A vulnerability disclosure policy (VDP), also referred to as a responsible disclosure policy, describes how an organization will handle reports of vulnerabilities submitted by ethical hackers. A VDP should therefore be easy to find, and the standard way to publish its location is a security.txt file.
Contact: mailto:vulnerabilities@strava.com
Preferred-Languages: en
Encryption: https://keys.openpgp.org/vks/v1/by-fingerprint/198819A2227BCA4B1E059691E4D25BF811E7612D
Expires: 2026-10-31T00:00:00.000Z

# Policy

## Reporting abusive behavior, spam, etc.

Please visit https://support.strava.com/ and follow the instructions there to report any issues that do not have security impact.

## Reporting a security issue

Please contact the email address in this file, following the report formatting instructions below under "Formatting an acceptable vuln report". Happy hunting :)

## Formatting an acceptable vuln report

Please help us help you by ensuring that we can validate and reproduce the issue(s) you have found! So that we can validate your report, please ensure your report includes the following components:

- issue scope (to a subdomain, an endpoint(s), a client(s), etc.),
- a description of what you expected to or assumed would occur,
- a description of what actually happened when you tested,
- all needed reproduction steps to cause the issue,
- any payload(s) needed for reproduction,
- a description of impact (i.e., why you believe the issue you found negatively impacts Strava or Strava athletes' security or privacy), and finally
- a screenshot or a short screen-capture video showing the issue.

If you'd like to report vulns on a more regular basis, please follow the instructions below under "Bug bounty program".

## Bug bounty program

Strava's bug bounty program (BBP) is on HackerOne. In order to join our BBP, please follow the formatting instructions in this file to submit an initial vulnerability report. Your addition to the BBP on a regular basis depends on the quality and professionalism of your reporting, and of your communication with Strava more generally.

Note that just asking to be added to the BBP (i.e., *without* submitting an initial report) is against HackerOne rules and the rules of our program, will *not* result in your addition to the program, and could potentially result in your account being reported to HackerOne. Strava may remove any researcher from our BBP at any time without notice.

## BBP evaluation and rewards

Generally, vuln reports which:

- are received via the email address in this file or our HackerOne program,
- AND adhere to our program scope,
- AND adhere to the format noted in "Formatting an acceptable vuln report",
- AND can be validated by HackerOne triage and Strava

can be considered for a potential reward. If a report is rewarded, the reward amount will be calculated following the scale published on Strava's HackerOne program page. This reward scale is currently based on CVSS 3.0 severity as calculated by the security researcher and adjusted by HackerOne and Strava as part of the report evaluation process. Also note that obviously AI-generated reports, reports on out-of-scope assets, and reports containing unprofessional language will be closed N/A without guarantee of further review.
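Because the security.txt file is what makes a VDP discoverable, the following added example (not part of this page or of Strava's program) shows how a defender or tooling author would parse such a file and run the basic RFC 9116 checks: the required Contact and Expires fields are present, Expires is an RFC 3339 timestamp that has not passed, Contact and the web-URL fields use the expected URI schemes, and any line that is neither a comment nor a field is reported. The first sample reuses the field lines from the record above; the second is a constructed, deliberately broken record. Field names, scheme rules and the reference dates are the example's own choices.

```python
"""Parse and sanity-check a security.txt file (RFC 9116).

Added example, not part of the page or of Strava's policy. SAMPLE_OK is
built from the field lines shown on the page; SAMPLE_BAD is constructed.
"""
from __future__ import annotations

import re
from datetime import datetime, timezone
from urllib.parse import urlparse

REQUIRED = ("Contact", "Expires")
# Field names RFC 9116 defines; names match case-insensitively, so keep a lookup table.
CANONICAL = {n.lower(): n for n in REQUIRED + (
    "Acknowledgments", "Canonical", "Encryption", "Hiring", "Policy", "Preferred-Languages")}
FIELD_LINE = re.compile(r"^([A-Za-z0-9-]+):\s*(.*)$")


def parse_security_txt(text: str) -> tuple[dict[str, list[str]], list[str]]:
    """Split the file into ({field: [values]}, [malformed lines]).

    Comments ('#') and blank lines are skipped. The RFC allows nothing else,
    so a line that is not 'Name: value' is reported instead of dropped.
    """
    fields: dict[str, list[str]] = {}
    malformed: list[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = FIELD_LINE.match(line)
        if not m:
            malformed.append(line)
            continue
        name = CANONICAL.get(m.group(1).lower(), m.group(1))
        fields.setdefault(name, []).append(m.group(2).strip())
    return fields, malformed


def check_security_txt(text: str, now: datetime) -> list[str]:
    """Return human-readable problems; an empty list means the file passed.

    `now` must be timezone-aware so it can be compared with Expires.
    """
    fields, malformed = parse_security_txt(text)
    problems = [f"malformed line: {line!r}" for line in malformed]
    for name in REQUIRED:
        if name not in fields:
            problems.append(f"missing required field: {name}")
    expires = fields.get("Expires", [])
    if len(expires) > 1:
        problems.append("Expires must appear exactly once")
    for value in expires:
        try:
            # fromisoformat() on Python < 3.11 rejects a trailing 'Z'.
            when = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not ISO 8601: {value!r}")
            continue
        if when.tzinfo is None:
            problems.append("Expires must include a timezone offset")
        elif when <= now:
            problems.append(f"file expired at {value}")
    for value in fields.get("Contact", []):
        if urlparse(value).scheme.lower() not in {"mailto", "tel", "https"}:
            problems.append(f"Contact must be a mailto:, tel: or https: URI: {value!r}")
    # Web-URL fields must be served over https per RFC 9116.
    for name in ("Acknowledgments", "Canonical", "Hiring", "Policy"):
        for value in fields.get(name, []):
            if urlparse(value).scheme.lower() != "https":
                problems.append(f"{name} must be an https:// URL: {value!r}")
    return problems


# Field lines as published on this page (machine-readable part only).
SAMPLE_OK = """\
Contact: mailto:vulnerabilities@strava.com
Preferred-Languages: en
Encryption: https://keys.openpgp.org/vks/v1/by-fingerprint/198819A2227BCA4B1E059691E4D25BF811E7612D
Expires: 2026-10-31T00:00:00.000Z
# Policy
## Reporting a security issue
"""

# Constructed counter-example: a bare e-mail address, an http: Policy URL,
# a free-text line that is not a field, and no Expires at all.
SAMPLE_BAD = """\
Contact: security@example.invalid
Policy: http://example.invalid/vdp
Please email us if you find something.
"""


def demo() -> dict[str, list[str]]:
    """Run both samples at fixed reference times so results are reproducible."""
    before = datetime(2025, 1, 1, tzinfo=timezone.utc)
    after = datetime(2027, 1, 1, tzinfo=timezone.utc)
    return {
        "ok_before_expiry": check_security_txt(SAMPLE_OK, before),
        "ok_after_expiry": check_security_txt(SAMPLE_OK, after),
        "bad": check_security_txt(SAMPLE_BAD, before),
    }


if __name__ == "__main__":
    for label, problems in demo().items():
        print(label, "->", problems or "passed")
```

Lines that are neither comments nor `Name: value` fields, such as free-text policy paragraphs, come back as malformed; that is the usual reason to keep the human-readable policy behind a `Policy:` URL and leave the file itself to the fields. The fixed reference dates in `demo()` exist only to make the expiry check reproducible; a real monitor would pass `datetime.now(timezone.utc)`.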
This policy was crawled by Onyphe on 2023-05-01 and is categorized as securitytxt.
FireBounty © 2015-2026