No technology is perfect, and SEMrush believes that working with skilled
security researchers across the globe is crucial in identifying weaknesses in
any technology. If you believe you've found a security issue in our product or
service, we encourage you to notify us. We welcome working with you to resolve
the issue promptly.
- Automated testing is not permitted.
- Follow HackerOne’s Disclosure Guidelines.
- Test only with your own account(s) when investigating bugs, and do not interact with other accounts without the consent of their owners.
- When duplicates occur, we award the first report that we can completely reproduce.
- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
- We award bounties at time of validation, and will keep you posted as we work to resolve them.
- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
- We only accept reports against the latest versions of Google Chrome, Mozilla Firefox, Opera, Safari, and Edge.
Please follow the report template we provide to minimize response time and
increase your chance of a worthwhile reward.
Since a large part of our product is paid, we give researchers who have proven
themselves a promo code for paid SEMrush functionality. If you want to dive
deeper into testing our product, ask us in an existing valid report and we
will issue you a promo code. To decide whether to issue one, we look at your
signal, impact and reputation on the HackerOne platform and at the reports you
have previously sent us. The final decision on issuing a promo code rests with
the SEMrush security team.
Your requests may be blocked by the WAF we use. If you receive error 445 but
have serious reasons to believe you have found a real vulnerability, describe
it in a report; we will investigate your case and may temporarily add your IP
to the allow list.
While researching, we ask you to refrain from:
- Denial of service
- Social engineering (including phishing) of SEMrush staff or contractors
- Any physical attempts against SEMrush property or data centers
- CSRF (a known, site-wide issue)
- Any issues related to software not under SEMrush’s control
The following bugs are unlikely to be eligible for a bounty:
- Missing DNSSEC settings (we're working on it)
- Issues found through automated testing
- "Scanner output" or scanner-generated reports
- Attacks requiring physical access to a user's device
- Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, HTTP methods, cookie flags, or descriptive error messages
- Brute Force attacks
- Spam or Social Engineering techniques, including SPF/DMARC/DKIM issues
- Issues relating to Password Policy - strength, length, lock outs, or lack of brute-force/rate limiting protections
- CSV injection (execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV) and Reflected File Download (RFD) attacks
- SSL/TLS best practices that do not contain a fully functional proof of concept
- Tab nabbing and window.opener-related issues
- Vulnerabilities affecting users of outdated browsers, plugins or platforms
- Vulnerabilities that require the user/victim to perform extremely unlikely actions (e.g. Self-XSS)
- Bugs that do not represent any security risk - these should be reported to email@example.com
- IDN homograph attacks
API / API key related bugs
When testing API requests, or any request that carries an API key, be careful:
to test authorization issues, swap the API key between your own accounts, not
the cookies. Session cookies are not what authenticates those requests, so
swapping them proves nothing.
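The point above, as an added example that is not code from the SEMrush program or this page: an endpoint that authenticates by API key ignores the session cookie, so the only request that exercises its authorization check is the one where the key belongs to a different account you own. The endpoint, header name, key format, project IDs and both accounts below are constructed stand-ins (a hardened and a deliberately broken version of the same endpoint are modelled in-process so the script runs offline).

```python
# Added example (not SEMrush code): why authorization tests against an
# API-key-authenticated endpoint must swap the key, not the cookies.
# All names, keys and data here are constructed assumptions.

ACCOUNTS = {  # constructed: two accounts the researcher owns
    "alice": {"api_key": "key_alice_0001", "session": "sess_alice"},
    "bob":   {"api_key": "key_bob_0002",   "session": "sess_bob"},
}
PROJECT_OWNER = {"p1": "alice", "p2": "alice", "p3": "bob"}  # constructed


def user_for_key(api_key):
    """Map an X-Api-Key value to an account name, or None if unknown."""
    for name, acct in ACCOUNTS.items():
        if acct["api_key"] == api_key:
            return name
    return None


def api_hardened(headers, cookies, project_id):
    """Stand-in for GET /projects/{id}. Identity comes from X-Api-Key only;
    the session cookie is never read, and ownership is enforced."""
    user = user_for_key(headers.get("X-Api-Key"))
    if user is None:
        return 401
    if PROJECT_OWNER.get(project_id) != user:
        return 403
    return 200


def api_vulnerable(headers, cookies, project_id):
    """Same endpoint with the ownership check missing (an IDOR):
    any valid key can read any project."""
    if user_for_key(headers.get("X-Api-Key")) is None:
        return 401
    return 200 if project_id in PROJECT_OWNER else 404


def request(endpoint, key_owner, cookie_owner, project_id):
    """Send a request whose API key and session cookie may belong to
    different accounts, so each credential can be varied independently."""
    headers = {"X-Api-Key": ACCOUNTS[key_owner]["api_key"]}
    cookies = {"session": ACCOUNTS[cookie_owner]["session"]}
    return endpoint(headers, cookies, project_id)


def auth_matrix(endpoint, project_id="p1"):
    """The three requests to compare for a resource alice owns.
    Returns status codes keyed by variant: baseline (alice key, alice
    cookie), cookie_swap (alice key, bob cookie), key_swap (bob key,
    alice cookie). Only key_swap tests the authorization check."""
    return {
        "baseline":    request(endpoint, "alice", "alice", project_id),
        "cookie_swap": request(endpoint, "alice", "bob", project_id),
        "key_swap":    request(endpoint, "bob", "alice", project_id),
    }


def is_idor(endpoint, project_id="p1"):
    """True when another account's API key can read alice's resource."""
    return auth_matrix(endpoint, project_id)["key_swap"] == 200


if __name__ == "__main__":
    for name, ep in (("hardened", api_hardened), ("vulnerable", api_vulnerable)):
        print(name, auth_matrix(ep), "IDOR" if is_idor(ep) else "ok")
```

Against both versions the cookie-swap request returns 200, which says nothing about authorization because the cookie is never consulted; the key-swap request is the one that distinguishes the hardened endpoint (403) from the broken one (200). Note that both accounts in the matrix are the researcher's own, as the program rules require.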
Thank you for helping keep SEMrush and our users safe!