Algolia is committed to working with security experts across the globe to stay
up to date with the latest security techniques. If you have discovered a
security issue that you believe we should know about, we'd welcome working
with you. Please let us know about it and we'll make every effort to quickly
correct the issue.
DO NOT use automated scanning tools
- Website related endpoints on www.algolia.com __
- API related endpoints on .algolia.net or .algolianet.com
Minimum reward is $100 for security vulnerabilities. The reward depends on the
vulnerability severity and will be paid via HackerOne only. Every researcher
with accepted vulnerability will be mentioned on
Issues without security impact are not eligible for a bounty, yet still
welcomed and will be treated like any other report.
- You must be the first reporter of the vulnerability.
- You follow https://hackerone.com/disclosure-guidelines
- You do not access data of other users and solely use your created accounts.
- You may not publicly disclose the vulnerability prior to our resolution.
- You are not an individual on, or residing in any country on, any U.S. sanctions lists.
- You provide a working proof of concept that exploits the security issue
- Login/Logout CSRF
- Social engineering on customers or employees of Algolia
- Self-XSS (we require evidence on how the XSS can be used to attack another Algolia user)
- Miss of rate limits
- Report from automated tools and scans
- Vulnerabilities sending spam or unauthorised messages
- Bugs in 3rd party software
- X-Frame-Options related
- Customer's sites
- Relating to HSTS
- Missing security headers which do not lead directly to a vulnerability
- Physical attack on the infrastructure
- Theoretical attacks
- Breaking of SSL/TLS trust
- Compromising of browser/device (ex. computer sharing, physical access to a user's device, ...)
- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms
- Password and account recovery policies, such as reset link expiration or password complexity
- Vulnerabilities without solution on our side (HEIST, ...)
- Outdated DNS record pointing to system which does not belong to Algolia