is reproducible and substantially affects the security of Twitter users is likely to be in scope for the program. Consider what an attack scenario would look like, and how an attacker might benefit? What are the consequences to the victim? 
The [Google Bug Hunters University guide](https://sites.google.com/site/bughunteruniversity/improve/writing-the-perfect-attack-scenario) may be useful in considering whether an issue has security impact.\n\nOnly reports that meet the following requirements are eligible to receive a monetary reward:\n\n* You must be the first reporter of the vulnerability\n* The vulnerability must demonstrate security impact to a site or application in scope (see below)\n* You must not have compromised the privacy of our users or otherwise violated the [Twitter Rules](https://help.twitter.com/en/rules-and-policies/twitter-rules)\n* You must not have publicly disclosed the vulnerability prior to the report being closed, in compliance with the process described in the [HackerOne Vulnerability Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines)\n* We are not legally prohibited from rewarding you\n\nDepending on their impact, issues may qualify for a monetary reward; all reports are reviewed on a case-by-case basis and any report that results in a change being made will at a minimum receive Hall of Fame recognition.\n\nWhen researching security issues, especially those which may compromise the privacy of others, you must use test accounts in order to respect our users’ privacy. 
Accessing private information of other users, performing actions that may negatively affect Twitter users (e.g., spam, denial of service), or sending reports from automated tools without verifying them will immediately disqualify the report, and may result in additional steps being taken.\n\nThe following issues are outside the scope of our vulnerability rewards program (either ineligible or false positives):\n\n* Attacks requiring physical access to a user's device\n* Any physical attacks against Twitter property or data centers\n* Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability)\n* Logout CSRF\n* Password and account recovery policies, such as reset link expiration or password complexity\n* Invalid or missing SPF (Sender Policy Framework) records\n* Content spoofing / text injection\n* Issues related to software or protocols not under Twitter control\n* Reports of spam ([see here for more info](https://support.twitter.com/articles/64986-reporting-spam-on-twitter))\n* Bypass of URL malware detection\n* Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n* Social engineering of Twitter staff or contractors\n* Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages\n* Issues that result in Denial of Service (DoS) to Twitter's servers at the network or application layer.\n* Reports of broken hyperlinks from Twitter blog posts, press releases, or support articles to unclaimed Twitter Handles or to a location where it is not possible to cause the controlled contents to be downloaded to the victim’s filesystem.\n* Issues relating to unlocking client-side features in modified Twitter applications, rooted devices, or jailbroken devices.\n* Open redirects unless they can demonstrate a higher security risk than phishing.\n\nIf you believe your account has been compromised, please [contact Twitter support 
directly](https://support.twitter.com/forms/). \n\n## Fine Print\n\nYou must comply with all applicable laws in connection with your participation in this program. You are also responsible for any applicable taxes associated with any reward you receive.\n\nWe may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively. \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-08-12T13:56:45.968Z"},{"id":3674360,"new_policy":"# Program Rules\n\nMaintaining effective security is a community effort, and we are proud to have a vibrant group of independent security researchers who volunteer their time to help us spot potential issues. To recognize their efforts and the important role they play in keeping Twitter safe for everyone we offer a bounty for reporting certain qualifying security vulnerabilities. Please make sure you review the following program rules before you report a vulnerability. By participating in this program, you agree to be bound by these rules.\n\n## Rewards\n\nTwitter may, at its sole discretion, provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $140 USD. Rewards are typically paid out on Fridays. The following table outlines the nominal rewards for specific classes of vulnerabilities for in-scope properties (see section on Scope). \n\n| Category | Examples | Core Twitter[1] | Everything Else |\n|----------|----------|--------------:|-----------------:|\n| Remote code execution | Command injection | $20,160 | $10,080 |\n| Administrative functionality | Access to internal Twitter applications | $12,460 | $6,300 |\n| Unrestricted access to data (filesystem, database, etc.) 
| XXE, SQLi | $12,460 | $6,300 |\n| Flaws leaking PII or bypassing significant controls | IDOR, impersonation, sensitive actions by user | $7,700 | $3,920 |\n| Account takeover | OAuth vulnerabilities | $7,700 | $3,920 |\n| Perform activities on behalf of a user | XSS, Android Intent abuse | $2,940 | $1,540 |\n| Other valid vulnerabilities | CSRF, clickjacking, information leakage | $280 - $2,940 | $140 - $1,540 |\n\n[1] Core Twitter is defined as anything hosted on `*.twitter.com`, `*.twimg.com`, and Twitter owned-and-operated mobile clients.\n\nTwitter may choose to pay higher rewards for unusually clever or severe vulnerabilities or lower rewards for vulnerabilities that require significant or unusual user interaction. \n\n## Report Eligibility\n\nAny design or implementation issue that is reproducible and substantially affects the security of Twitter users is likely to be in scope for the program. Consider what an attack scenario would look like, and how an attacker might benefit? What are the consequences to the victim? 
The [Google Bug Hunters University guide](https://sites.google.com/site/bughunteruniversity/improve/writing-the-perfect-attack-scenario) may be useful in considering whether an issue has security impact.\n\nOnly reports that meet the following requirements are eligible to receive a monetary reward:\n\n* You must be the first reporter of the vulnerability\n* The vulnerability must demonstrate security impact to a site or application in scope (see below)\n* You must not have compromised the privacy of our users or otherwise violated the [Twitter Rules](https://help.twitter.com/en/rules-and-policies/twitter-rules)\n* You must not have publicly disclosed the vulnerability prior to the report being closed, in compliance with the process described in the [HackerOne Vulnerability Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines)\n* We are not legally prohibited from rewarding you\n\nDepending on their impact, issues may qualify for a monetary reward; all reports are reviewed on a case-by-case basis and any report that results in a change being made will at a minimum receive Hall of Fame recognition.\n\nWhen researching security issues, especially those which may compromise the privacy of others, you must use test accounts in order to respect our users’ privacy. 
Accessing private information of other users, performing actions that may negatively affect Twitter users (e.g., spam, denial of service), or sending reports from automated tools without verifying them will immediately disqualify the report, and may result in additional steps being taken.\n\nThe following issues are outside the scope of our vulnerability rewards program (either ineligible or false positives):\n\n* Attacks requiring physical access to a user's device\n* Any physical attacks against Twitter property or data centers\n* Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability)\n* Logout CSRF\n* Password and account recovery policies, such as reset link expiration or password complexity\n* Invalid or missing SPF (Sender Policy Framework) records\n* Content spoofing / text injection\n* Issues related to software or protocols not under Twitter control\n* Reports of spam ([see here for more info](https://support.twitter.com/articles/64986-reporting-spam-on-twitter))\n* Bypass of URL malware detection\n* Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n* Social engineering of Twitter staff or contractors\n* Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages\n* Issues that result in Denial of Service (DoS) to Twitter's servers at the network or application layer.\n* Reports of broken hyperlinks from Twitter blog posts, press releases, or support articles to unclaimed Twitter Handles or to a location where it is not possible to cause the controlled contents to be downloaded to the victim’s filesystem.\n* Issues relating to unlocking client-side features in modified Twitter applications, rooted devices, or jailbroken devices.\n\nIf you believe your account has been compromised, please [contact Twitter support directly](https://support.twitter.com/forms/). 
\n\n## Fine Print\n\nYou must comply with all applicable laws in connection with your participation in this program. You are also responsible for any applicable taxes associated with any reward you receive.\n\nWe may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively. \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-07-13T21:26:43.605Z"},{"id":3654134,"new_policy":"# Program Rules\n\nMaintaining effective security is a community effort, and we are proud to have a vibrant group of independent security researchers who volunteer their time to help us spot potential issues. To recognize their efforts and the important role they play in keeping Twitter safe for everyone we offer a bounty for reporting certain qualifying security vulnerabilities. Please make sure you review the following program rules before you report a vulnerability. By participating in this program, you agree to be bound by these rules.\n\n## Rewards\n\nTwitter may, at its sole discretion, provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $140 USD. Rewards are typically paid out on Fridays. The following table outlines the nominal rewards for specific classes of vulnerabilities for in-scope properties (see section on Scope). \n\n| Category | Examples | Core Twitter[1] | Everything Else |\n|----------|----------|--------------:|-----------------:|\n| Remote code execution | Command injection | $20,160 | $10,080 |\n| Administrative functionality | Access to internal Twitter applications | $12,460 | $6,300 |\n| Unrestricted access to data (filesystem, database, etc.) 
| XXE, SQLi | $12,460 | $6,300 |\n| Flaws leaking PII or bypassing significant controls | IDOR, impersonation, sensitive actions by user | $7,700 | $3,920 |\n| Account takeover | OAuth vulnerabilities | $7,700 | $3,920 |\n| Perform activities on behalf of a user | XSS, Android Intent abuse | $2,940 | $1,540 |\n| Other valid vulnerabilities | CSRF, clickjacking, information leakage | $280 - $2,940 | $140 - $1,540 |\n\n[1] Core Twitter is defined as anything hosted on `*.twitter.com`, `*.pscp.tv`, `*.periscope.tv`, and Twitter owned-and-operated mobile clients.\n\nTwitter may choose to pay higher rewards for unusually clever or severe vulnerabilities or lower rewards for vulnerabilities that require significant or unusual user interaction. \n\n## Report Eligibility\n\nAny design or implementation issue that is reproducible and substantially affects the security of Twitter users is likely to be in scope for the program. Consider what an attack scenario would look like, and how an attacker might benefit? What are the consequences to the victim? 
The [Google Bug Hunters University guide](https://sites.google.com/site/bughunteruniversity/improve/writing-the-perfect-attack-scenario) may be useful in considering whether an issue has security impact.\n\nOnly reports that meet the following requirements are eligible to receive a monetary reward:\n\n* You must be the first reporter of the vulnerability\n* The vulnerability must demonstrate security impact to a site or application in scope (see below)\n* You must not have compromised the privacy of our users or otherwise violated the [Twitter Rules](https://help.twitter.com/en/rules-and-policies/twitter-rules)\n* You must not have publicly disclosed the vulnerability prior to the report being closed, in compliance with the process described in the [HackerOne Vulnerability Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines)\n* We are not legally prohibited from rewarding you\n\nDepending on their impact, issues may qualify for a monetary reward; all reports are reviewed on a case-by-case basis and any report that results in a change being made will at a minimum receive Hall of Fame recognition.\n\nWhen researching security issues, especially those which may compromise the privacy of others, you must use test accounts in order to respect our users’ privacy. 
Accessing private information of other users, performing actions that may negatively affect Twitter users (e.g., spam, denial of service), or sending reports from automated tools without verifying them will immediately disqualify the report, and may result in additional steps being taken.\n\nThe following issues are outside the scope of our vulnerability rewards program (either ineligible or false positives):\n\n* Attacks requiring physical access to a user's device\n* Any physical attacks against Twitter property or data centers\n* Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability)\n* Logout CSRF\n* Password and account recovery policies, such as reset link expiration or password complexity\n* Invalid or missing SPF (Sender Policy Framework) records\n* Content spoofing / text injection\n* Issues related to software or protocols not under Twitter control\n* Reports of spam ([see here for more info](https://support.twitter.com/articles/64986-reporting-spam-on-twitter))\n* Bypass of URL malware detection\n* Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n* Social engineering of Twitter staff or contractors\n* Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages\n* Issues that result in Denial of Service (DoS) to Twitter's servers at the network or application layer.\n* Reports of broken hyperlinks from Twitter blog posts, press releases, or support articles to unclaimed Twitter Handles or to a location where it is not possible to cause the controlled contents to be downloaded to the victim’s filesystem.\n* Issues relating to unlocking client-side features in modified Twitter applications, rooted devices, or jailbroken devices.\n\nIf you believe your account has been compromised, please [contact Twitter support directly](https://support.twitter.com/forms/). 
\n\n## Fine Print\n\nYou must comply with all applicable laws in connection with your participation in this program. You are also responsible for any applicable taxes associated with any reward you receive.\n\nWe may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively. \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-06-30T18:01:48.059Z"},{"id":3651593,"new_policy":"# Program Rules\n\nMaintaining effective security is a community effort, and we are proud to have a vibrant group of independent security researchers who volunteer their time to help us spot potential issues. To recognize their efforts and the important role they play in keeping Twitter safe for everyone we offer a bounty for reporting certain qualifying security vulnerabilities. Please make sure you review the following program rules before you report a vulnerability. By participating in this program, you agree to be bound by these rules.\n\n## Rewards\n\nTwitter may, at its sole discretion, provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $140 USD. Rewards are typically paid out on Fridays. The following table outlines the nominal rewards for specific classes of vulnerabilities for in-scope properties (see section on Scope). \n\n| Category | Examples | Core Twitter[1] | Everything Else |\n|----------|----------|--------------:|-----------------:|\n| Remote code execution | Command injection | $20,160 | $10,080 |\n| Administrative functionality | Access to internal Twitter applications | $12,460 | $6,300 |\n| Unrestricted access to data (filesystem, database, etc.) 
| XXE, SQLi | $12,460 | $6,300 |\n| Flaws leaking PII or bypassing significant controls | IDOR, impersonation, sensitive actions by user | $7,700 | $3,920 |\n| Account takeover | OAuth vulnerabilities | $7,700 | $3,920 |\n| Perform activities on behalf of a user | XSS, Android Intent abuse | $2,940 | $1,540 |\n| Other valid vulnerabilities | CSRF, clickjacking, information leakage | $280 - $2,940 | $140 - $1,540 |\n\n[1] Core Twitter is defined as anything hosted on `*.twitter.com`, `*.pscp.tv`, `*.periscope.tv`, and Twitter owned-and-operated mobile clients.\n\nTwitter may choose to pay higher rewards for unusually clever or severe vulnerabilities or lower rewards for vulnerabilities that require significant or unusual user interaction. \n\n## Report Eligibility\n\nAny design or implementation issue that is reproducible and substantially affects the security of Twitter users is likely to be in scope for the program. Consider what an attack scenario would look like, and how an attacker might benefit? What are the consequences to the victim? 
The [Google Bug Hunters University guide](https://sites.google.com/site/bughunteruniversity/improve/writing-the-perfect-attack-scenario) may be useful in considering whether an issue has security impact.\n\nOnly reports that meet the following requirements are eligible to receive a monetary reward:\n\n* You must be the first reporter of the vulnerability\n* The vulnerability must demonstrate security impact to a site or application in scope (see below)\n* You must not have compromised the privacy of our users or otherwise violated the [Twitter Rules](https://help.twitter.com/en/rules-and-policies/twitter-rules)\n* You must not have publicly disclosed the vulnerability prior to the report being closed, in compliance with the process described in the [HackerOne Vulnerability Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines)\n* We are not legally prohibited from rewarding you\n\nDepending on their impact, issues may qualify for a monetary reward; all reports are reviewed on a case-by-case basis and any report that results in a change being made will at a minimum receive Hall of Fame recognition.\n\nWhen researching security issues, especially those which may compromise the privacy of others, you must use test accounts in order to respect our users’ privacy. 
Accessing private information of other users, performing actions that may negatively affect Twitter users (e.g., spam, denial of service), or sending reports from automated tools without verifying them will immediately disqualify the report, and may result in additional steps being taken.\n\nThe following issues are outside the scope of our vulnerability rewards program (either ineligible or false positives):\n\n* Attacks requiring physical access to a user's device\n* Any physical attacks against Twitter property or data centers\n* Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability)\n* Logout CSRF\n* Password and account recovery policies, such as reset link expiration or password complexity\n* Invalid or missing SPF (Sender Policy Framework) records\n* Content spoofing / text injection\n* Issues related to software or protocols not under Twitter control\n* Reports of spam ([see here for more info](https://support.twitter.com/articles/64986-reporting-spam-on-twitter))\n* Bypass of URL malware detection\n* Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n* Social engineering of Twitter staff or contractors\n* Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages\n* Issues that result in Denial of Service (DoS) to Twitter's servers at the network or application layer.\n* Reports of broken hyperlinks from Twitter blog posts, press releases, or support articles to unclaimed Twitter Handles or to a location where it is not possible to cause the controlled contents to be downloaded to the victim’s filesystem.\n\nIf you believe your account has been compromised, please [contact Twitter support directly](https://support.twitter.com/forms/). \n\n## Fine Print\n\nYou must comply with all applicable laws in connection with your participation in this program. 
You are also responsible for any applicable taxes associated with any reward you receive.\n\nWe may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively. \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-04-27T15:52:21.105Z"},{"id":3635379,"new_policy":"# Program Rules\n\nMaintaining effective security is a community effort, and we are proud to have a vibrant group of independent security researchers who volunteer their time to help us spot potential issues. To recognize their efforts and the important role they play in keeping Twitter safe for everyone we offer a bounty for reporting certain qualifying security vulnerabilities. Please make sure you review the following program rules before you report a vulnerability. By participating in this program, you agree to be bound by these rules.\n\n## Rewards\n\nTwitter may, at its sole discretion, provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $140 USD. Rewards are typically paid out on Fridays. The following table outlines the nominal rewards for specific classes of vulnerabilities for in-scope properties (see section on Scope). \n\n| Category | Examples | Core Twitter[1] | Everything Else |\n|----------|----------|--------------:|-----------------:|\n| Remote code execution | Command injection | $20,160 | $10,080 |\n| Administrative functionality | Access to internal Twitter applications | $12,460 | $6,300 |\n| Unrestricted access to data (filesystem, database, etc.) 
| XXE, SQLi | $12,460 | $6,300 |\n| Flaws leaking PII or bypassing significant controls | IDOR, impersonation, sensitive actions by user | $7,700 | $3,920 |\n| Account takeover | OAuth vulnerabilities | $7,700 | $3,920 |\n| Perform activities on behalf of a user | XSS, Android Intent abuse | $2,940 | $1,540 |\n| Other valid vulnerabilities | CSRF, clickjacking, information leakage | $280 - $2,940 | $140 - $1,540 |\n\n[1] Core Twitter is defined as anything hosted on `*.twitter.com`, `*.pscp.tv`, `*.periscope.tv`, and Twitter owned-and-operated mobile clients.\n\nTwitter may choose to pay higher rewards for unusually clever or severe vulnerabilities or lower rewards for vulnerabilities that require significant or unusual user interaction. \n\n## Report Eligibility\n\nAny design or implementation issue that is reproducible and substantially affects the security of Twitter users is likely to be in scope for the program. Consider what an attack scenario would look like, and how an attacker might benefit? What are the consequences to the victim? 
The [Google Bug Hunters University guide](https://sites.google.com/site/bughunteruniversity/improve/writing-the-perfect-attack-scenario) may be useful in considering whether an issue has security impact.\n\nOnly reports that meet the following requirements are eligible to receive a monetary reward:\n\n* You must be the first reporter of the vulnerability\n* The vulnerability must demonstrate security impact to a site or application in scope (see below)\n* You must not have compromised the privacy of our users or otherwise violated the [Twitter Rules](https://help.twitter.com/en/rules-and-policies/twitter-rules)\n* You must not have publicly disclosed the vulnerability prior to the report being closed, in compliance with the process described in the [HackerOne Vulnerability Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines)\n* We are not legally prohibited from rewarding you\n\nDepending on their impact, issues may qualify for a monetary reward; all reports are reviewed on a case-by-case basis and any report that results in a change being made will at a minimum receive Hall of Fame recognition.\n\nWhen researching security issues, especially those which may compromise the privacy of others, you must use test accounts in order to respect our users’ privacy. 
Accessing private information of other users, performing actions that may negatively affect Twitter users (e.g., spam, denial of service), or sending reports from automated tools without verifying them will immediately disqualify the report, and may result in additional steps being taken.\n\nThe following issues are outside the scope of our vulnerability rewards program (either ineligible or false positives):\n\n* Attacks requiring physical access to a user's device\n* Any physical attacks against Twitter property or data centers\n* Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability)\n* Logout CSRF\n* Password and account recovery policies, such as reset link expiration or password complexity\n* Invalid or missing SPF (Sender Policy Framework) records\n* Content spoofing / text injection\n* Issues related to software or protocols not under Twitter control\n* Reports of spam ([see here for more info](https://support.twitter.com/articles/64986-reporting-spam-on-twitter))\n* Bypass of URL malware detection\n* Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n* Social engineering of Twitter staff or contractors\n* Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages\n* Issues that result in Denial of Service (DoS) to Twitter's servers at the network or application layer.\n\nIf you believe your account has been compromised, please [contact Twitter support directly](https://support.twitter.com/forms/). \n\n## Fine Print\n\nYou must comply with all applicable laws in connection with your participation in this program. You are also responsible for any applicable taxes associated with any reward you receive.\n\nWe may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively. 
\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-04-23T17:59:19.113Z"},{"id":3566624,"new_policy":"# Program Rules\n\nMaintaining effective security is a community effort, and we are proud to have a vibrant group of independent security researchers who volunteer their time to help us spot potential issues. To recognize their efforts and the important role they play in keeping Twitter safe for everyone we offer a bounty for reporting certain qualifying security vulnerabilities. Please make sure you review the following program rules before you report a vulnerability. By participating in this program, you agree to be bound by these rules.\n\n## Rewards\n\nTwitter may, at its sole discretion, provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $140 USD. Rewards are typically paid out on Fridays. The following table outlines the nominal rewards for specific classes of vulnerabilities for in-scope properties (see section on Scope). \n\n| Category | Examples | Core Twitter[1] | Everything Else |\n|----------|----------|--------------:|-----------------:|\n| Remote code execution | Command injection | $20,160 | $10,080 |\n| Administrative functionality | Access to internal Twitter applications | $12,460 | $6,300 |\n| Unrestricted access to data (filesystem, database, etc.) 
| XXE, SQLi | $12,460 | $6,300 |\n| Flaws leaking PII or bypassing significant controls | IDOR, impersonation, sensitive actions by user | $7,700 | $3,920 |\n| Account takeover | OAuth vulnerabilities | $7,700 | $3,920 |\n| Perform activities on behalf of a user | XSS, Android Intent abuse | $2,940 | $1,540 |\n| Other valid vulnerabilities | CSRF, clickjacking, information leakage | $280 - $2,940 | $140 - $1,540 |\n\n[1] Core Twitter is defined as anything hosted on `*.twitter.com`, `*.pscp.tv`, `*.periscope.tv`, and Twitter owned-and-operated mobile clients.\n\nTwitter may choose to pay higher rewards for unusually clever or severe vulnerabilities or lower rewards for vulnerabilities that require significant or unusual user interaction. \n\n## Report Eligibility\n\nAny design or implementation issue that is reproducible and substantially affects the security of Twitter users is likely to be in scope for the program. Consider what an attack scenario would look like and how an attacker might benefit. What are the consequences to the victim? 
The [Google Bug Hunters University guide](https://sites.google.com/site/bughunteruniversity/improve/writing-the-perfect-attack-scenario) may be useful in considering whether an issue has security impact.\n\nOnly reports that meet the following requirements are eligible to receive a monetary reward:\n\n* You must be the first reporter of the vulnerability\n* The vulnerability must demonstrate security impact to a site or application in scope (see below)\n* You must not have compromised the privacy of our users or otherwise violated the [Twitter Rules](https://help.twitter.com/en/rules-and-policies/twitter-rules)\n* You must not have publicly disclosed the vulnerability prior to the report being closed, in compliance with the process described in the [HackerOne Vulnerability Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines)\n* We are not legally prohibited from rewarding you\n\nDepending on their impact, issues may qualify for a monetary reward; all reports are reviewed on a case-by-case basis and any report that results in a change being made will at a minimum receive Hall of Fame recognition.\n\nWhen researching security issues, especially those which may compromise the privacy of others, you must use test accounts in order to respect our users’ privacy. 
Accessing private information of other users, performing actions that may negatively affect Twitter users (e.g., spam, denial of service), or sending reports from automated tools without verifying them will immediately disqualify the report, and may result in additional steps being taken.\n\nThe following issues are outside the scope of our vulnerability rewards program (either ineligible or false positives):\n\n* Attacks requiring physical access to a user's device\n* Any physical attacks against Twitter property or data centers\n* Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability)\n* Logout CSRF\n* Password and account recovery policies, such as reset link expiration or password complexity\n* Invalid or missing SPF (Sender Policy Framework) records\n* Content spoofing / text injection\n* Issues related to software or protocols not under Twitter control\n* Reports of spam ([see here for more info](https://support.twitter.com/articles/64986-reporting-spam-on-twitter))\n* Bypass of URL malware detection\n* Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n* Social engineering of Twitter staff or contractors\n* Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages\n\nIf you believe your account has been compromised, please [contact Twitter support directly](https://support.twitter.com/forms/). \n\n## Fine Print\n\nYou must comply with all applicable laws in connection with your participation in this program. You are also responsible for any applicable taxes associated with any reward you receive.\n\nWe may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively. 
\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-01-12T18:05:39.117Z"},{"id":3550584,"new_policy":"# Program Rules\n\nMaintaining top-notch security online is a community effort, and we’re lucky to have a vibrant group of independent security researchers who volunteer their time to help us spot potential issues. To recognize their efforts and the important role they play in keeping Twitter safe for everyone we offer a bounty for reporting certain qualifying security vulnerabilities.  Please review the following program rules before you report a vulnerability.  By participating in this program, you agree to be bound by these rules.\n\n## Rewards\n\nTwitter may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $140 USD.  There is no maximum reward. Rewards are paid out on Fridays. The following table outlines the usual minimum rewards for specific classes of vulnerabilities for in-scope properties (see section on Scope). 
\n\n|Vulnerability | Core Twitter [1]| All Other |\n------------- | -------------| -------------|\n|Remote Code Execution | $15,000| $10,000|\n|Significant Authentication Bypass [6] | $7,500| $5,000|\n|Cross Site Scripting that can perform critical actions [2] [3] [4] [5] | $2,500| $1,500|\n|Cross Site Request Forgery on critical actions [2] [4]| $2,500| $1,500|\n|All other Cross Site Scripting [3] [4]| $1,000| $500|\n|All other Cross Site Request Forgery [4] | $280| $140|\n||||\n\n*[1] Core Twitter covers twitter.com, Twitter for iOS, Twitter for Android and reports permitting takeover of a Twitter account.*\n*[2] Critical actions include (but are not limited to) tweeting, retweeting, favoriting and direct messaging.*\n*[3] Excluding self-XSS.*\n*[4] Divide by half of the All Other amount for MoPub properties*\n*[5] Divide by half for XSS blocked by Content-Security-Policy settings*\n*[6] Divide by half for issues that require the attacker to interact with the user*\n\nTwitter will determine in its discretion whether a reward should be granted and the amount of the reward - in particular we may choose to pay higher rewards for unusually clever or severe vulnerabilities or lower rewards for vulnerabilities that require significant or unusual user interaction. This is not a contest or competition. Rewards may be provided on an ongoing basis so long as this program is active.\n\n## Scope\n\nThe following sites and applications are in scope for this program:\n* *.twitter.com\n* vine.co\n* periscope.tv\n* MoPub\n* Gnip\n* ZeroPush\n* Twitter for iOS / Android\n* Vine Camera\n* Periscope for iOS / Android\n\nVulnerabilities reported on other Twitter properties or applications are currently not eligible for monetary rewards (as they come into scope, they will be added to this section). However, they are still eligible for our [Hall of Fame](https://hackerone.com/twitter/thanks). 
High impact vulnerabilities will be considered on a case by case basis.\n\n## Reporting Possible Vulnerabilities\n\nYou must report a qualifying vulnerability through the HackerOne reporting tool to be eligible for a monetary reward.\n\nIf you have an issue that affects only your own account such as unintended Tweets, DMs, or follows, abuse, harassment, spam, or phishing, please [find the appropriate form here](https://support.twitter.com/forms/).\n\nIf you are researching security issues, especially those which may compromise the privacy of others, please use test accounts in order to respect our users’ privacy. When demonstrating a vulnerability, please do so in an unobtrusive manner to avoid drawing public attention to the vulnerability. Vulnerabilities that are exposed publicly as a part of putting together a proof of concept (e.g. website defacement, stored XSS on a public site) are not eligible for bounty.\n\n**Report Template**\n\nPlease be aware that the quality of your report is critical to your submission. To ensure that we are able to understand what you are reporting and the potential impact, please make sure your report contains the following items. You might want to consider using this as a template or checklist when writing up your report. \n\n* What type of issue are you reporting? Does it align to a CWE or OWASP issue?\n* How does a user reproduce your issue? (If this contains more than a few steps, please create a video so we can attempt to perform the same steps).\n* What is the impact of your issue?\n* What are some scenarios where an attacker would be able to leverage this vulnerability?\n* What would be your suggested fix?\n\n## Eligibility and Responsible Disclosure\n\nWe are happy to thank everyone who submits valid reports which help us improve the security of Twitter!  However, only those that meet the following eligibility requirements may receive a monetary reward: \n\n* You must be the first reporter of a vulnerability. 
\n* The vulnerability must be a qualifying vulnerability (see below) associated with a site or application in scope (see above).\n* We can’t be legally prohibited from rewarding you (for example, you can’t be a resident of or located within Cuba, Sudan, North Korea, Iran or Syria, a national of other certain countries, or on a denied parties or sanctions list). \n* You may not publicly disclose the vulnerability prior to our resolution.\n\n## Qualifying Vulnerabilities\n\nAny design or implementation issue that is reproducible and substantially affects the security of Twitter users is likely to be in scope for the program. Common examples include:\n\n* Cross Site Scripting (XSS)\n* Cross Site Request Forgery (CSRF)\n* Remote Code Execution (RCE)\n* Unauthorized Access to Protected Tweets\n* Unauthorized Access to DMs\n\nWhen in doubt, consider what an attack scenario would look like. How would the attacker benefit? What would be the consequence to the victim? The [Google Bug Hunters University guide](https://sites.google.com/site/bughunteruniversity/improve/writing-the-perfect-attack-scenario) may be useful in considering whether something has impact.\n\n## Non-Qualifying Vulnerabilities\n\nDepending on their impact, not all reported issues may qualify for a monetary reward. 
However all reports are reviewed on a case-by-case basis and any report that results in a change being made will at a minimum receive Hall of Fame recognition.\n\nPlease refrain from accessing private information (so use test accounts), performing actions that may negatively affect Twitter users (spam, denial of service), or sending reports from automated tools without verifying them.\n\nThe following issues are outside the scope of our vulnerability rewards program (either ineligible or false positives):\n\n* Attacks requiring physical access to a user's device\n* Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability)\n* Logout CSRF\n* Password and account recovery policies, such as reset link expiration or password complexity\n* Invalid or missing SPF (Sender Policy Framework) records\n* Content spoofing / text injection\n* Issues related to software or protocols not under Twitter control\n* Reports of spam ([see here for more info](https://support.twitter.com/articles/64986-reporting-spam-on-twitter))\n* Bypass of URL malware detection\n* Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n* Social engineering of Twitter staff or contractors\n* Any physical attempts against Twitter property or data centers\n* Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages\n* Fabric was acquired by Google as of January 25th, 2017. Any vulnerability or bug submissions for Fabric, including Crashlytics and Answers, will need to be submitted [here](https://g.co/vulnz)\n\n## The Fine Print\n\nYou must comply with all applicable laws in connection with your participation in this program.  You are also responsible for any applicable taxes associated with any reward you receive.\n\nWe may modify the terms of this program or terminate this program at any time.  We won’t apply any changes we make to these program terms retroactively. 
\n\nReports received prior to the paid bug bounty program launch (10:30 AM PST on September 3, 2014) are not eligible for monetary rewards.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-04-03T23:06:22.528Z"},{"id":3545558,"new_policy":"# Program Rules\n\nMaintaining top-notch security online is a community effort, and we’re lucky to have a vibrant group of independent security researchers who volunteer their time to help us spot potential issues. To recognize their efforts and the important role they play in keeping Twitter safe for everyone we offer a bounty for reporting certain qualifying security vulnerabilities.  Please review the following program rules before you report a vulnerability.  By participating in this program, you agree to be bound by these rules.\n\n## Rewards\n\nTwitter may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $140 USD.  There is no maximum reward. Rewards are paid out on Fridays. The following table outlines the usual minimum rewards for specific classes of vulnerabilities for in-scope properties (see section on Scope). 
\n\n|Vulnerability | Core Twitter [1]| All Other |\n------------- | -------------| -------------|\n|Remote Code Execution | $15,000| $10,000|\n|Significant Authentication Bypass [6] | $7,500| $5,000|\n|Cross Site Scripting that can perform critical actions [2] [3] [4] [5] | $2,500| $1,500|\n|Cross Site Request Forgery on critical actions [2] [4]| $2,500| $1,500|\n|All other Cross Site Scripting [3] [4]| $1,000| $500|\n|All other Cross Site Request Forgery [4] | $280| $140|\n||||\n\n*[1] Core Twitter covers twitter.com, Twitter for iOS, Twitter for Android and reports permitting takeover of a Twitter account.*\n*[2] Critical actions include (but are not limited to) tweeting, retweeting, favoriting and direct messaging.*\n*[3] Excluding self-XSS.*\n*[4] Divide by half of the All Other amount for MoPub properties*\n*[5] Divide by half for XSS blocked by Content-Security-Policy settings*\n*[6] Divide by half for issues that require the attacker to interact with the user*\n\nTwitter will determine in its discretion whether a reward should be granted and the amount of the reward - in particular we may choose to pay higher rewards for unusually clever or severe vulnerabilities or lower rewards for vulnerabilities that require significant or unusual user interaction. This is not a contest or competition. Rewards may be provided on an ongoing basis so long as this program is active.\n\n## Scope\n\nThe following sites and applications are in scope for this program:\n* *.twitter.com\n* vine.co\n* periscope.tv\n* MoPub\n* ZeroPush\n* Twitter for iOS / Android\n* Vine Camera\n* Periscope for iOS / Android\n\nVulnerabilities reported on other Twitter properties or applications are currently not eligible for monetary rewards (as they come into scope, they will be added to this section). However, they are still eligible for our [Hall of Fame](https://hackerone.com/twitter/thanks). 
High impact vulnerabilities will be considered on a case by case basis.\n\n## Reporting Possible Vulnerabilities\n\nYou must report a qualifying vulnerability through the HackerOne reporting tool to be eligible for a monetary reward.\n\nIf you have an issue that affects only your own account such as unintended Tweets, DMs, or follows, abuse, harassment, spam, or phishing, please [find the appropriate form here](https://support.twitter.com/forms/).\n\nIf you are researching security issues, especially those which may compromise the privacy of others, please use test accounts in order to respect our users’ privacy. When demonstrating a vulnerability, please do so in an unobtrusive manner to avoid drawing public attention to the vulnerability. Vulnerabilities that are exposed publicly as a part of putting together a proof of concept (e.g. website defacement, stored XSS on a public site) are not eligible for bounty.\n\n**Report Template**\n\nPlease be aware that the quality of your report is critical to your submission. To ensure that we are able to understand what you are reporting and the potential impact, please make sure your report contains the following items. You might want to consider using this as a template or checklist when writing up your report. \n\n* What type of issue are you reporting? Does it align to a CWE or OWASP issue?\n* How does a user reproduce your issue? (If this contains more than a few steps, please create a video so we can attempt to perform the same steps).\n* What is the impact of your issue?\n* What are some scenarios where an attacker would be able to leverage this vulnerability?\n* What would be your suggested fix?\n\n## Eligibility and Responsible Disclosure\n\nWe are happy to thank everyone who submits valid reports which help us improve the security of Twitter!  However, only those that meet the following eligibility requirements may receive a monetary reward: \n\n* You must be the first reporter of a vulnerability. 
\n* The vulnerability must be a qualifying vulnerability (see below) associated with a site or application in scope (see above).\n* We can’t be legally prohibited from rewarding you (for example, you can’t be a resident of or located within Cuba, Sudan, North Korea, Iran or Syria, a national of other certain countries, or on a denied parties or sanctions list). \n* You may not publicly disclose the vulnerability prior to our resolution.\n\n## Qualifying Vulnerabilities\n\nAny design or implementation issue that is reproducible and substantially affects the security of Twitter users is likely to be in scope for the program. Common examples include:\n\n* Cross Site Scripting (XSS)\n* Cross Site Request Forgery (CSRF)\n* Remote Code Execution (RCE)\n* Unauthorized Access to Protected Tweets\n* Unauthorized Access to DMs\n\nWhen in doubt, consider what an attack scenario would look like. How would the attacker benefit? What would be the consequence to the victim? The [Google Bug Hunters University guide](https://sites.google.com/site/bughunteruniversity/improve/writing-the-perfect-attack-scenario) may be useful in considering whether something has impact.\n\n## Non-Qualifying Vulnerabilities\n\nDepending on their impact, not all reported issues may qualify for a monetary reward. 
However all reports are reviewed on a case-by-case basis and any report that results in a change being made will at a minimum receive Hall of Fame recognition.\n\nPlease refrain from accessing private information (so use test accounts), performing actions that may negatively affect Twitter users (spam, denial of service), or sending reports from automated tools without verifying them.\n\nThe following issues are outside the scope of our vulnerability rewards program (either ineligible or false positives):\n\n* Attacks requiring physical access to a user's device\n* Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability)\n* Logout CSRF\n* Password and account recovery policies, such as reset link expiration or password complexity\n* Invalid or missing SPF (Sender Policy Framework) records\n* Content spoofing / text injection\n* Issues related to software or protocols not under Twitter control\n* Reports of spam ([see here for more info](https://support.twitter.com/articles/64986-reporting-spam-on-twitter))\n* Bypass of URL malware detection\n* Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n* Social engineering of Twitter staff or contractors\n* Any physical attempts against Twitter property or data centers\n* Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages\n* Fabric was acquired by Google as of January 25th, 2017. Any vulnerability or bug submissions for Fabric, including Crashlytics and Answers, will need to be submitted [here](https://g.co/vulnz)\n\n## The Fine Print\n\nYou must comply with all applicable laws in connection with your participation in this program.  You are also responsible for any applicable taxes associated with any reward you receive.\n\nWe may modify the terms of this program or terminate this program at any time.  We won’t apply any changes we make to these program terms retroactively. 
\n\nReports received prior to the paid bug bounty program launch (10:30 AM PST on September 3, 2014) are not eligible for monetary rewards.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-01-24T18:14:42.981Z"},{"id":3541351,"new_policy":"# Program Rules\n\nMaintaining top-notch security online is a community effort, and we’re lucky to have a vibrant group of independent security researchers who volunteer their time to help us spot potential issues. To recognize their efforts and the important role they play in keeping Twitter safe for everyone we offer a bounty for reporting certain qualifying security vulnerabilities.  Please review the following program rules before you report a vulnerability.  By participating in this program, you agree to be bound by these rules.\n\n## Rewards\n\nTwitter may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $140 USD.  There is no maximum reward. Rewards are paid out on Fridays. The following table outlines the usual minimum rewards for specific classes of vulnerabilities for in-scope properties (see section on Scope). 
\n\n|Vulnerability | Core Twitter [1]| All Other |\n------------- | -------------| -------------|\n|Remote Code Execution | $15,000| $10,000|\n|Significant Authentication Bypass [6] | $7,500| $5,000|\n|Cross Site Scripting that can perform critical actions [2] [3] [4] [5] | $2,500| $1,500|\n|Cross Site Request Forgery on critical actions [2] [4]| $2,500| $1,500|\n|All other Cross Site Scripting [3] [4]| $1,000| $500|\n|All other Cross Site Request Forgery [4] | $280| $140|\n||||\n\n*[1] Core Twitter covers twitter.com, Twitter for iOS, Twitter for Android and reports permitting takeover of a Twitter account.*\n*[2] Critical actions include (but are not limited to) tweeting, retweeting, favoriting and direct messaging.*\n*[3] Excluding self-XSS.*\n*[4] Divide by half of the All Other amount for MoPub properties*\n*[5] Divide by half for XSS blocked by Content-Security-Policy settings*\n*[6] Divide by half for issues that require the attacker to interact with the user*\n\nTwitter will determine in its discretion whether a reward should be granted and the amount of the reward - in particular we may choose to pay higher rewards for unusually clever or severe vulnerabilities or lower rewards for vulnerabilities that require significant or unusual user interaction. This is not a contest or competition. Rewards may be provided on an ongoing basis so long as this program is active.\n\n## Scope\n\nThe following sites and applications are in scope for this program:\n* *.twitter.com\n* vine.co\n* periscope.tv\n* Fabric SDK\n* MoPub\n* ZeroPush\n* Twitter for iOS / Android\n* Vine for iOS / Android\n* Periscope for iOS / Android\n\nVulnerabilities reported on other Twitter properties or applications are currently not eligible for monetary rewards (as they come into scope, they will be added to this section). However, they are still eligible for our [Hall of Fame](https://hackerone.com/twitter/thanks). 
High impact vulnerabilities will be considered on a case by case basis.\n\n## Reporting Possible Vulnerabilities\n\nYou must report a qualifying vulnerability through the HackerOne reporting tool to be eligible for a monetary reward.\n\nIf you have an issue that affects only your own account such as unintended Tweets, DMs, or follows, abuse, harassment, spam, or phishing, please [find the appropriate form here](https://support.twitter.com/forms/).\n\nIf you are researching security issues, especially those which may compromise the privacy of others, please use test accounts in order to respect our users’ privacy. When demonstrating a vulnerability, please do so in an unobtrusive manner to avoid drawing public attention to the vulnerability. Vulnerabilities that are exposed publicly as a part of putting together a proof of concept (e.g. website defacement, stored XSS on a public site) are not eligible for bounty.\n\n**Report Template**\n\nPlease be aware that the quality of your report is critical to your submission. To ensure that we are able to understand what you are reporting and the potential impact, please make sure your report contains the following items. You might want to consider using this as a template or checklist when writing up your report. \n\n* What type of issue are you reporting? Does it align to a CWE or OWASP issue?\n* How does a user reproduce your issue? (If this contains more than a few steps, please create a video so we can attempt to perform the same steps).\n* What is the impact of your issue?\n* What are some scenarios where an attacker would be able to leverage this vulnerability?\n* What would be your suggested fix?\n\n## Eligibility and Responsible Disclosure\n\nWe are happy to thank everyone who submits valid reports which help us improve the security of Twitter!  However, only those that meet the following eligibility requirements may receive a monetary reward: \n\n* You must be the first reporter of a vulnerability. 
\n* The vulnerability must be a qualifying vulnerability (see below) associated with a site or application in scope (see above).\n* We can’t be legally prohibited from rewarding you (for example, you can’t be a resident of or located within Cuba, Sudan, North Korea, Iran or Syria, a national of other certain countries, or on a denied parties or sanctions list). \n* You may not publicly disclose the vulnerability prior to our resolution.\n\n## Qualifying Vulnerabilities\n\nAny design or implementation issue that is reproducible and substantially affects the security of Twitter users is likely to be in scope for the program. Common examples include:\n\n* Cross Site Scripting (XSS)\n* Cross Site Request Forgery (CSRF)\n* Remote Code Execution (RCE)\n* Unauthorized Access to Protected Tweets\n* Unauthorized Access to DMs\n\nWhen in doubt, consider what an attack scenario would look like. How would the attacker benefit? What would be the consequence to the victim? The [Google Bug Hunters University guide](https://sites.google.com/site/bughunteruniversity/improve/writing-the-perfect-attack-scenario) may be useful in considering whether something has impact.\n\n## Non-Qualifying Vulnerabilities\n\nDepending on their impact, not all reported issues may qualify for a monetary reward. 
However all reports are reviewed on a case-by-case basis and any report that results in a change being made will at a minimum receive Hall of Fame recognition.\n\nPlease refrain from accessing private information (so use test accounts), performing actions that may negatively affect Twitter users (spam, denial of service), or sending reports from automated tools without verifying them.\n\nThe following issues are outside the scope of our vulnerability rewards program (either ineligible or false positives):\n\n* Attacks requiring physical access to a user's device\n* Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability)\n* Logout CSRF\n* Password and account recovery policies, such as reset link expiration or password complexity\n* Invalid or missing SPF (Sender Policy Framework) records\n* Content spoofing / text injection\n* Issues related to software or protocols not under Twitter control\n* Reports of spam ([see here for more info](https://support.twitter.com/articles/64986-reporting-spam-on-twitter))\n* Bypass of URL malware detection\n* Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n* Social engineering of Twitter staff or contractors\n* Any physical attempts against Twitter property or data centers\n* Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages\n\n## The Fine Print\n\nYou must comply with all applicable laws in connection with your participation in this program.  You are also responsible for any applicable taxes associated with any reward you receive.\n\nWe may modify the terms of this program or terminate this program at any time.  We won’t apply any changes we make to these program terms retroactively. 
\n\nReports received prior to the paid bug bounty program launch (10:30 AM PST on September 3, 2014) are not eligible for monetary rewards.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-11-04T16:35:32.343Z"},{"id":3392632,"new_policy":"# Program Rules\n\nMaintaining top-notch security online is a community effort, and we’re lucky to have a vibrant group of independent security researchers who volunteer their time to help us spot potential issues. To recognize their efforts and the important role they play in keeping Twitter safe for everyone we offer a bounty for reporting certain qualifying security vulnerabilities.  Please review the following program rules before you report a vulnerability.  By participating in this program, you agree to be bound by these rules.\n\n## Rewards\n\nTwitter may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $140 USD.  There is no maximum reward. Rewards are paid out on Fridays. The following table outlines the usual minimum rewards for specific classes of vulnerabilities for in-scope properties (see section on Scope). 
\n\n|Vulnerability | Core Twitter [1]| All Other |\n------------- | -------------| -------------|\n|Remote Code Execution | $15,000| $10,000|\n|Significant Authentication Bypass [6] | $7,500| $5,000|\n|Cross Site Scripting that can perform critical actions [2] [3] [4] [5] | $2,500| $1,500|\n|Cross Site Request Forgery on critical actions [2] [4]| $2,500| $1,500|\n|All other Cross Site Scripting [3] [4]| $1,000| $500|\n|All other Cross Site Request Forgery [4] | $280| $140|\n||||\n\n*[1] Core Twitter covers twitter.com, Twitter for iOS, Twitter for Android and reports permitting takeover of a Twitter account.*\n*[2] Critical actions include (but are not limited to) tweeting, retweeting, favoriting and direct messaging.*\n*[3] Excluding self-XSS.*\n*[4] Divide by half of the All Other amount for MoPub properties*\n*[5] Divide by half for XSS blocked by Content-Security-Policy settings*\n*[6] Divide by half for issues that require the attacker to interact with the user*\n\nTwitter will determine in its discretion whether a reward should be granted and the amount of the reward - in particular we may choose to pay higher rewards for unusually clever or severe vulnerabilities or lower rewards for vulnerabilities that require significant or unusual user interaction. This is not a contest or competition. Rewards may be provided on an ongoing basis so long as this program is active.\n\n## Scope\n\nThe following sites and applications are in scope for this program:\n* *.twitter.com\n* vine.co\n* periscope.tv\n* Fabric SDK\n* MoPub\n* ZeroPush\n* Twitter for iOS / Android\n* Vine for iOS / Android\n* Periscope for iOS / Android\n\nVulnerabilities reported on other Twitter properties or applications are currently not eligible for monetary rewards (as they come into scope, they will be added to this section). However, they are still eligible for our [Hall of Fame](https://hackerone.com/twitter/thanks). 
High impact vulnerabilities will be considered on a case by case basis.\n\n## Reporting Possible Vulnerabilities\n\nYou must report a qualifying vulnerability through the HackerOne reporting tool to be eligible for a monetary reward.\n\nIf you have an issue that affects only your own account such as unintended Tweets, DMs, or follows, abuse, harassment, spam, or phishing, please [find the appropriate form here](https://support.twitter.com/forms/).\n\nIf you are researching security issues, especially those which may compromise the privacy of others, please use test accounts in order to respect our users’ privacy.\n\n**Report Template**\n\nPlease be aware that the quality of your report is critical to your submission. To ensure that we are able to understand what you are reporting and the potential impact, please make sure your report contains the following items. You might want to consider using this as a template or checklist when writing up your report. \n\n* What type of issue are you reporting? Does it align to a CWE or OWASP issue?\n* How does a user reproduce your issue? (If this contains more than a few steps, please create a video so we can attempt to perform the same steps).\n* What is the impact of your issue?\n* What are some scenarios where an attacker would be able to leverage this vulnerability?\n* What would be your suggested fix?\n\n## Eligibility and Responsible Disclosure\n\nWe are happy to thank everyone who submits valid reports which help us improve the security of Twitter!  However, only those that meet the following eligibility requirements may receive a monetary reward: \n\n* You must be the first reporter of a vulnerability. 
\n* The vulnerability must be a qualifying vulnerability (see below) associated with a site or application in scope (see above).\n* We can’t be legally prohibited from rewarding you (for example, you can’t be a resident of or located within Cuba, Sudan, North Korea, Iran or Syria, a national of other certain countries, or on a denied parties or sanctions list). \n* You may not publicly disclose the vulnerability prior to our resolution.\n\n## Qualifying Vulnerabilities\n\nAny design or implementation issue that is reproducible and substantially affects the security of Twitter users is likely to be in scope for the program. Common examples include:\n\n* Cross Site Scripting (XSS)\n* Cross Site Request Forgery (CSRF)\n* Remote Code Execution (RCE)\n* Unauthorized Access to Protected Tweets\n* Unauthorized Access to DMs\n\nWhen in doubt, consider what an attack scenario would look like. How would the attacker benefit? What would be the consequence to the victim? The [Google Bug Hunters University guide](https://sites.google.com/site/bughunteruniversity/improve/writing-the-perfect-attack-scenario) may be useful in considering whether something has impact.\n\n## Non-Qualifying Vulnerabilities\n\nDepending on their impact, not all reported issues may qualify for a monetary reward. 
However, all reports are reviewed on a case-by-case basis and any report that results in a change being made will at a minimum receive Hall of Fame recognition.\n\nPlease refrain from accessing private information (so use test accounts), performing actions that may negatively affect Twitter users (spam, denial of service), or sending reports from automated tools without verifying them.\n\nThe following issues are outside the scope of our vulnerability rewards program (either ineligible or false positives):\n\n* Attacks requiring physical access to a user's device\n* Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability)\n* Login/logout CSRF\n* Password and account recovery policies, such as reset link expiration or password complexity\n* Invalid or missing SPF (Sender Policy Framework) records\n* Content spoofing / text injection\n* Issues related to software or protocols not under Twitter control\n* Reports of spam ([see here for more info](https://support.twitter.com/articles/64986-reporting-spam-on-twitter))\n* Bypass of URL malware detection\n* Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n* Social engineering of Twitter staff or contractors\n* Any physical attempts against Twitter property or data centers\n* Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages\n\n## The Fine Print\n\nYou must comply with all applicable laws in connection with your participation in this program.  You are also responsible for any applicable taxes associated with any reward you receive.\n\nWe may modify the terms of this program or terminate this program at any time.  We won’t apply any changes we make to these program terms retroactively. 
\n\nReports received prior to the paid bug bounty program launch (10:30 AM PST on September 3, 2014) are not eligible for monetary rewards.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-08-14T21:18:06.746Z"},{"id":2781589,"new_policy":"# Program Rules\n\nMaintaining top-notch security online is a community effort, and we’re lucky to have a vibrant group of independent security researchers who volunteer their time to help us spot potential issues. To recognize their efforts and the important role they play in keeping Twitter safe for everyone we offer a bounty for reporting certain qualifying security vulnerabilities.  Please review the following program rules before you report a vulnerability.  By participating in this program, you agree to be bound by these rules.\n\n## Rewards\n\nTwitter may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $140 USD.  There is no maximum reward. The following table outlines the usual minimum rewards for specific classes of vulnerabilities for in-scope properties (see section on Scope). 
\n\n|Vulnerability | Core Twitter [1]| All Other |\n------------- | -------------| -------------|\n|Remote Code Execution | $15,000| $10,000|\n|Significant Authentication Bypass [6] | $7,500| $5,000|\n|Cross Site Scripting that can perform critical actions [2] [3] [4] [5] | $2,500| $1,500|\n|Cross Site Request Forgery on critical actions [2] [4]| $2,500| $1,500|\n|All other Cross Site Scripting [3] [4]| $1,000| $500|\n|All other Cross Site Request Forgery [4] | $280| $140|\n||||\n\n*[1] Core Twitter covers twitter.com, Twitter for iOS, Twitter for Android and reports permitting takeover of a Twitter account.*\n*[2] Critical actions include (but are not limited to) tweeting, retweeting, favoriting and direct messaging.*\n*[3] Excluding self-XSS.*\n*[4] Divide by half of the All Other amount for MoPub properties*\n*[5] Divide by half for XSS blocked by Content-Security-Policy settings*\n*[6] Divide by half for issues that require the attacker to interact with the user*\n\nTwitter will determine in its discretion whether a reward should be granted and the amount of the reward - in particular we may choose to pay higher rewards for unusually clever or severe vulnerabilities or lower rewards for vulnerabilities that require significant or unusual user interaction. This is not a contest or competition. Rewards may be provided on an ongoing basis so long as this program is active.\n\n## Scope\n\nThe following sites and applications are in scope for this program:\n* *.twitter.com\n* vine.co\n* periscope.tv\n* Fabric SDK\n* MoPub\n* ZeroPush\n* Twitter for iOS / Android\n* Vine for iOS / Android\n* Periscope for iOS / Android\n\nVulnerabilities reported on other Twitter properties or applications are currently not eligible for monetary rewards (as they come into scope, they will be added to this section). However, they are still eligible for our [Hall of Fame](https://hackerone.com/twitter/thanks). 
High impact vulnerabilities will be considered on a case by case basis.\n\n## Reporting Possible Vulnerabilities\n\nYou must report a qualifying vulnerability through the HackerOne reporting tool to be eligible for a monetary reward.\n\nIf you have an issue that affects only your own account such as unintended Tweets, DMs, or follows, abuse, harassment, spam, or phishing, please [find the appropriate form here](https://support.twitter.com/forms/).\n\nIf you are researching security issues, especially those which may compromise the privacy of others, please use test accounts in order to respect our users’ privacy.\n\n**Report Template**\n\nPlease be aware that the quality of your report is critical to your submission. To ensure that we are able to understand what you are reporting and the potential impact, please make sure your report contains the following items. You might want to consider using this as a template or checklist when writing up your report. \n\n* What type of issue are you reporting? Does it align to a CWE or OWASP issue?\n* How does a user reproduce your issue? (If this contains more than a few steps, please create a video so we can attempt to perform the same steps).\n* What is the impact of your issue?\n* What are some scenarios where an attacker would be able to leverage this vulnerability?\n* What would be your suggested fix?\n\n## Eligibility and Responsible Disclosure\n\nWe are happy to thank everyone who submits valid reports which help us improve the security of Twitter!  However, only those that meet the following eligibility requirements may receive a monetary reward: \n\n* You must be the first reporter of a vulnerability. 
\n* The vulnerability must be a qualifying vulnerability (see below) associated with a site or application in scope (see above).\n* We can’t be legally prohibited from rewarding you (for example, you can’t be a resident of or located within Cuba, Sudan, North Korea, Iran or Syria, a national of other certain countries, or on a denied parties or sanctions list). \n* You may not publicly disclose the vulnerability prior to our resolution.\n\n## Qualifying Vulnerabilities\n\nAny design or implementation issue that is reproducible and substantially affects the security of Twitter users is likely to be in scope for the program. Common examples include:\n\n* Cross Site Scripting (XSS)\n* Cross Site Request Forgery (CSRF)\n* Remote Code Execution (RCE)\n* Unauthorized Access to Protected Tweets\n* Unauthorized Access to DMs\n\nWhen in doubt, consider what an attack scenario would look like. How would the attacker benefit? What would be the consequence to the victim? The [Google Bug Hunters University guide](https://sites.google.com/site/bughunteruniversity/improve/writing-the-perfect-attack-scenario) may be useful in considering whether something has impact.\n\n## Non-Qualifying Vulnerabilities\n\nDepending on their impact, not all reported issues may qualify for a monetary reward. 
However, all reports are reviewed on a case-by-case basis and any report that results in a change being made will at a minimum receive Hall of Fame recognition.\n\nPlease refrain from accessing private information (so use test accounts), performing actions that may negatively affect Twitter users (spam, denial of service), or sending reports from automated tools without verifying them.\n\nThe following issues are outside the scope of our vulnerability rewards program (either ineligible or false positives):\n\n* Attacks requiring physical access to a user's device\n* Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability)\n* Login/logout CSRF\n* Password and account recovery policies, such as reset link expiration or password complexity\n* Invalid or missing SPF (Sender Policy Framework) records\n* Content spoofing / text injection\n* Issues related to software or protocols not under Twitter control\n* Reports of spam ([see here for more info](https://support.twitter.com/articles/64986-reporting-spam-on-twitter))\n* Bypass of URL malware detection\n* Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n* Social engineering of Twitter staff or contractors\n* Any physical attempts against Twitter property or data centers\n* Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages\n\n## The Fine Print\n\nYou must comply with all applicable laws in connection with your participation in this program.  You are also responsible for any applicable taxes associated with any reward you receive.\n\nWe may modify the terms of this program or terminate this program at any time.  We won’t apply any changes we make to these program terms retroactively. 
\n\nReports received prior to the paid bug bounty program launch (10:30 AM PST on September 3, 2014) are not eligible for monetary rewards.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-05-18T21:42:27.162Z"},{"id":2411112,"new_policy":"# Program Rules\n\nMaintaining top-notch security online is a community effort, and we’re lucky to have a vibrant group of independent security researchers who volunteer their time to help us spot potential issues. To recognize their efforts and the important role they play in keeping Twitter safe for everyone we offer a bounty for reporting certain qualifying security vulnerabilities.  Please review the following program rules before you report a vulnerability.  By participating in this program, you agree to be bound by these rules.\n\n## Rewards\n\nTwitter may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $140 USD.  There is no maximum reward. The following table outlines the usual minimum rewards for specific classes of vulnerabilities for in-scope properties (see section on Scope). 
\n\n|Vulnerability | Core Twitter [1]| All Other |\n------------- | -------------| -------------|\n|Remote Code Execution | $15,000| $10,000|\n|Significant Authentication Bypass | $7,500| $5,000|\n|Cross Site Scripting that can perform critical actions [2] [3] [4] [5] | $2,500| $1,500|\n|Cross Site Request Forgery on critical actions [2] [4]| $2,500| $1,500|\n|All other Cross Site Scripting [3] [4]| $1,000| $500|\n|All other Cross Site Request Forgery [4] | $250| $140|\n||||\n\n*[1] Core Twitter covers twitter.com, Twitter for iOS, Twitter for Android and reports permitting takeover of a Twitter account.*\n*[2] Critical actions include (but are not limited to) tweeting, retweeting, favoriting and direct messaging.*\n*[3] Excluding self-XSS.*\n*[4] Divide by half of the All Other amount for MoPub properties*\n*[5] Divide by half for XSS blocked by Content-Security-Policy settings*\n \nTwitter will determine in its discretion whether a reward should be granted and the amount of the reward - in particular we may choose to pay higher rewards for unusually clever or severe vulnerabilities or lower rewards for vulnerabilities that require significant or unusual user interaction. This is not a contest or competition. Rewards may be provided on an ongoing basis so long as this program is active.\n\n## Scope\n\nThe following sites and applications are in scope for this program:\n* *.twitter.com\n* vine.co\n* periscope.tv\n* Fabric SDK\n* MoPub\n* ZeroPush\n* Twitter for iOS / Android\n* Vine for iOS / Android\n* Periscope for iOS / Android\n\nVulnerabilities reported on other Twitter properties or applications are currently not eligible for monetary rewards (as they come into scope, they will be added to this section). However, they are still eligible for our [Hall of Fame](https://hackerone.com/twitter/thanks). 
High impact vulnerabilities will be considered on a case by case basis.\n\n## Reporting Possible Vulnerabilities\n\nYou must report a qualifying vulnerability through the HackerOne reporting tool to be eligible for a monetary reward.\n\nIf you have an issue that affects only your own account such as unintended Tweets, DMs, or follows, abuse, harassment, spam, or phishing, please [find the appropriate form here](https://support.twitter.com/forms/).\n\nIf you are researching security issues, especially those which may compromise the privacy of others, please use test accounts in order to respect our users’ privacy.\n\n**Report Template**\n\nPlease be aware that the quality of your report is critical to your submission. To ensure that we are able to understand what you are reporting and the potential impact, please make sure your report contains the following items. You might want to consider using this as a template or checklist when writing up your report. \n\n* What type of issue are you reporting? Does it align to a CWE or OWASP issue?\n* How does a user reproduce your issue? (If this contains more than a few steps, please create a video so we can attempt to perform the same steps).\n* What is the impact of your issue?\n* What are some scenarios where an attacker would be able to leverage this vulnerability?\n* What would be your suggested fix?\n\n## Eligibility and Responsible Disclosure\n\nWe are happy to thank everyone who submits valid reports which help us improve the security of Twitter!  However, only those that meet the following eligibility requirements may receive a monetary reward: \n\n* You must be the first reporter of a vulnerability. 
\n* The vulnerability must be a qualifying vulnerability (see below) associated with a site or application in scope (see above).\n* We can’t be legally prohibited from rewarding you (for example, you can’t be a resident of or located within Cuba, Sudan, North Korea, Iran or Syria, a national of other certain countries, or on a denied parties or sanctions list). \n* You may not publicly disclose the vulnerability prior to our resolution.\n\n## Qualifying Vulnerabilities\n\nAny design or implementation issue that is reproducible and substantially affects the security of Twitter users is likely to be in scope for the program. Common examples include:\n\n* Cross Site Scripting (XSS)\n* Cross Site Request Forgery (CSRF)\n* Remote Code Execution (RCE)\n* Unauthorized Access to Protected Tweets\n* Unauthorized Access to DMs\n\nWhen in doubt, consider what an attack scenario would look like. How would the attacker benefit? What would be the consequence to the victim? The [Google Bug Hunters University guide](https://sites.google.com/site/bughunteruniversity/improve/writing-the-perfect-attack-scenario) may be useful in considering whether something has impact.\n\n## Non-Qualifying Vulnerabilities\n\nDepending on their impact, not all reported issues may qualify for a monetary reward. 
However, all reports are reviewed on a case-by-case basis and any report that results in a change being made will at a minimum receive Hall of Fame recognition.\n\nPlease refrain from accessing private information (so use test accounts), performing actions that may negatively affect Twitter users (spam, denial of service), or sending reports from automated tools without verifying them.\n\nThe following issues are outside the scope of our vulnerability rewards program (either ineligible or false positives):\n\n* Attacks requiring physical access to a user's device\n* Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability)\n* Login/logout CSRF\n* Password and account recovery policies, such as reset link expiration or password complexity\n* Invalid or missing SPF (Sender Policy Framework) records\n* Content spoofing / text injection\n* Issues related to software or protocols not under Twitter control\n* Reports of spam ([see here for more info](https://support.twitter.com/articles/64986-reporting-spam-on-twitter))\n* Bypass of URL malware detection\n* Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n* Social engineering of Twitter staff or contractors\n* Any physical attempts against Twitter property or data centers\n* Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages\n\n## The Fine Print\n\nYou must comply with all applicable laws in connection with your participation in this program.  You are also responsible for any applicable taxes associated with any reward you receive.\n\nWe may modify the terms of this program or terminate this program at any time.  We won’t apply any changes we make to these program terms retroactively. 
\n\nReports received prior to the paid bug bounty program launch (10:30 AM PST on September 3, 2014) are not eligible for monetary rewards.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-03-25T20:57:57.051Z"},{"id":2411053,"new_policy":"# Program Rules\n\nMaintaining top-notch security online is a community effort, and we’re lucky to have a vibrant group of independent security researchers who volunteer their time to help us spot potential issues. To recognize their efforts and the important role they play in keeping Twitter safe for everyone we offer a bounty for reporting certain qualifying security vulnerabilities.  Please review the following program rules before you report a vulnerability.  By participating in this program, you agree to be bound by these rules.\n\n## Rewards\n\nTwitter may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $140 USD.  There is no maximum reward. The following table outlines the usual minimum rewards for specific classes of vulnerabilities for in-scope properties (see section on Scope). 
\n\n|Vulnerability | Core Twitter [1]| All Other |\n------------- | -------------| -------------|\n|Remote Code Execution | $15,000| $10,000|\n|Significant Authentication Bypass | $7,500| $5,000|\n|Cross Site Scripting that can perform critical actions [2] [3] [4] [5] | $2,500| $1,500|\n|All other Cross Site Scripting [3] [4]| $1,000| $500|\n|All other Cross Site Request Forgery [4] | $250| $140|\n||||\n\n*[1] Core Twitter covers twitter.com, Twitter for iOS, Twitter for Android and reports permitting takeover of a Twitter account.*\n*[2] Critical actions include (but are not limited to) tweeting, retweeting, favoriting and direct messaging.*\n*[3] Excluding self-XSS.*\n*[4] Divide by half of the All Other amount for MoPub properties*\n*[5] Divide by half for XSS blocked by Content-Security-Policy settings*\n \nTwitter will determine in its discretion whether a reward should be granted and the amount of the reward - in particular we may choose to pay higher rewards for unusually clever or severe vulnerabilities or lower rewards for vulnerabilities that require significant or unusual user interaction. This is not a contest or competition. Rewards may be provided on an ongoing basis so long as this program is active.\n\n## Scope\n\nThe following sites and applications are in scope for this program:\n* *.twitter.com\n* vine.co\n* periscope.tv\n* Fabric SDK\n* MoPub\n* ZeroPush\n* Twitter for iOS / Android\n* Vine for iOS / Android\n* Periscope for iOS / Android\n\nVulnerabilities reported on other Twitter properties or applications are currently not eligible for monetary rewards (as they come into scope, they will be added to this section). However, they are still eligible for our [Hall of Fame](https://hackerone.com/twitter/thanks). 
High impact vulnerabilities will be considered on a case by case basis.\n\n## Reporting Possible Vulnerabilities\n\nYou must report a qualifying vulnerability through the HackerOne reporting tool to be eligible for a monetary reward.\n\nIf you have an issue that affects only your own account such as unintended Tweets, DMs, or follows, abuse, harassment, spam, or phishing, please [find the appropriate form here](https://support.twitter.com/forms/).\n\nIf you are researching security issues, especially those which may compromise the privacy of others, please use test accounts in order to respect our users’ privacy.\n\n**Report Template**\n\nPlease be aware that the quality of your report is critical to your submission. To ensure that we are able to understand what you are reporting and the potential impact, please make sure your report contains the following items. You might want to consider using this as a template or checklist when writing up your report. \n\n* What type of issue are you reporting? Does it align to a CWE or OWASP issue?\n* How does a user reproduce your issue? (If this contains more than a few steps, please create a video so we can attempt to perform the same steps).\n* What is the impact of your issue?\n* What are some scenarios where an attacker would be able to leverage this vulnerability?\n* What would be your suggested fix?\n\n## Eligibility and Responsible Disclosure\n\nWe are happy to thank everyone who submits valid reports which help us improve the security of Twitter!  However, only those that meet the following eligibility requirements may receive a monetary reward: \n\n* You must be the first reporter of a vulnerability. 
\n* The vulnerability must be a qualifying vulnerability (see below) associated with a site or application in scope (see above).\n* We can’t be legally prohibited from rewarding you (for example, you can’t be a resident of or located within Cuba, Sudan, North Korea, Iran or Syria, a national of other certain countries, or on a denied parties or sanctions list). \n* You may not publicly disclose the vulnerability prior to our resolution.\n\n## Qualifying Vulnerabilities\n\nAny design or implementation issue that is reproducible and substantially affects the security of Twitter users is likely to be in scope for the program. Common examples include:\n\n* Cross Site Scripting (XSS)\n* Cross Site Request Forgery (CSRF)\n* Remote Code Execution (RCE)\n* Unauthorized Access to Protected Tweets\n* Unauthorized Access to DMs\n\nWhen in doubt, consider what an attack scenario would look like. How would the attacker benefit? What would be the consequence to the victim? The [Google Bug Hunters University guide](https://sites.google.com/site/bughunteruniversity/improve/writing-the-perfect-attack-scenario) may be useful in considering whether something has impact.\n\n## Non-Qualifying Vulnerabilities\n\nDepending on their impact, not all reported issues may qualify for a monetary reward. 
However, all reports are reviewed on a case-by-case basis and any report that results in a change being made will at a minimum receive Hall of Fame recognition.\n\nPlease refrain from accessing private information (so use test accounts), performing actions that may negatively affect Twitter users (spam, denial of service), or sending reports from automated tools without verifying them.\n\nThe following issues are outside the scope of our vulnerability rewards program (either ineligible or false positives):\n\n* Attacks requiring physical access to a user's device\n* Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability)\n* Login/logout CSRF\n* Password and account recovery policies, such as reset link expiration or password complexity\n* Invalid or missing SPF (Sender Policy Framework) records\n* Content spoofing / text injection\n* Issues related to software or protocols not under Twitter control\n* Reports of spam ([see here for more info](https://support.twitter.com/articles/64986-reporting-spam-on-twitter))\n* Bypass of URL malware detection\n* Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n* Social engineering of Twitter staff or contractors\n* Any physical attempts against Twitter property or data centers\n* Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages\n\n## The Fine Print\n\nYou must comply with all applicable laws in connection with your participation in this program.  You are also responsible for any applicable taxes associated with any reward you receive.\n\nWe may modify the terms of this program or terminate this program at any time.  We won’t apply any changes we make to these program terms retroactively. 
\n\nReports received prior to the paid bug bounty program launch (10:30 AM PST on September 3, 2014) are not eligible for monetary rewards.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-03-25T20:51:46.350Z"},{"id":2326770,"new_policy":"# Program Rules\n\nMaintaining top-notch security online is a community effort, and we’re lucky to have a vibrant group of independent security researchers who volunteer their time to help us spot potential issues. To recognize their efforts and the important role they play in keeping Twitter safe for everyone we offer a bounty for reporting certain qualifying security vulnerabilities.  Please review the following program rules before you report a vulnerability.  By participating in this program, you agree to be bound by these rules.\n\n## Rewards\n\nTwitter may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $140 USD.  There is no maximum reward. The following table outlines the usual minimum rewards for specific classes of vulnerabilities for in-scope properties (see section on Scope). 
\n\n|Vulnerability | Core Twitter [1]| All Other |\n------------- | -------------| -------------|\n|Remote Code Execution | $15,000| $10,000|\n|Significant Authentication Bypass | $7,500| $5,000|\n|Cross Site Scripting that can perform critical actions [2] [3] [4] [5] | $2,500| $1,500|\n|Cross Site Request Forgery on critical actions [2] [4]| $2,500| $1,500|\n|All other Cross Site Scripting [3] [4]| $1,000| $500|\n|All other Cross Site Request Forgery [4] | $250| $140|\n||||\n\n*[1] Core Twitter covers twitter.com, Twitter for iOS, Twitter for Android and reports permitting takeover of a Twitter account.*\n*[2] Critical actions include (but are not limited to) tweeting, retweeting, favoriting and direct messaging.*\n*[3] Excluding self-XSS.*\n*[4] Divide by half of the All Other amount for MoPub properties*\n*[5] Divide by half for XSS blocked by Content-Security-Policy settings*\n \nTwitter will determine in its discretion whether a reward should be granted and the amount of the reward - in particular we may choose to pay higher rewards for unusually clever or severe vulnerabilities or lower rewards for vulnerabilities that require significant or unusual user interaction. This is not a contest or competition. Rewards may be provided on an ongoing basis so long as this program is active.\n\n## Scope\n\nThe following sites and applications are in scope for this program:\n* *.twitter.com\n* vine.co\n* periscope.tv\n* Fabric SDK\n* MoPub\n* ZeroPush\n* Twitter for iOS / Android\n* Vine for iOS / Android\n* Periscope for iOS / Android\n\nVulnerabilities reported on other Twitter properties or applications are currently not eligible for monetary rewards (as they come into scope, they will be added to this section). However, they are still eligible for our [Hall of Fame](https://hackerone.com/twitter/thanks). 
High impact vulnerabilities will be considered on a case by case basis.\n\n## Reporting Possible Vulnerabilities\n\nYou must report a qualifying vulnerability through the HackerOne reporting tool to be eligible for a monetary reward.\n\nIf you have an issue that affects only your own account such as unintended Tweets, DMs, or follows, abuse, harassment, spam, or phishing, please [find the appropriate form here](https://support.twitter.com/forms/).\n\nIf you are researching security issues, especially those which may compromise the privacy of others, please use test accounts in order to respect our users’ privacy.\n\n**Report Template**\n\nPlease be aware that the quality of your report is critical to your submission. To ensure that we are able to understand what you are reporting and the potential impact, please make sure your report contains the following items. You might want to consider using this as a template or checklist when writing up your report. \n\n* What type of issue are you reporting? Does it align to a CWE or OWASP issue?\n* How does a user reproduce your issue? (If this contains more than a few steps, please create a video so we can attempt to perform the same steps).\n* What is the impact of your issue?\n* What are some scenarios where an attacker would be able to leverage this vulnerability?\n* What would be your suggested fix?\n\n## Eligibility and Responsible Disclosure\n\nWe are happy to thank everyone who submits valid reports which help us improve the security of Twitter!  However, only those that meet the following eligibility requirements may receive a monetary reward: \n\n* You must be the first reporter of a vulnerability. 
\n* The vulnerability must be a qualifying vulnerability (see below) associated with a site or application in scope (see above).\n* We can’t be legally prohibited from rewarding you (for example, you can’t be a resident of or located within Cuba, Sudan, North Korea, Iran or Syria, a national of other certain countries, or on a denied parties or sanctions list). \n* You may not publicly disclose the vulnerability prior to our resolution.\n\n## Qualifying Vulnerabilities\n\nAny design or implementation issue that is reproducible and substantially affects the security of Twitter users is likely to be in scope for the program. Common examples include:\n\n* Cross Site Scripting (XSS)\n* Cross Site Request Forgery (CSRF)\n* Remote Code Execution (RCE)\n* Unauthorized Access to Protected Tweets\n* Unauthorized Access to DMs\n\nWhen in doubt, consider what an attack scenario would look like. How would the attacker benefit? What would be the consequence to the victim? The ([Google Bug Hunters University guide](https://sites.google.com/site/bughunteruniversity/improve/writing-the-perfect-attack-scenario)) may be useful in considering whether something has impact.\n\n## Non-Qualifying Vulnerabilities\n\nDepending on their impact, not all reported issues may qualify for a monetary reward. 
However all reports are reviewed on a case-by-case basis and any report that results in a change being made will at a minimum receive Hall of Fame recognition.\n\nPlease refrain from accessing private information (so use test accounts), performing actions that may negatively affect Twitter users (spam, denial of service), or sending reports from automated tools without verifying them.\n\nThe following issues are outside the scope of our vulnerability rewards program (either ineligible or false positives):\n\n* Attacks requiring physical access to a user's device\n* Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability)\n* Login/logout CSRF\n* Password and account recovery policies, such as reset link expiration or password complexity\n* Invalid or missing SPF (Sender Policy Framework) records\n* Content spoofing / text injection\n* Issues related to software or protocols not under Twitter control\n* Reports of spam ([see here for more info](https://support.twitter.com/articles/64986-reporting-spam-on-twitter))\n* Bypass of URL malware detection\n* Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n* Social engineering of Twitter staff or contractors\n* Any physical attempts against Twitter property or data centers\n* Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages\n\n## The Fine Print\n\nYou must comply with all applicable laws in connection with your participation in this program.  You are also responsible for any applicable taxes associated with any reward you receive.\n\nWe may modify the terms of this program or terminate this program at any time.  We won’t apply any changes we make to these program terms retroactively. 
\n\nReports received prior to the paid bug bounty program launch (10:30 AM PST on September 3, 2014) are not eligible for monetary rewards.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-03-08T22:58:21.399Z"},{"id":2306309,"new_policy":"# Program Rules\n\nMaintaining top-notch security online is a community effort, and we’re lucky to have a vibrant group of independent security researchers who volunteer their time to help us spot potential issues. To recognize their efforts and the important role they play in keeping Twitter safe for everyone we offer a bounty for reporting certain qualifying security vulnerabilities.  Please review the following program rules before you report a vulnerability.  By participating in this program, you agree to be bound by these rules.\n\n## Rewards\n\nTwitter may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $140 USD.  There is no maximum reward. The following table outlines the usual minimum rewards for specific classes of vulnerabilities for in-scope properties (see section on Scope). 
\n\n|Vulnerability | Core Twitter [1]| All Other |\n------------- | -------------| -------------|\n|Remote Code Execution | $15,000| $10,000|\n|Significant Authentication Bypass | $7,500| $5,000|\n|Cross Site Scripting that can perform critical actions [2] [3] [4] [5] | $2,500| $1,500|\n|Cross Site Request Forgery on critical actions [2] [4]| $2,500| $1,500|\n|All other Cross Site Scripting [3] [4]| $1,000| $500|\n|All other Cross Site Request Forgery [4] | $250| $140|\n||||\n\n*[1] Core Twitter covers twitter.com, Twitter for iOS, Twitter for Android and reports permitting takeover of a Twitter account.*\n*[2] Critical actions include (but are not limited to) tweeting, retweeting, favoriting and direct messaging.*\n*[3] Excluding self-XSS.*\n*[4] Divide by half of the All Other amount for MoPub properties*\n*[5] Divide by half for XSS blocked by Content-Security-Policy settings*\n \nTwitter will determine in its discretion whether a reward should be granted and the amount of the reward - in particular we may choose to pay higher rewards for unusually clever or severe vulnerabilities or lower rewards for vulnerabilities that require significant or unusual user interaction. This is not a contest or competition. Rewards may be provided on an ongoing basis so long as this program is active.\n\n## Scope\n\nThe following sites and applications are in scope for this program:\n* *.twitter.com\n* vine.co\n* periscope.tv\n* Fabric SDK\n* MoPub\n* ZeroPush\n* Twitter for iOS / Android\n* Vine for iOS / Android\n* Periscope for iOS / Android\n\nVulnerabilities reported on other Twitter properties or applications are currently not eligible for monetary rewards (as they come into scope, they will be added to this section). However, they are still eligible for our [Hall of Fame](https://hackerone.com/twitter/thanks). 
High impact vulnerabilities will be considered on a case by case basis.\n\n## Reporting Possible Vulnerabilities\n\nYou must report a qualifying vulnerability through the HackerOne reporting tool to be eligible for a monetary reward.\n\nIf you have an issue that affects only your own account such as unintended Tweets, DMs, or follows, abuse, harassment, spam, or phishing, please [find the appropriate form here](https://support.twitter.com/forms/).\n\nIf you are researching security issues, especially those which may compromise the privacy of others, please use test accounts in order to respect our users’ privacy.\n\n**Report Template**\n\nPlease be aware that the quality of your report is critical to your submission. To ensure that we are able to understand what you are reporting and the potential impact, please make sure your report contains the following items. You might want to consider using this as a template or checklist when writing up your report. \n\n* What type of issue are you reporting? Does it align to a CWE or OWASP issue?\n* How does a user reproduce your issue? (If this contains more than a few steps, please create a video so we can attempt to perform the same steps).\n* What is the impact of your issue?\n* What are some scenarios where an attacker would be able to leverage this vulnerability?\n* What would be your suggested fix?\n\n## Eligibility and Responsible Disclosure\n\nWe are happy to thank everyone who submits valid reports which help us improve the security of Twitter!  However, only those that meet the following eligibility requirements may receive a monetary reward: \n\n* You must be the first reporter of a vulnerability. 
\n* The vulnerability must be a qualifying vulnerability (see below) associated with a site or application in scope (see above).\n* We can’t be legally prohibited from rewarding you (for example, you can’t be a resident of or located within Cuba, Sudan, North Korea, Iran or Syria, a national of other certain countries, or on a denied parties or sanctions list). \n* You may not publicly disclose the vulnerability prior to our resolution.\n\n## Qualifying Vulnerabilities\n\nAny design or implementation issue that is reproducible and substantially affects the security of Twitter users is likely to be in scope for the program. Common examples include:\n\n* Cross Site Scripting (XSS)\n* Cross Site Request Forgery (CSRF)\n* Remote Code Execution (RCE)\n* Unauthorized Access to Protected Tweets\n* Unauthorized Access to DMs\n\nWhen in doubt, consider what an attack scenario would look like. How would the attacker benefit? What would be the consequence to the victim? The ([Google Bug Hunters University guide](https://sites.google.com/site/bughunteruniversity/improve/writing-the-perfect-attack-scenario)) may be useful in considering whether something has impact.\n\n## Non-Qualifying Vulnerabilities\n\nDepending on their impact, not all reported issues may qualify for a monetary reward. 
However all reports are reviewed on a case-by-case basis and any report that results in a change being made will at a minimum receive Hall of Fame recognition.\n\nPlease refrain from accessing private information (so use test accounts), performing actions that may negatively affect Twitter users (spam, denial of service), or sending reports from automated tools without verifying them.\n\nThe following issues are outside the scope of our vulnerability rewards program (either ineligible or false positives):\n\n* Attacks requiring physical access to a user's device\n* Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability)\n* Login/logout CSRF\n* Password and account recovery policies, such as reset link expiration or password complexity\n* Invalid or missing SPF (Sender Policy Framework) records\n* Content spoofing / text injection\n* Issues related to software or protocols not under Twitter control\n* Reports of spam ([see here for more info](https://support.twitter.com/articles/64986-reporting-spam-on-twitter))\n* Bypass of URL malware detection\n* Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n* Social engineering of Twitter staff or contractors\n* Any physical attempts against Twitter property or data centers\n* Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages\n\n## The Fine Print\n\nYou must comply with all applicable laws in connection with your participation in this program.  You are also responsible for any applicable taxes associated with any reward you receive.\n\nWe may modify the terms of this program or terminate this program at any time.  We won’t apply any changes we make to these program terms retroactively. 
\n\nReports received prior to the paid bug bounty program launch (10:30 AM PST on September 3, 2014) are not eligible for monetary rewards.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-03-02T21:02:40.181Z"},{"id":2165533,"new_policy":"# Program Rules\n\nMaintaining top-notch security online is a community effort, and we’re lucky to have a vibrant group of independent security researchers who volunteer their time to help us spot potential issues. To recognize their efforts and the important role they play in keeping Twitter safe for everyone we offer a bounty for reporting certain qualifying security vulnerabilities.  Please review the following program rules before you report a vulnerability.  By participating in this program, you agree to be bound by these rules.\n\n## Rewards\n\nTwitter may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $140 USD.  There is no maximum reward. The following table outlines the usual minimum rewards for specific classes of vulnerabilities for in-scope properties (see section on Scope). 
\n\n|Vulnerability | Core Twitter [1]| All Other |\n------------- | -------------| -------------|\n|Remote Code Execution | $15,000| $10,000|\n|Significant Authentication Bypass | $7,500| $5,000|\n|Cross Site Scripting that can perform critical actions [2] [3] | $2,500| $1,500|\n|Cross Site Request Forgery on critical actions [2]| $2,500| $1,500|\n|All other Cross Site Scripting [3] | $1,000| $500|\n|All other Cross Site Request Forgery | $250| $140|\n||||\n\n*[1] Core Twitter covers twitter.com, Twitter for iOS, Twitter for Android and reports permitting takeover of a Twitter account.*\n*[2] Critical actions include (but are not limited to) tweeting, retweeting, favoriting and direct messaging.*\n*[3] Excluding self-XSS.*\n \nTwitter will determine in its discretion whether a reward should be granted and the amount of the reward - in particular we may choose to pay higher rewards for unusually clever or severe vulnerabilities or lower rewards for vulnerabilities that require significant or unusual user interaction. This is not a contest or competition. Rewards may be provided on an ongoing basis so long as this program is active.\n\n## Scope\n\nThe following sites and applications are in scope for this program:\n* *.twitter.com\n* vine.co\n* periscope.tv\n* Fabric SDK\n* MoPub\n* ZeroPush\n* Twitter for iOS / Android\n* Vine for iOS / Android\n* Periscope for iOS / Android\n\nVulnerabilities reported on other Twitter properties or applications are currently not eligible for monetary rewards (as they come into scope, they will be added to this section). However, they are still eligible for our [Hall of Fame](https://hackerone.com/twitter/thanks). 
High impact vulnerabilities will be considered on a case by case basis.\n\n## Reporting Possible Vulnerabilities\n\nYou must report a qualifying vulnerability through the HackerOne reporting tool to be eligible for a monetary reward.\n\nIf you have an issue that affects only your own account such as unintended Tweets, DMs, or follows, abuse, harassment, spam, or phishing, please [find the appropriate form here](https://support.twitter.com/forms/).\n\nIf you are researching security issues, especially those which may compromise the privacy of others, please use test accounts in order to respect our users’ privacy.\n\n**Report Template**\n\nPlease be aware that the quality of your report is critical to your submission. To ensure that we are able to understand what you are reporting and the potential impact, please make sure your report contains the following items. You might want to consider using this as a template or checklist when writing up your report. \n\n* What type of issue are you reporting? Does it align to a CWE or OWASP issue?\n* How does a user reproduce your issue? (If this contains more than a few steps, please create a video so we can attempt to perform the same steps).\n* What is the impact of your issue?\n* What are some scenarios where an attacker would be able to leverage this vulnerability?\n* What would be your suggested fix?\n\n## Eligibility and Responsible Disclosure\n\nWe are happy to thank everyone who submits valid reports which help us improve the security of Twitter!  However, only those that meet the following eligibility requirements may receive a monetary reward: \n\n* You must be the first reporter of a vulnerability. 
\n* The vulnerability must be a qualifying vulnerability (see below) associated with a site or application in scope (see above).\n* We can’t be legally prohibited from rewarding you (for example, you can’t be a resident of or located within Cuba, Sudan, North Korea, Iran or Syria, a national of other certain countries, or on a denied parties or sanctions list). \n* You may not publicly disclose the vulnerability prior to our resolution.\n\n## Qualifying Vulnerabilities\n\nAny design or implementation issue that is reproducible and substantially affects the security of Twitter users is likely to be in scope for the program. Common examples include:\n\n* Cross Site Scripting (XSS)\n* Cross Site Request Forgery (CSRF)\n* Remote Code Execution (RCE)\n* Unauthorized Access to Protected Tweets\n* Unauthorized Access to DMs\n\nWhen in doubt, consider what an attack scenario would look like. How would the attacker benefit? What would be the consequence to the victim? The ([Google Bug Hunters University guide](https://sites.google.com/site/bughunteruniversity/improve/writing-the-perfect-attack-scenario)) may be useful in considering whether something has impact.\n\n## Non-Qualifying Vulnerabilities\n\nDepending on their impact, not all reported issues may qualify for a monetary reward. 
However all reports are reviewed on a case-by-case basis and any report that results in a change being made will at a minimum receive Hall of Fame recognition.\n\nPlease refrain from accessing private information (so use test accounts), performing actions that may negatively affect Twitter users (spam, denial of service), or sending reports from automated tools without verifying them.\n\nThe following issues are outside the scope of our vulnerability rewards program (either ineligible or false positives):\n\n* Attacks requiring physical access to a user's device\n* Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability)\n* Login/logout CSRF\n* Password and account recovery policies, such as reset link expiration or password complexity\n* Invalid or missing SPF (Sender Policy Framework) records\n* Content spoofing / text injection\n* Issues related to software or protocols not under Twitter control\n* Reports of spam ([see here for more info](https://support.twitter.com/articles/64986-reporting-spam-on-twitter))\n* Bypass of URL malware detection\n* Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n* Social engineering of Twitter staff or contractors\n* Any physical attempts against Twitter property or data centers\n* Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages\n\n## The Fine Print\n\nYou must comply with all applicable laws in connection with your participation in this program.  You are also responsible for any applicable taxes associated with any reward you receive.\n\nWe may modify the terms of this program or terminate this program at any time.  We won’t apply any changes we make to these program terms retroactively. 
\n\nReports received prior to the paid bug bounty program launch (10:30 AM PST on September 3, 2014) are not eligible for monetary rewards.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-01-13T22:18:42.248Z"},{"id":1961617,"new_policy":"# Program Rules\n\nMaintaining top-notch security online is a community effort, and we’re lucky to have a vibrant group of independent security researchers who volunteer their time to help us spot potential issues. To recognize their efforts and the important role they play in keeping Twitter safe for everyone we offer a bounty for reporting certain qualifying security vulnerabilities.  Please review the following program rules before you report a vulnerability.  By participating in this program, you agree to be bound by these rules.\n\n## Rewards\n\nTwitter may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $140 USD.  There is no maximum reward. The following table outlines the usual minimum rewards for specific classes of vulnerabilities for in-scope properties (see section on Scope). 
\n\n|Vulnerability | Core Twitter [1]| All Other |\n------------- | -------------| -------------|\n|Remote Code Execution | $15,000| $10,000|\n|Significant Authentication Bypass | $7,500| $5,000|\n|Cross Site Scripting that can perform critical actions [2] [3] | $2,500| $1,500|\n|Cross Site Request Forgery on critical actions [2]| $2,500| $1,500|\n|All other Cross Site Scripting [3] | $1,000| $500|\n|All other Cross Site Request Forgery | $250| $140|\n||||\n\n*[1] Core Twitter covers twitter.com, Twitter for iOS, Twitter for Android and reports permitting takeover of a Twitter account.*\n*[2] Critical actions include (but are not limited to) tweeting, retweeting, favoriting and direct messaging.*\n*[3] Excluding self-XSS.*\n \nTwitter will determine in its discretion whether a reward should be granted and the amount of the reward - in particular we may choose to pay higher rewards for unusually clever or severe vulnerabilities or lower rewards for vulnerabilities that require significant or unusual user interaction. This is not a contest or competition. Rewards may be provided on an ongoing basis so long as this program is active.\n\n## Scope\n\nThe following sites and applications are in scope for this program:\n* *.twitter.com\n* vine.co\n* periscope.tv\n* Fabric SDK\n* MoPub\n* Twitter for iOS / Android\n* Vine for iOS / Android\n* Periscope for iOS / Android\n\nVulnerabilities reported on other Twitter properties or applications are currently not eligible for monetary rewards (as they come into scope, they will be added to this section). However, they are still eligible for our [Hall of Fame](https://hackerone.com/twitter/thanks). 
High impact vulnerabilities will be considered on a case by case basis.\n\n## Reporting Possible Vulnerabilities\n\nYou must report a qualifying vulnerability through the HackerOne reporting tool to be eligible for a monetary reward.\n\nIf you have an issue that affects only your own account such as unintended Tweets, DMs, or follows, abuse, harassment, spam, or phishing, please [find the appropriate form here](https://support.twitter.com/forms/).\n\nIf you are researching security issues, especially those which may compromise the privacy of others, please use test accounts in order to respect our users’ privacy.\n\n**Report Template**\n\nPlease be aware that the quality of your report is critical to your submission. To ensure that we are able to understand what you are reporting and the potential impact, please make sure your report contains the following items. You might want to consider using this as a template or checklist when writing up your report. \n\n* What type of issue are you reporting? Does it align to a CWE or OWASP issue?\n* How does a user reproduce your issue? (If this contains more than a few steps, please create a video so we can attempt to perform the same steps).\n* What is the impact of your issue?\n* What are some scenarios where an attacker would be able to leverage this vulnerability?\n* What would be your suggested fix?\n\n## Eligibility and Responsible Disclosure\n\nWe are happy to thank everyone who submits valid reports which help us improve the security of Twitter!  However, only those that meet the following eligibility requirements may receive a monetary reward: \n\n* You must be the first reporter of a vulnerability. 
\n* The vulnerability must be a qualifying vulnerability (see below) associated with a site or application in scope (see above).\n* We can’t be legally prohibited from rewarding you (for example, you can’t be a resident of or located within Cuba, Sudan, North Korea, Iran or Syria, a national of other certain countries, or on a denied parties or sanctions list). \n* You may not publicly disclose the vulnerability prior to our resolution.\n\n## Qualifying Vulnerabilities\n\nAny design or implementation issue that is reproducible and substantially affects the security of Twitter users is likely to be in scope for the program. Common examples include:\n\n* Cross Site Scripting (XSS)\n* Cross Site Request Forgery (CSRF)\n* Remote Code Execution (RCE)\n* Unauthorized Access to Protected Tweets\n* Unauthorized Access to DMs\n\nWhen in doubt, consider what an attack scenario would look like. How would the attacker benefit? What would be the consequence to the victim? The ([Google Bug Hunters University guide](https://sites.google.com/site/bughunteruniversity/improve/writing-the-perfect-attack-scenario)) may be useful in considering whether something has impact.\n\n## Non-Qualifying Vulnerabilities\n\nDepending on their impact, not all reported issues may qualify for a monetary reward. 
However all reports are reviewed on a case-by-case basis and any report that results in a change being made will at a minimum receive Hall of Fame recognition.\n\nPlease refrain from accessing private information (so use test accounts), performing actions that may negatively affect Twitter users (spam, denial of service), or sending reports from automated tools without verifying them.\n\nThe following issues are outside the scope of our vulnerability rewards program (either ineligible or false positives):\n\n* Attacks requiring physical access to a user's device\n* Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability)\n* Login/logout CSRF\n* Password and account recovery policies, such as reset link expiration or password complexity\n* Invalid or missing SPF (Sender Policy Framework) records\n* Content spoofing / text injection\n* Issues related to software or protocols not under Twitter control\n* Reports of spam ([see here for more info](https://support.twitter.com/articles/64986-reporting-spam-on-twitter))\n* Bypass of URL malware detection\n* Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n* Social engineering of Twitter staff or contractors\n* Any physical attempts against Twitter property or data centers\n* Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages\n\n## The Fine Print\n\nYou must comply with all applicable laws in connection with your participation in this program.  You are also responsible for any applicable taxes associated with any reward you receive.\n\nWe may modify the terms of this program or terminate this program at any time.  We won’t apply any changes we make to these program terms retroactively. 
\n\nReports received prior to the paid bug bounty program launch (10:30 AM PST on September 3, 2014) are not eligible for monetary rewards.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-11-04T00:42:19.971Z"},{"id":1767503,"new_policy":"# Program Rules\n\nMaintaining top-notch security online is a community effort, and we’re lucky to have a vibrant group of independent security researchers who volunteer their time to help us spot potential issues. To recognize their efforts and the important role they play in keeping Twitter safe for everyone we offer a bounty for reporting certain qualifying security vulnerabilities.  Please review the following program rules before you report a vulnerability.  By participating in this program, you agree to be bound by these rules.\n\n## Rewards\n\nTwitter may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $140 USD.  There is no maximum reward. The following table outlines the usual minimum rewards for specific classes of vulnerabilities for in-scope properties (see section on Scope). 
\n\n|Vulnerability | Reward|\n------------- | -------------|\n|Remote Code Execution | $10,000|\n|Significant Authentication Bypass | $5,000|\n|Cross Site Scripting that can perform critical actions [1] [2] | $2,500|\n|Cross Site Request Forgery on critical actions [1]| $2,500|\n|All other Cross Site Scripting [2] | $1,000|\n|All other Cross Site Request Forgery | $250|\n|||\n\n*[1] Critical actions include (but are not limited to) tweeting, retweeting, favoriting and direct messaging.*\n*[2] Excluding self-XSS.*\n \nTwitter will determine in its discretion whether a reward should be granted and the amount of the reward - in particular we may choose to pay higher rewards for unusually clever or severe vulnerabilities or lower rewards for vulnerabilities that require significant or unusual user interaction. This is not a contest or competition. Rewards may be provided on an ongoing basis so long as this program is active.\n\n## Scope\n\nThe following sites and applications are in scope for this program:\n* *.twitter.com\n* vine.co\n* periscope.tv\n* Fabric SDK\n* Twitter for iOS / Android\n* Vine for iOS / Android\n* Periscope for iOS / Android\n\nVulnerabilities reported on other Twitter properties or applications are currently not eligible for monetary rewards (as they come into scope, they will be added to this section). 
However, they are still eligible for our [Hall of Fame](https://hackerone.com/twitter/thanks).\n\n## Reporting Possible Vulnerabilities\n\nYou must report a qualifying vulnerability through the HackerOne reporting tool to be eligible for a monetary reward.\n\nIf you have an issue that affects only your own account such as unintended Tweets, DMs, or follows, abuse, harassment, spam, or phishing, please [find the appropriate form here](https://support.twitter.com/forms/).\n\nIf you are researching security issues, especially those which may compromise the privacy of others, please use test accounts in order to respect our users’ privacy.\n\n## Eligibility and Responsible Disclosure\n\nWe are happy to thank everyone who submits valid reports which help us improve the security of Twitter!  However, only those that meet the following eligibility requirements may receive a monetary reward: \n\n* You must be the first reporter of a vulnerability. \n* The vulnerability must be a qualifying vulnerability (see below) associated with a site or application in scope (see above).\n* We can’t be legally prohibited from rewarding you (for example, you can’t be a resident of or located within Cuba, Sudan, North Korea, Iran or Syria, a national of other certain countries, or on a denied parties or sanctions list). \n* You may not publicly disclose the vulnerability prior to our resolution.\n\n## Qualifying Vulnerabilities\n\nAny design or implementation issue that is reproducible and substantially affects the security of Twitter users is likely to be in scope for the program. Common examples include:\n\n* Cross Site Scripting (XSS)\n* Cross Site Request Forgery (CSRF)\n* Remote Code Execution (RCE)\n* Unauthorized Access to Protected Tweets\n* Unauthorized Access to DMs\n\n## Non-Qualifying Vulnerabilities\n\nDepending on their impact, not all reported issues may qualify for a monetary reward. 
However all reports are reviewed on a case-by-case basis and any report that results in a change being made will at a minimum receive Hall of Fame recognition.\n\nPlease refrain from accessing private information (so use test accounts), performing actions that may negatively affect Twitter users (spam, denial of service), or sending reports from automated tools without verifying them.\n\nThe following issues are outside the scope of our vulnerability rewards program (either ineligible or false positives):\n\n* Attacks requiring physical access to a user's device\n* Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability)\n* Login/logout CSRF\n* Password and account recovery policies, such as reset link expiration or password complexity\n* Missing security headers which do not lead directly to a vulnerability\n* Invalid SPF (Sender Policy Framework) records\n* Clickjacking on static websites\n* Content spoofing / text injection\n* Cookies missing secure flag set\n* Use of a known-vulnerable library (without evidence of exploitability)\n* Descriptive / unique error pages (we require evidence of actual vulnerability)\n* Issues related to software or protocols not under Twitter control\n* Reports from automated tools or scans\n* Reports of spam ([see here for more info](https://support.twitter.com/articles/64986-reporting-spam-on-twitter))\n* Bypass of URL malware detection\n* Vulnerabilities affecting users of outdated or unpatched browsers and platforms\n* Social engineering of Twitter staff or contractors\n* Any physical attempts against Twitter property or data centers\n\n## The Fine Print\n\nYou must comply with all applicable laws in connection with your participation in this program.  You are also responsible for any applicable taxes associated with any reward you receive.\n\nWe may modify the terms of this program or terminate this program at any time.  We won’t apply any changes we make to these program terms retroactively. 
\n\nReports received prior to the paid bug bounty program launch (10:30 AM PST on September 3, 2014) are not eligible for monetary rewards.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-08-19T17:52:00.873Z"},{"id":1664681,"new_policy":"# Program Rules\n\nMaintaining top-notch security online is a community effort, and we’re lucky to have a vibrant group of independent security researchers who volunteer their time to help us spot potential issues. To recognize their efforts and the important role they play in keeping Twitter safe for everyone we offer a bounty for reporting certain qualifying security vulnerabilities.  Please review the following program rules before you report a vulnerability.  By participating in this program, you agree to be bound by these rules.\n\n## Rewards\n\nTwitter may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $140 USD.  There is no maximum reward. The following table outlines the usual minimum rewards for specific classes of vulnerabilities for in-scope properties (see section on Scope). 
\n\n|Vulnerability | Reward|\n------------- | -------------|\n|Remote Code Execution | $10,000|\n|Significant Authentication Bypass | $5,000|\n|Cross Site Scripting that can perform critical actions [1] [2] | $2,500|\n|Cross Site Request Forgery on critical actions [1]| $2,500|\n|All other Cross Site Scripting [2] | $1,000|\n|All other Cross Site Request Forgery | $250|\n|||\n\n*[1] Critical actions include (but are not limited to) tweeting, retweeting, favoriting and direct messaging.*\n*[2] Excluding self-XSS.*\n \nTwitter will determine in its discretion whether a reward should be granted and the amount of the reward - in particular we may choose to pay higher rewards for unusually clever or severe vulnerabilities or lower rewards for vulnerabilities that require significant or unusual user interaction. This is not a contest or competition. Rewards may be provided on an ongoing basis so long as this program is active.\n\n## Scope\n\nThe following sites and applications are in scope for this program:\n* *.twitter.com\n* vine.co\n* periscope.tv\n* Fabric SDK\n* Twitter for iOS / Android\n* Vine for iOS / Android\n* Periscope for iOS / Android\n\nVulnerabilities reported on other Twitter properties or applications are currently not eligible for monetary rewards (as they come into scope, they will be added to this section). 
However, they are still eligible for our [Hall of Fame](https://hackerone.com/twitter/thanks).\n\n## Reporting Possible Vulnerabilities\n\nYou must report a qualifying vulnerability through the HackerOne reporting tool to be eligible for a monetary reward.\n\nIf you have an issue that affects only your own account such as unintended Tweets, DMs, or follows, abuse, harassment, spam, or phishing, please [find the appropriate form here](https://support.twitter.com/forms/).\n\nIf you are researching security issues, especially those which may compromise the privacy of others, please use test accounts in order to respect our users’ privacy.\n\n## Eligibility and Responsible Disclosure\n\nWe are happy to thank everyone who submits valid reports which help us improve the security of Twitter!  However, only those that meet the following eligibility requirements may receive a monetary reward: \n\n* You must be the first reporter of a vulnerability. \n* The vulnerability must be a qualifying vulnerability (see below) associated with a site or application in scope (see above).\n* We can’t be legally prohibited from rewarding you (for example, you can’t be a resident of or located within Cuba, Sudan, North Korea, Iran or Syria, a national of certain other countries, or on a denied parties or sanctions list). \n* You may not publicly disclose the vulnerability prior to our resolution.\n\n## Qualifying Vulnerabilities\n\nAny design or implementation issue that is reproducible and substantially affects the security of Twitter users is likely to be in scope for the program. Common examples include:\n\n* Cross Site Scripting (XSS)\n* Cross Site Request Forgery (CSRF)\n* Remote Code Execution (RCE)\n* Unauthorized Access to Protected Tweets\n* Unauthorized Access to DMs\n\n## Non-Qualifying Vulnerabilities\n\nDepending on their impact, not all reported issues may qualify for a monetary reward. 
However all reports are reviewed on a case-by-case basis and any report that results in a change being made will at a minimum receive Hall of Fame recognition.\n\nPlease refrain from accessing private information (so use test accounts), performing actions that may negatively affect Twitter users (spam, denial of service), or sending reports from automated tools without verifying them.\n\nThe following issues are outside the scope of our vulnerability rewards program (either ineligible or false positives):\n\n* Attacks requiring physical access to a user's device\n* Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability)\n* Login/logout CSRF\n* Password and account recovery policies, such as reset link expiration or password complexity\n* Missing security headers which do not lead directly to a vulnerability\n* Clickjacking on static websites\n* Content spoofing / text injection\n* Use of a known-vulnerable library (without evidence of exploitability)\n* Issues related to software or protocols not under Twitter control\n* Reports from automated tools or scans\n* Reports of spam ([see here for more info](https://support.twitter.com/articles/64986-reporting-spam-on-twitter))\n* Bypass of URL malware detection\n* Vulnerabilities affecting users of outdated or unpatched browsers and platforms\n* Social engineering of Twitter staff or contractors\n* Any physical attempts against Twitter property or data centers\n\n## The Fine Print\n\nYou must comply with all applicable laws in connection with your participation in this program.  You are also responsible for any applicable taxes associated with any reward you receive.\n\nWe may modify the terms of this program or terminate this program at any time.  We won’t apply any changes we make to these program terms retroactively. 
\n\nReports received prior to the paid bug bounty program launch (10:30 AM PST on September 3, 2014) are not eligible for monetary rewards.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-07-14T17:27:20.521Z"},{"id":1656827,"new_policy":"# Program Rules\n\nMaintaining top-notch security online is a community effort, and we’re lucky to have a vibrant group of independent security researchers who volunteer their time to help us spot potential issues. To recognize their efforts and the important role they play in keeping Twitter safe for everyone we offer a bounty for reporting certain qualifying security vulnerabilities.  Please review the following program rules before you report a vulnerability.  By participating in this program, you agree to be bound by these rules.\n\n## Rewards\n\nTwitter may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $140 USD.  There is no maximum reward. The following table outlines the usual minimum rewards for specific classes of vulnerabilities for in-scope properties (see section on Scope). 
\n\n|Vulnerability | Reward|\n------------- | -------------|\n|Remote Code Execution | $10,000|\n|Significant Authentication Bypass | $5,000|\n|Cross Site Scripting that can perform critical actions [1] [2] | $2,500|\n|Cross Site Request Forgery on critical actions [1]| $2,500|\n|All other Cross Site Scripting [2] | $1,000|\n|All other Cross Site Request Forgery | $250|\n|||\n\n*[1] Critical actions include (but are not limited to) tweeting, retweeting, favoriting and direct messaging.*\n*[2] Excluding self-XSS.*\n \nTwitter will determine in its discretion whether a reward should be granted and the amount of the reward - in particular we may choose to pay higher rewards for unusually clever or severe vulnerabilities or lower rewards for vulnerabilities that require significant or unusual user interaction. This is not a contest or competition. Rewards may be provided on an ongoing basis so long as this program is active.\n\n## Scope\n\nThe following sites and applications are in scope for this program:\n* *.twitter.com\n* vine.co\n* Fabric SDK\n* Twitter for iOS\n* Twitter for Android\n* Vine for iOS\n* Vine for Android\n\nVulnerabilities reported on other Twitter properties or applications are currently not eligible for monetary rewards (as they come into scope, they will be added to this section). 
However, they are still eligible for our [Hall of Fame](https://hackerone.com/twitter/thanks).\n\n## Reporting Possible Vulnerabilities\n\nYou must report a qualifying vulnerability through the HackerOne reporting tool to be eligible for a monetary reward.\n\nIf you have an issue that affects only your own account such as unintended Tweets, DMs, or follows, abuse, harassment, spam, or phishing, please [find the appropriate form here](https://support.twitter.com/forms/).\n\nIf you are researching security issues, especially those which may compromise the privacy of others, please use test accounts in order to respect our users’ privacy.\n\n## Eligibility and Responsible Disclosure\n\nWe are happy to thank everyone who submits valid reports which help us improve the security of Twitter!  However, only those that meet the following eligibility requirements may receive a monetary reward: \n\n* You must be the first reporter of a vulnerability. \n* The vulnerability must be a qualifying vulnerability (see below) associated with a site or application in scope (see above).\n* We can’t be legally prohibited from rewarding you (for example, you can’t be a resident of or located within Cuba, Sudan, North Korea, Iran or Syria, a national of certain other countries, or on a denied parties or sanctions list). \n* You may not publicly disclose the vulnerability prior to our resolution.\n\n## Qualifying Vulnerabilities\n\nAny design or implementation issue that is reproducible and substantially affects the security of Twitter users is likely to be in scope for the program. Common examples include:\n\n* Cross Site Scripting (XSS)\n* Cross Site Request Forgery (CSRF)\n* Remote Code Execution (RCE)\n* Unauthorized Access to Protected Tweets\n* Unauthorized Access to DMs\n\n## Non-Qualifying Vulnerabilities\n\nDepending on their impact, not all reported issues may qualify for a monetary reward. 
However all reports are reviewed on a case-by-case basis and any report that results in a change being made will at a minimum receive Hall of Fame recognition.\n\nPlease refrain from accessing private information (so use test accounts), performing actions that may negatively affect Twitter users (spam, denial of service), or sending reports from automated tools without verifying them.\n\nThe following issues are outside the scope of our vulnerability rewards program (either ineligible or false positives):\n\n* Attacks requiring physical access to a user's device\n* Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability)\n* Login/logout CSRF\n* Password and account recovery policies, such as reset link expiration or password complexity\n* Missing security headers which do not lead directly to a vulnerability\n* Clickjacking on static websites\n* Content spoofing / text injection\n* Use of a known-vulnerable library (without evidence of exploitability)\n* Issues related to software or protocols not under Twitter control\n* Reports from automated tools or scans\n* Reports of spam ([see here for more info](https://support.twitter.com/articles/64986-reporting-spam-on-twitter))\n* Bypass of URL malware detection\n* Vulnerabilities affecting users of outdated or unpatched browsers and platforms\n* Social engineering of Twitter staff or contractors\n* Any physical attempts against Twitter property or data centers\n\n## The Fine Print\n\nYou must comply with all applicable laws in connection with your participation in this program.  You are also responsible for any applicable taxes associated with any reward you receive.\n\nWe may modify the terms of this program or terminate this program at any time.  We won’t apply any changes we make to these program terms retroactively. 
\n\nReports received prior to the paid bug bounty program launch (10:30 AM PST on September 3, 2014) are not eligible for monetary rewards.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-07-10T18:04:38.622Z"},{"id":1656824,"new_policy":"# Program Rules\n\nMaintaining top-notch security online is a community effort, and we’re lucky to have a vibrant group of independent security researchers who volunteer their time to help us spot potential issues. To recognize their efforts and the important role they play in keeping Twitter safe for everyone we offer a bounty for reporting certain qualifying security vulnerabilities.  Please review the following program rules before you report a vulnerability.  By participating in this program, you agree to be bound by these rules.\n\n## Rewards\n\nTwitter may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $140 USD.  There is no maximum reward. The following table outlines the usual minimum rewards for specific classes of vulnerabilities for in-scope properties (see section on Scope). 
\n\n|Vulnerability | Reward|\n------------- | -------------|\n|Remote Code Execution | $10,000|\n|Significant Authentication Bypass | $5,000|\n|Cross Site Scripting that can perform critical actions [1] [2] | $2,500|\n|Cross Site Request Forgery on critical actions [1]| $2,500|\n|All other Cross Site Scripting [2] | $1,000|\n|All other Cross Site Request Forgery [2] | $250|\n|||\n\n*[1] Critical actions include (but are not limited to) tweeting, retweeting, favoriting and direct messaging.*\n*[2] Excluding self-XSS.*\n \nTwitter will determine in its discretion whether a reward should be granted and the amount of the reward - in particular we may choose to pay higher rewards for unusually clever or severe vulnerabilities or lower rewards for vulnerabilities that require significant or unusual user interaction. This is not a contest or competition. Rewards may be provided on an ongoing basis so long as this program is active.\n\n## Scope\n\nThe following sites and applications are in scope for this program:\n* *.twitter.com\n* vine.co\n* Fabric SDK\n* Twitter for iOS\n* Twitter for Android\n* Vine for iOS\n* Vine for Android\n\nVulnerabilities reported on other Twitter properties or applications are currently not eligible for monetary rewards (as they come into scope, they will be added to this section). 
However, they are still eligible for our [Hall of Fame](https://hackerone.com/twitter/thanks).\n\n## Reporting Possible Vulnerabilities\n\nYou must report a qualifying vulnerability through the HackerOne reporting tool to be eligible for a monetary reward.\n\nIf you have an issue that affects only your own account such as unintended Tweets, DMs, or follows, abuse, harassment, spam, or phishing, please [find the appropriate form here](https://support.twitter.com/forms/).\n\nIf you are researching security issues, especially those which may compromise the privacy of others, please use test accounts in order to respect our users’ privacy.\n\n## Eligibility and Responsible Disclosure\n\nWe are happy to thank everyone who submits valid reports which help us improve the security of Twitter!  However, only those that meet the following eligibility requirements may receive a monetary reward: \n\n* You must be the first reporter of a vulnerability. \n* The vulnerability must be a qualifying vulnerability (see below) associated with a site or application in scope (see above).\n* We can’t be legally prohibited from rewarding you (for example, you can’t be a resident of or located within Cuba, Sudan, North Korea, Iran or Syria, a national of certain other countries, or on a denied parties or sanctions list). \n* You may not publicly disclose the vulnerability prior to our resolution.\n\n## Qualifying Vulnerabilities\n\nAny design or implementation issue that is reproducible and substantially affects the security of Twitter users is likely to be in scope for the program. Common examples include:\n\n* Cross Site Scripting (XSS)\n* Cross Site Request Forgery (CSRF)\n* Remote Code Execution (RCE)\n* Unauthorized Access to Protected Tweets\n* Unauthorized Access to DMs\n\n## Non-Qualifying Vulnerabilities\n\nDepending on their impact, not all reported issues may qualify for a monetary reward. 
However all reports are reviewed on a case-by-case basis and any report that results in a change being made will at a minimum receive Hall of Fame recognition.\n\nPlease refrain from accessing private information (so use test accounts), performing actions that may negatively affect Twitter users (spam, denial of service), or sending reports from automated tools without verifying them.\n\nThe following issues are outside the scope of our vulnerability rewards program (either ineligible or false positives):\n\n* Attacks requiring physical access to a user's device\n* Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability)\n* Login/logout CSRF\n* Password and account recovery policies, such as reset link expiration or password complexity\n* Missing security headers which do not lead directly to a vulnerability\n* Clickjacking on static websites\n* Content spoofing / text injection\n* Use of a known-vulnerable library (without evidence of exploitability)\n* Issues related to software or protocols not under Twitter control\n* Reports from automated tools or scans\n* Reports of spam ([see here for more info](https://support.twitter.com/articles/64986-reporting-spam-on-twitter))\n* Bypass of URL malware detection\n* Vulnerabilities affecting users of outdated or unpatched browsers and platforms\n* Social engineering of Twitter staff or contractors\n* Any physical attempts against Twitter property or data centers\n\n## The Fine Print\n\nYou must comply with all applicable laws in connection with your participation in this program.  You are also responsible for any applicable taxes associated with any reward you receive.\n\nWe may modify the terms of this program or terminate this program at any time.  We won’t apply any changes we make to these program terms retroactively. 
\n\nReports received prior to the paid bug bounty program launch (10:30 AM PST on September 3, 2014) are not eligible for monetary rewards.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-07-10T18:03:38.388Z"},{"id":1656798,"new_policy":"# Program Rules\n\nMaintaining top-notch security online is a community effort, and we’re lucky to have a vibrant group of independent security researchers who volunteer their time to help us spot potential issues. To recognize their efforts and the important role they play in keeping Twitter safe for everyone we offer a bounty for reporting certain qualifying security vulnerabilities.  Please review the following program rules before you report a vulnerability.  By participating in this program, you agree to be bound by these rules.\n\n## Rewards\n\nTwitter may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $140 USD.  There is no maximum reward. Reward amounts may vary depending upon the severity of the vulnerability reported. Twitter will determine in its discretion whether a reward should be granted and the amount of the reward.  This is not a contest or competition. Rewards may be provided on an ongoing basis so long as this program is active.\n\nThe following table outlines the usual minimum rewards for specific classes of vulnerabilities for in-scope properties (see section on Scope). As with all rewards, final amounts are determined at Twitter's discretion - we may choose to pay higher rewards for unusually clever or severe vulnerabilities or lower rewards for vulnerabilities that require significant or unusual user interaction. 
\n\n|Vulnerability | Reward|\n------------- | -------------|\n|Remote Code Execution | $10,000|\n|Significant Authentication Bypass | $5,000|\n|Cross Site Scripting that can perform critical actions [1] [2] | $2,500|\n|Cross Site Request Forgery on critical actions [1]| $2,500|\n|All other Cross Site Scripting [2] | $1,000|\n|All other Cross Site Request Forgery [2] | $250|\n|||\n\n[1] Critical actions include (but are not limited to) tweeting, retweeting, favoriting and direct messaging.\n[2] Excluding self-XSS.\n\n## Scope\n\nThe following sites and applications are in scope for this program:\n* *.twitter.com\n* vine.co\n* Fabric SDK\n* Twitter for iOS\n* Twitter for Android\n* Vine for iOS\n* Vine for Android\n\nVulnerabilities reported on other Twitter properties or applications are currently not eligible for monetary rewards (as they come into scope, they will be added to this section). However, they are still eligible for our [Hall of Fame](https://hackerone.com/twitter/thanks).\n\n## Reporting Possible Vulnerabilities\n\nYou must report a qualifying vulnerability through the HackerOne reporting tool to be eligible for a monetary reward.\n\nIf you have an issue that affects only your own account such as unintended Tweets, DMs, or follows, abuse, harassment, spam, or phishing, please [find the appropriate form here](https://support.twitter.com/forms/).\n\nIf you are researching security issues, especially those which may compromise the privacy of others, please use test accounts in order to respect our users’ privacy.\n\n## Eligibility and Responsible Disclosure\n\nWe are happy to thank everyone who submits valid reports which help us improve the security of Twitter!  However, only those that meet the following eligibility requirements may receive a monetary reward: \n\n* You must be the first reporter of a vulnerability. 
\n* The vulnerability must be a qualifying vulnerability (see below) associated with a site or application in scope (see above).\n* We can’t be legally prohibited from rewarding you (for example, you can’t be a resident of or located within Cuba, Sudan, North Korea, Iran or Syria, a national of certain other countries, or on a denied parties or sanctions list). \n* You may not publicly disclose the vulnerability prior to our resolution.\n\n## Qualifying Vulnerabilities\n\nAny design or implementation issue that is reproducible and substantially affects the security of Twitter users is likely to be in scope for the program. Common examples include:\n\n* Cross Site Scripting (XSS)\n* Cross Site Request Forgery (CSRF)\n* Remote Code Execution (RCE)\n* Unauthorized Access to Protected Tweets\n* Unauthorized Access to DMs\n\n## Non-Qualifying Vulnerabilities\n\nDepending on their impact, not all reported issues may qualify for a monetary reward. However all reports are reviewed on a case-by-case basis and any report that results in a change being made will at a minimum receive Hall of Fame recognition.\n\nPlease refrain from accessing private information (so use test accounts), performing actions that may negatively affect Twitter users (spam, denial of service), or sending reports from automated tools without verifying them.\n\nThe following issues are outside the scope of our vulnerability rewards program (either ineligible or false positives):\n\n* Attacks requiring physical access to a user's device\n* Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability)\n* Login/logout CSRF\n* Password and account recovery policies, such as reset link expiration or password complexity\n* Missing security headers which do not lead directly to a vulnerability\n* Clickjacking on static websites\n* Content spoofing / text injection\n* Use of a known-vulnerable library (without evidence of exploitability)\n* Issues related to software or protocols not under 
Twitter control\n* Reports from automated tools or scans\n* Reports of spam ([see here for more info](https://support.twitter.com/articles/64986-reporting-spam-on-twitter))\n* Bypass of URL malware detection\n* Vulnerabilities affecting users of outdated or unpatched browsers and platforms\n* Social engineering of Twitter staff or contractors\n* Any physical attempts against Twitter property or data centers\n\n## The Fine Print\n\nYou must comply with all applicable laws in connection with your participation in this program.  You are also responsible for any applicable taxes associated with any reward you receive.\n\nWe may modify the terms of this program or terminate this program at any time.  We won’t apply any changes we make to these program terms retroactively. \n\nReports received prior to the paid bug bounty program launch (10:30 AM PST on September 3, 2014) are not eligible for monetary rewards.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-07-10T17:57:03.602Z"},{"id":1656789,"new_policy":"# Program Rules\n\nMaintaining top-notch security online is a community effort, and we’re lucky to have a vibrant group of independent security researchers who volunteer their time to help us spot potential issues. To recognize their efforts and the important role they play in keeping Twitter safe for everyone we offer a bounty for reporting certain qualifying security vulnerabilities.  Please review the following program rules before you report a vulnerability.  By participating in this program, you agree to be bound by these rules.\n\n## Rewards\n\nTwitter may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $140 USD.  There is no maximum reward. 
Reward amounts may vary depending upon the severity of the vulnerability reported. Twitter will determine in its discretion whether a reward should be granted and the amount of the reward.  This is not a contest or competition. Rewards may be provided on an ongoing basis so long as this program is active.\n\nThe following table outlines the usual minimum rewards for specific classes of vulnerabilities for in-scope properties (see section on Scope). We may choose to pay higher rewards for unusually clever or severe vulnerabilities or lower rewards for vulnerabilities that require significant or unusual user interaction. \n\n|Vulnerability | Reward|\n------------- | -------------|\n|Remote Code Execution | $10,000|\n|Significant Authentication Bypass | $5,000|\n|Cross Site Scripting that can perform critical actions [1] [2] | $2,500|\n|Cross Site Request Forgery on critical actions [1]| $2,500|\n|All other Cross Site Scripting [2] | $1,000|\n|All other Cross Site Request Forgery [2] | $250|\n|||\n\n[1] Critical actions include (but are not limited to) tweeting, retweeting, favoriting and direct messaging.\n[2] Excluding self-XSS.\n\n## Scope\n\nThe following sites and applications are in scope for this program:\n* *.twitter.com\n* vine.co\n* Fabric SDK\n* Twitter for iOS\n* Twitter for Android\n* Vine for iOS\n* Vine for Android\n\nVulnerabilities reported on other Twitter properties or applications are currently not eligible for monetary rewards (as they come into scope, they will be added to this section). 
However, they are still eligible for our [Hall of Fame](https://hackerone.com/twitter/thanks).\n\n## Reporting Possible Vulnerabilities\n\nYou must report a qualifying vulnerability through the HackerOne reporting tool to be eligible for a monetary reward.\n\nIf you have an issue that affects only your own account such as unintended Tweets, DMs, or follows, abuse, harassment, spam, or phishing, please [find the appropriate form here](https://support.twitter.com/forms/).\n\nIf you are researching security issues, especially those which may compromise the privacy of others, please use test accounts in order to respect our users’ privacy.\n\n## Eligibility and Responsible Disclosure\n\nWe are happy to thank everyone who submits valid reports which help us improve the security of Twitter!  However, only those that meet the following eligibility requirements may receive a monetary reward: \n\n* You must be the first reporter of a vulnerability. \n* The vulnerability must be a qualifying vulnerability (see below) associated with a site or application in scope (see above).\n* We can’t be legally prohibited from rewarding you (for example, you can’t be a resident of or located within Cuba, Sudan, North Korea, Iran or Syria, a national of certain other countries, or on a denied parties or sanctions list). \n* You may not publicly disclose the vulnerability prior to our resolution.\n\n## Qualifying Vulnerabilities\n\nAny design or implementation issue that is reproducible and substantially affects the security of Twitter users is likely to be in scope for the program. Common examples include:\n\n* Cross Site Scripting (XSS)\n* Cross Site Request Forgery (CSRF)\n* Remote Code Execution (RCE)\n* Unauthorized Access to Protected Tweets\n* Unauthorized Access to DMs\n\n## Non-Qualifying Vulnerabilities\n\nDepending on their impact, not all reported issues may qualify for a monetary reward. 
However all reports are reviewed on a case-by-case basis and any report that results in a change being made will at a minimum receive Hall of Fame recognition.\n\nPlease refrain from accessing private information (so use test accounts), performing actions that may negatively affect Twitter users (spam, denial of service), or sending reports from automated tools without verifying them.\n\nThe following issues are outside the scope of our vulnerability rewards program (either ineligible or false positives):\n\n* Attacks requiring physical access to a user's device\n* Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability)\n* Login/logout CSRF\n* Password and account recovery policies, such as reset link expiration or password complexity\n* Missing security headers which do not lead directly to a vulnerability\n* Clickjacking on static websites\n* Content spoofing / text injection\n* Use of a known-vulnerable library (without evidence of exploitability)\n* Issues related to software or protocols not under Twitter control\n* Reports from automated tools or scans\n* Reports of spam ([see here for more info](https://support.twitter.com/articles/64986-reporting-spam-on-twitter))\n* Bypass of URL malware detection\n* Vulnerabilities affecting users of outdated or unpatched browsers and platforms\n* Social engineering of Twitter staff or contractors\n* Any physical attempts against Twitter property or data centers\n\n## The Fine Print\n\nYou must comply with all applicable laws in connection with your participation in this program.  You are also responsible for any applicable taxes associated with any reward you receive.\n\nWe may modify the terms of this program or terminate this program at any time.  We won’t apply any changes we make to these program terms retroactively. 
\n\nReports received prior to the paid bug bounty program launch (10:30 AM PST on September 3, 2014) are not eligible for monetary rewards.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-07-10T17:54:54.689Z"},{"id":1656771,"new_policy":"# Program Rules\n\nMaintaining top-notch security online is a community effort, and we’re lucky to have a vibrant group of independent security researchers who volunteer their time to help us spot potential issues. To recognize their efforts and the important role they play in keeping Twitter safe for everyone we offer a bounty for reporting certain qualifying security vulnerabilities.  Please review the following program rules before you report a vulnerability.  By participating in this program, you agree to be bound by these rules.\n\n## Rewards\n\nTwitter may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $140 USD.  There is no maximum reward. Reward amounts may vary depending upon the severity of the vulnerability reported. Twitter will determine in its discretion whether a reward should be granted and the amount of the reward.  This is not a contest or competition. 
Rewards may be provided on an ongoing basis so long as this program is active.\n\nThe following table outlines the minimum rewards for specific classes of vulnerabilities for in-scope properties (see section on Scope): \n\n|Vulnerability | Minimum|\n|------------- | -------------|\n|Remote Code Execution | $10,000|\n|Significant Authentication Bypass | $5,000|\n|Cross Site Scripting that can perform critical actions [1] [2] [3] | $2,500|\n|Cross Site Request Forgery on critical actions [1] [2]| $2,500|\n|All other Cross Site Scripting [2] [3] | $1,000|\n|All other Cross Site Request Forgery [2] | $250|\n\n[1] Critical actions include (but are not limited to) tweeting, retweeting, favoriting and direct messaging.\n[2] Vulnerabilities requiring significant user interaction will generally not qualify for the minimum.\n[3] Excluding self-XSS.\n\n## Scope\n\nThe following sites and applications are in scope for this program:\n* *.twitter.com\n* vine.co\n* Fabric SDK\n* Twitter for iOS\n* Twitter for Android\n* Vine for iOS\n* Vine for Android\n\nVulnerabilities reported on other Twitter properties or applications are currently not eligible for monetary rewards (as they come into scope, they will be added to this section). 
However, they are still eligible for our [Hall of Fame](https://hackerone.com/twitter/thanks).\n\n## Reporting Possible Vulnerabilities\n\nYou must report a qualifying vulnerability through the HackerOne reporting tool to be eligible for a monetary reward.\n\nIf you have an issue that affects only your own account, such as unintended Tweets, DMs, or follows, abuse, harassment, spam, or phishing, please [find the appropriate form here](https://support.twitter.com/forms/).\n\nIf you are researching security issues, especially those which may compromise the privacy of others, please use test accounts in order to respect our users’ privacy.\n\n## Eligibility and Responsible Disclosure\n\nWe are happy to thank everyone who submits valid reports which help us improve the security of Twitter!  However, only those that meet the following eligibility requirements may receive a monetary reward: \n\n* You must be the first reporter of a vulnerability. \n* The vulnerability must be a qualifying vulnerability (see below) associated with a site or application in scope (see above).\n* We can’t be legally prohibited from rewarding you (for example, you can’t be a resident of or located within Cuba, Sudan, North Korea, Iran or Syria, a national of certain other countries, or on a denied parties or sanctions list). \n* You may not publicly disclose the vulnerability prior to our resolution.\n\n## Qualifying Vulnerabilities\n\nAny design or implementation issue that is reproducible and substantially affects the security of Twitter users is likely to be in scope for the program. Common examples include:\n\n* Cross Site Scripting (XSS)\n* Cross Site Request Forgery (CSRF)\n* Remote Code Execution (RCE)\n* Unauthorized Access to Protected Tweets\n* Unauthorized Access to DMs\n\n## Non-Qualifying Vulnerabilities\n\nDepending on their impact, not all reported issues may qualify for a monetary reward. 
However, all reports are reviewed on a case-by-case basis, and any report that results in a change being made will at a minimum receive Hall of Fame recognition.\n\nPlease refrain from accessing private information (so use test accounts), performing actions that may negatively affect Twitter users (spam, denial of service), or sending reports from automated tools without verifying them.\n\nThe following issues are outside the scope of our vulnerability rewards program (either ineligible or false positives):\n\n* Attacks requiring physical access to a user's device\n* Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability)\n* Login/logout CSRF\n* Password and account recovery policies, such as reset link expiration or password complexity\n* Missing security headers which do not lead directly to a vulnerability\n* Clickjacking on static websites\n* Content spoofing / text injection\n* Use of a known-vulnerable library (without evidence of exploitability)\n* Issues related to software or protocols not under Twitter control\n* Reports from automated tools or scans\n* Reports of spam ([see here for more info](https://support.twitter.com/articles/64986-reporting-spam-on-twitter))\n* Bypass of URL malware detection\n* Vulnerabilities affecting users of outdated or unpatched browsers and platforms\n* Social engineering of Twitter staff or contractors\n* Any physical attempts against Twitter property or data centers\n\n## The Fine Print\n\nYou must comply with all applicable laws in connection with your participation in this program.  You are also responsible for any applicable taxes associated with any reward you receive.\n\nWe may modify the terms of this program or terminate this program at any time.  We won’t apply any changes we make to these program terms retroactively. 
\n\nReports received prior to the paid bug bounty program launch (10:30 AM PST on September 3, 2014) are not eligible for monetary rewards.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-07-10T17:44:02.686Z"},{"id":1429360,"new_policy":"# Program Rules\n\nMaintaining top-notch security online is a community effort, and we’re lucky to have a vibrant group of independent security researchers who volunteer their time to help us spot potential issues. To recognize their efforts and the important role they play in keeping Twitter safe for everyone we offer a bounty for reporting certain qualifying security vulnerabilities.  Please review the following program rules before you report a vulnerability.  By participating in this program, you agree to be bound by these rules.\n\n## Rewards\n\nTwitter may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $140 USD.  There is no maximum reward. Reward amounts may vary depending upon the severity of the vulnerability reported. Twitter will determine in its discretion whether a reward should be granted and the amount of the reward.  This is not a contest or competition. 
Rewards may be provided on an ongoing basis so long as this program is active.\n\nThe following table outlines the minimum rewards for specific classes of vulnerabilities for in-scope properties (see section on Scope): \n\n|Vulnerability | Minimum|\n|------------- | -------------|\n|Remote Code Execution | $10,000|\n|Significant Authentication Bypass | $5,000|\n|Cross Site Scripting that can perform critical actions [1] [2] | $2,500|\n|Cross Site Request Forgery on critical actions [1]| $2,500|\n|All other Cross Site Scripting [2] | $1,000|\n|All other Cross Site Request Forgery | $250|\n\n[1] Critical actions include (but are not limited to) tweeting, retweeting, favoriting and direct messaging. In addition, vulnerabilities requiring user interaction generally will qualify for lower award amounts.\n[2] Excluding self-XSS.\n\n## Scope\n\nThe following sites and applications are in scope for this program:\n* *.twitter.com\n* vine.co\n* Fabric SDK\n* Twitter for iOS\n* Twitter for Android\n* Vine for iOS\n* Vine for Android\n\nVulnerabilities reported on other Twitter properties or applications are currently not eligible for monetary rewards (as they come into scope, they will be added to this section). 
However, they are still eligible for our [Hall of Fame](https://hackerone.com/twitter/thanks).\n\n## Reporting Possible Vulnerabilities\n\nYou must report a qualifying vulnerability through the HackerOne reporting tool to be eligible for a monetary reward.\n\nIf you have an issue that affects only your own account, such as unintended Tweets, DMs, or follows, abuse, harassment, spam, or phishing, please [find the appropriate form here](https://support.twitter.com/forms/).\n\nIf you are researching security issues, especially those which may compromise the privacy of others, please use test accounts in order to respect our users’ privacy.\n\n## Eligibility and Responsible Disclosure\n\nWe are happy to thank everyone who submits valid reports which help us improve the security of Twitter!  However, only those that meet the following eligibility requirements may receive a monetary reward: \n\n* You must be the first reporter of a vulnerability. \n* The vulnerability must be a qualifying vulnerability (see below) associated with a site or application in scope (see above).\n* We can’t be legally prohibited from rewarding you (for example, you can’t be a resident of or located within Cuba, Sudan, North Korea, Iran or Syria, a national of certain other countries, or on a denied parties or sanctions list). \n* You may not publicly disclose the vulnerability prior to our resolution.\n\n## Qualifying Vulnerabilities\n\nAny design or implementation issue that is reproducible and substantially affects the security of Twitter users is likely to be in scope for the program. Common examples include:\n\n* Cross Site Scripting (XSS)\n* Cross Site Request Forgery (CSRF)\n* Remote Code Execution (RCE)\n* Unauthorized Access to Protected Tweets\n* Unauthorized Access to DMs\n\n## Non-Qualifying Vulnerabilities\n\nDepending on their impact, not all reported issues may qualify for a monetary reward. 
However, all reports are reviewed on a case-by-case basis, and any report that results in a change being made will at a minimum receive Hall of Fame recognition.\n\nPlease refrain from accessing private information (so use test accounts), performing actions that may negatively affect Twitter users (spam, denial of service), or sending reports from automated tools without verifying them.\n\nThe following issues are outside the scope of our vulnerability rewards program (either ineligible or false positives):\n\n* Attacks requiring physical access to a user's device\n* Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability)\n* Login/logout CSRF\n* Password and account recovery policies, such as reset link expiration or password complexity\n* Missing security headers which do not lead directly to a vulnerability\n* Clickjacking on static websites\n* Content spoofing / text injection\n* Use of a known-vulnerable library (without evidence of exploitability)\n* Issues related to software or protocols not under Twitter control\n* Reports from automated tools or scans\n* Reports of spam ([see here for more info](https://support.twitter.com/articles/64986-reporting-spam-on-twitter))\n* Bypass of URL malware detection\n* Vulnerabilities affecting users of outdated or unpatched browsers and platforms\n* Social engineering of Twitter staff or contractors\n* Any physical attempts against Twitter property or data centers\n\n## The Fine Print\n\nYou must comply with all applicable laws in connection with your participation in this program.  You are also responsible for any applicable taxes associated with any reward you receive.\n\nWe may modify the terms of this program or terminate this program at any time.  We won’t apply any changes we make to these program terms retroactively. 
\n\nReports received prior to the paid bug bounty program launch (10:30 AM PST on September 3, 2014) are not eligible for monetary rewards.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-05-04T17:12:52.722Z"},{"id":1413401,"new_policy":"\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-04-27T22:26:12.889Z"}]