2015-06-30
2020-04-23

Reward

200 $ 

Statuspage

Statuspage launched in 2013 to give companies a better way to be more transparent with their customers. We recognize managing a status page outside of one’s own infrastructure can be a hassle, and hope to increase the transparency of the web by making it easier to do so.

Before you begin, please read and understand the Standard Disclosure Terms.

Below is a list of some of the vulnerability classes that we are seeking reports for:

  • Server-side Remote Code Execution (RCE)
  • Server-Side Request Forgery (SSRF)
  • Stored/Reflected Cross-site Scripting (XSS)
  • Cross-site Request Forgery (CSRF)
  • SQL Injection (SQLi)
  • XML External Entity Attacks (XXE)
  • Access Control Vulnerabilities (Insecure Direct Object Reference issues, etc)
  • Path/Directory Traversal Issues

Ensure you review the out of scope and exclusions list for further details.

Accessing Statuspage

Please visit <https://manage.statuspage.io/security-researcher> to identify yourself as a security researcher; this will give you a free account for a month. You'll need to create an account and log in to view this page.

Scope and rewards

Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email support@bugcrowd.com. We will address your issue as soon as possible.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.

In Scope

Scope Type         Scope Name
web_application    *.statuspage.io
web_application    manage.statuspage.io


On this program you get up to 4000 $ for the most critical vulnerability.
