
zendesk : Bug Bounty Program – Help Center

The Tumblr Bug Bounty Program was designed for those security-conscious users who help keep the Tumblr community safe from criminals and jerks. If you submit a bug that is within the scope of the program (as defined below), we will gladly reward you for your keen eye. Also, by submitting you agree that your submissions are subject in relevant part to Tumblr’s Application Developer and API License Agreement.

The security of Tumblr and our users is always a top priority for us. We look forward to working with the security community and invite security researchers to report security vulnerabilities that are identified in our products.


Tumblr offers rewards for eligible reporters of qualifying vulnerabilities based on the severity and completeness of the submission, as determined by the Tumblr security team. Awards are granted entirely at the discretion of Tumblr. Rewards may range from Tumblr-branded swag to monetary rewards of up to $5,000 USD. Tumblr will determine, fully in its discretion, whether a reward will be granted and the amount of the reward. The more unique or severe the vulnerability, the higher we will pay. On the other hand, vulnerabilities that require significant or unusual user interaction will receive lower rewards.

Depending on the findings, some awards may be consolidated into a single payout. For example, multiple reports of the same vulnerability across different parameters of a resource, or demonstrations of multiple attack vectors against a single underlying framework issue, may be paid as one bounty.

Eligibility and Responsible Disclosure

We are extremely happy to receive a report from everyone who submits one. However, to be eligible for a reward, you must meet the following criteria:

  • You must be the first to report the issue to us.

  • The issue must be a qualifying vulnerability (see below) and affect an in-scope application (see below).

  • This program does not allow public disclosure of the vulnerability without express permission. If you wish to disclose the report, we require that you ask us first.

Violation of any of these rules can result in ineligibility for a bounty and/or removal from the program.


The following domains and apps are within the scope of the program:

  • www.tumblr.com

  • api.tumblr.com

  • safe.tumblr.com

  • secure.tumblr.com

  • assets.tumblr.com

  • embed.tumblr.com

  • Tumblr for iOS

  • Tumblr for Android

Qualifying Vulnerabilities

Common examples of vulnerabilities that qualify for a reward include, but are not limited to:

  • Cross Site Scripting (XSS)

  • Cross Site Request Forgery (CSRF)

  • Authentication or authorization bypass

  • Remote Code Execution

  • Local or Remote File Inclusion

If you’re unsure of whether or not your issue qualifies, imagine what the attack scenario would be like. For instance, can it negatively affect other Tumblr users?

Exclusions from eligibility

Though every report is reviewed, your submission may not qualify for a monetary reward. At minimum, any report that results in a change will be rewarded with swag.

We request that you refrain from accessing private information or performing actions that may negatively affect other Tumblr users. Additionally, DO NOT submit reports generated by automatic tools without verifying them first.

The following is a list of topics that are excluded from the Tumblr bug bounty program:

  • Non-responsible disclosure

  • Issues that we are already aware of or have been previously reported

  • JavaScript on the Blog Network (e.g. [blog].tumblr.com)

  • “Self” XSS

  • Cross-Site Request Forgery with minimal security impact (e.g. “logout CSRF”)

  • Account enumeration

  • Denial of Service attacks

  • SSL/TLS best practices

  • Incomplete or missing SPF/DKIM

  • General best practice concerns

  • Attacks requiring physical access to a user’s device

  • Social Engineering of Tumblr employees

  • Physical access to Tumblr properties or data centers

  • Reports of spam or copyright material


In connection with your participation in this program you agree to comply with all applicable local and national laws.

Tumblr reserves the right to change or modify the terms of this program at any time.

You may not participate in this program if you are a resident of or an individual located within a country appearing on any U.S. sanctions lists.

Vulnerabilities obtained by exploiting Tumblr users or employees are not eligible for a bounty and may result in immediate disqualification from the program.

Tumblr has never given permission/authorization (either implied or explicit) to an individual or group of individuals to extract personal information or content of Tumblr users and publicize this information on the open, public-facing Internet without user consent, nor has Tumblr ever given permission for programs or data belonging to Tumblr to be modified or corrupted in order to extract and publicly disclose data belonging to Tumblr.

Tumblr employees and contingent workers, as well as their immediate family members and persons living in the same household, are not eligible to receive bounties or rewards of any kind under any Tumblr programs, whether hosted by Tumblr or any third party.

Final notes

We will make the final decision on bug eligibility and value. Don’t treat this program like a game or competition, let alone the foundation of a business plan. The program exists entirely at our discretion and may be canceled at any time. That said, thanks in advance for helping us out here.


This program was crawled on 2015-06-30 and is categorized as a bounty.

FireBounty © 2015-2021
