The Tumblr Bug Bounty Program was designed for those security-conscious users
who help keep the Tumblr community safe from criminals and jerks. If you
submit a bug that is within the scope of the program (as defined below), we
will gladly reward you for your keen eye. Also, by submitting you agree that
your submissions are subject in relevant part to Tumblr’s Application
Developer and API License Agreement.
The security of Tumblr and of our users is always a top priority for us. We look
forward to working with the security community and invite security researchers
to report security vulnerabilities that they identify in our products.
Tumblr offers rewards for eligible reporters of qualifying vulnerabilities
based on severity and completeness of the submission, as determined by the
Tumblr security team. Awards are granted entirely at the discretion of Tumblr.
Rewards may range from Tumblr-branded swag to monetary rewards of up to $5,000
USD. Tumblr will determine, fully in its discretion, whether a reward will be
granted and the amount of the reward. The more unique or severe the
vulnerability, the higher we will pay. On the other hand, vulnerabilities that
require significant or unusual user interaction will receive lower rewards.
Depending on the findings, some awards may be consolidated into a single
payout: for example, multiple reports of the same vulnerability across
different parameters of a single resource, or demonstrations of multiple attack
vectors that all stem from one underlying framework issue.
We are extremely happy to receive a report from everyone who submits one.
However, to be eligible for a reward, you must meet the following requirements:
You must be the first to report the issue to us.
The issue must be a qualifying vulnerability (see below) and affect an in-scope application (see below).
This program does not allow public disclosure of the vulnerability without express permission. If you wish to disclose the report, we require that you ask us first.
Violation of any of these rules can result in ineligibility for a bounty
and/or removal from the program.
The following domains and apps are within the scope of the program:
Tumblr for iOS
Tumblr for Android
Common examples of vulnerabilities that qualify for a reward include, but are
not limited to:
Cross Site Scripting (XSS)
Cross Site Request Forgery (CSRF)
Authentication or authorization bypass
Remote Code Execution
Local or Remote File Inclusion
If you’re unsure whether or not your issue qualifies, imagine what the attack scenario would be like. For instance, can it negatively affect other Tumblr users?
Though every report is reviewed, your submission may not qualify for a
monetary reward. At minimum, any report that results in a change will be
rewarded with swag.
We request that you refrain from accessing private information or performing
actions that may negatively affect other Tumblr users. Additionally, DO NOT
submit reports generated by automatic tools without verifying them first.
The following is a list of topics that are excluded from the Tumblr bug bounty program:
Issues that we are already aware of or have been previously reported
Cross-Site Request Forgery with minimal security impact (e.g. “logout CSRF”)
Denial of Service attacks
SSL/TLS best practices
Incomplete or missing SPF/DKIM
General best practice concerns
Attacks requiring physical access to a user’s device
Social Engineering of Tumblr employees
Physical access to Tumblr properties or data centers
Reports of spam or copyright material
In connection with your participation in this program you agree to comply with
all applicable local and national laws.
Tumblr reserves the right to change or modify the terms of this program at any time.
You may not participate in this program if you are a resident or individual
located within a country appearing on any U.S. sanctions lists.
Vulnerabilities obtained by exploiting Tumblr users or employees are not
eligible for a bounty and may result in immediate disqualification from the program.
Tumblr has never given permission/authorization (either implied or explicit)
to an individual or group of individuals to extract personal information or
content of Tumblr users and publicize this information on the open, public-
facing Internet without user consent, nor has Tumblr ever given permission for
programs or data belonging to Tumblr to be modified or corrupted in order to
extract and publicly disclose data belonging to Tumblr.
Tumblr employees and contingent workers, as well as their immediate family
members and persons living in the same household, are not eligible to receive
bounties or rewards of any kind under any Tumblr programs, whether hosted by
Tumblr or any third party.
We will make the final decision on bug eligibility and value. Don’t treat this
program like a game or competition, let alone the foundation of a business
plan. The program exists entirely at our discretion and may be canceled at any
time. That said, thanks in advance for helping us out here.
This program page was crawled on 2015-06-30 and is categorized as a bounty program.