Banner object (1)

Hack and Take the Cash !

851 bounties in database
  Back Link to program      
SEMrush logo
Hall of Fame


100 $ 


No technology is perfect, and SEMrush believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.

Program Rules:

  • Automated testing is not permitted.
  • Follow HackerOne’s Disclosure Guidelines.
  • Test only with your own account(s) when investigating bugs, and do not interact with other accounts without the consent of their owners.
  • When duplicates occur, we award the first report that we can completely reproduce.
  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
  • We award bounties at time of validation, and will keep you posted as we work to resolve them.
  • Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
  • We only accept the latest version of browsers for Google Chrome, Mozilla Firefox, Opera, Safari, and Edge.


Please follow the report template that we provided to minimize the response time and increase your chance to get a worthy reward.


Since a large part of our product is paid, we give researchers who proved themselves a promo-code for a paid SEMrush functionality. If you want to dive deeper into testing our product, write to us in an existing valid report and we will give you a promo-code. To decide whether to issue it or not we will look at your signal/impact/reputation on H1 platform and the reports you previously sent us. The final decision on issuing a promo-code rests with the SEMrush security team.


Your requests can be blocked by the WAF solution we use. So if you get error 445, but you feel that you have found a vulnerability and you have serious reasons to believe that the vulnerability really exists - you can write to us about it on the report, we will investigate your case and maybe temporary add your IP to the white list.

While researching, we'd like to ask you to refrain from:

  • Denial of service
  • Spamming
  • Social engineering (including phishing) of SEMrush staff or contractors
  • Any physical attempts against SEMrush property or data centers
  • CSRF - site wide and known issue
  • Any issues related to software not under SEMrush’s control

The following bugs are unlikely to be eligible for a bounty:

  • Missing DNSSEC settings (we're working it)
  • Issues found through automated testing
  • "Scanner output" or scanner-generated reports
  • Attacks requiring physical access to a user's device
  • Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, HTTP methods, cookie flags, or descriptive error messages
  • Brute Force attacks
  • Spam or Social Engineering techniques, including SPF/DMARC/DKIM issues
  • Issues relating to Password Policy - strength, length, lock outs, or lack of brute-force/rate limiting protections
  • Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV. Reflected file download attacks (RFD)
  • SSL/TLS best practices that do not contain a fully functional proof of concept
  • Tab nabbing and window.opener-related issues
  • Vulnerabilities affecting users of outdated browsers, plugins or platforms
  • Vulnerabilities that allow for the injection of arbitrary text without allowing for hyperlinks, HTML, or JavaScript code to be injected
  • Vulnerabilities that require the user/victim to perform extremely unlikely actions (i.e. Self-XSS)
  • Bugs that do not represent any security risk - these should be reported to
  • IDN homograph attacks

API/API key related bugs

When you test requests to API or with API key - be careful - change api key to test auth issues not cookies.

Thank you for helping keep SEMrush and our users safe!

In Scope

Scope Type Scope Name







Out of Scope

Scope Type Scope Name




The public program SEMrush on the platform Hackerone has been updated on 2019-08-03, The lowest reward is 100 $.

FireBounty © 2015-2019

Legal notices