Last updated: 2017.02.03.
To join the program you should read this whole page, and only proceed if you are OK with everything.
If you disclose your findings responsibly, we will not bring any lawsuit against you or launch any investigation into you. The most important rules of responsible disclosure are:
There are some domains (listed below) that are more important to us right now. Please focus on these. If you responsibly disclose anything outside the scope and we make changes in our code base based on your submission, you will also be rewarded. However, this is done at our discretion, and please remember that the scope gives bug hunters legal protection.
The following domains (and every web service accessible on them) are the most important for us right now:
Please note that although the backends for our iPad and desktop applications are in scope, the applications themselves are not; therefore they are not eligible for any bounty. The same applies to any 3rd party services we use:
We really don’t have the right to allow you to hack those. Please resolve our subdomains before any testing to verify that they are not pointing to some external / 3rd party service.
The basic reward for eligible vulnerabilities for the first person to report one is 200 USD; however we will increase it at our discretion for distinctly creative or severe bugs. If you would like to, we would be happy to grant you an additional free Plus subscription for a year and add your name to our Security Hall of Fame.
Submissions of web vulnerabilities with a valid attack scenario, which demonstrate exploitability and have significant impact on our users can be eligible for a reward (e.g. XSS, Authentication bypass, SQL Injection, Remote code execution…). We reserve the right to decide if the submission should be rewarded with a bounty.
In general, the following would not meet the threshold required for severity:
The following table shows illustrative examples of estimated expectable bounties for different vulnerability types:
Vulnerability type | Estimated bounty ($)
--- | ---
Open redirect | 200
Stored XSS | 750
Reflected XSS | 500
CSRF (prezi content change) | 500
CSRF (language settings change) | 200
Prezi account takeover (not password bruteforce/guessing) | 1000
SQL injection on auth. table | 1000
Remote code execution | 1500
Just drop a mail to firstname.lastname@example.org [PGP] with enough information for us to reconstruct the attack. We’ll reach out to you once we have processed your mail. In case you have found multiple vulnerabilities, please send them in separate emails to help us keep track of them.
We believe in transparency, therefore every time we receive and start to process a vulnerability report we will create a private gist (gist.github.com) with the following details: timestamp of the incoming mail, vulnerability type, affected service / domain, researcher contact (if agreed to share).
Please note that by design these details will not be detailed enough to fully reproduce the attack.
The gists will only be shared with researchers who send us a previously reported vulnerability and they will be deleted one week after the fix for the issue is out.
We use a scoring system, which takes into account the bug's impact on the target host regarding confidentiality and integrity, the access level required by a successful exploit (see CVSS C, I, AC), and its damage potential on our systems (globally). If an attack uses multiple vulnerabilities, we score them individually and sum the points up. Only previously unknown bugs are scored.
In some cases - like when you chain multiple bugs together - bonus points are granted.
We constructed the scoring system to fit our past payouts, but there is no guarantee that future points and actual payouts will match. Also note that we might change the methodology later on. Future changes won't affect the points that were given previously.