Banner object (1)

4217 policies in database
  Back Link to program      
Dashlane logo
Hall of Fame


100 $ 


Dashlane recognizes the importance of security researchers in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page. If you believe you've found a security bug in our service, we are happy to work with you to resolve the issue promptly and ensure you are fairly rewarded for your discovery.

Coordinated Disclosure Guidelines

  • Please let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly correct the issue.
  • Provide us a reasonable amount of time to respond and/or fix the issue.
  • Make a good faith effort to not leak, manipulate, or destroy any user data. Please only test against accounts you own yourself or with explicit permission of the account holder.
  • Please refrain from automated/scripted account creation.


At this time, the scope of our bug bounty program includes ::

  • The autofill/autologin ability of our extensions : Especially any vulnerability that could allow a remote attacker to force the extensions to send credentials to a rogue site.
  • Our website, , in particular:
  • Our APIs endpoints:
  • The native client applications on Mac OS and Windows.
  • The native client application on IOS
  • The native client application on Android
  • Our standalone extensions (chrome, edge, FF), see the asset section.
  • The business features (SAML, Group sharing, Emergency, etc.).

Bounty Eligibility

Dashlane may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $100 USD, but reward amounts may vary depending upon the severity of the vulnerability reported. Dashlane reserves the right to decide if the minimum severity threshold is met and whether it was previously reported.

To qualify for a reward under this program, you should:

  • Be the first to report a specific vulnerability.
  • Send a clear textual description of the report along with steps to reproduce the vulnerability. Include attachments such as screenshots or proof of concept code as necessary.
  • Disclose the vulnerability report directly and exclusively to us. Public disclosure or disclosure to other third parties -- including vulnerability brokers -- before we addressed your report will forfeit the reward.
  • Don't use youtube or any public service even unlisted to post videos
  • Create one report by vulnerability


  • All the hosts not listed bellow (please don't send reports for unlisted hosts)
  • Content spoofing (urls in invites, etc.)
  • Missing security headers which do not lead directly to a vulnerability
  • Self inflicted XSS
  • Missing best practices (we require evidence of a security vulnerability)
  • Missing cookie flags on non-sensitive cookies
  • Any report that discusses how you can learn whether a email address has a Dashlane account.
  • Disclosure of tools, libraries used by Dashlane and/or their versions
  • The "limited access" feature for the shared credentials can be circumvented ( )
  • Bugs that involve physical attacks or social engineering against Dashlane offices or employees, spamming, malware distribution, or denial of service attacks.
  • The referral program allows to obtain 6 month free membership (cumulative until 2 years) for each invite (on purpose)
  • Attacks on desktop apps that require prior control of the host system (keylogger, memory dumping).
  • For subdomain takeovers related issues, please check your claim before reporting to avoid false positives.
  • SPF/DMARC remarks
  • Any reports that cover issues that are not in the scope of this program will be closed as N/A
  • Dead Linkedin links in our Team page ( ), we do our best to keep it up to date and we don't think that H1 researchers squatting team profile is a useful for anyone.
  • Expired certificates

If you discover an out-of-scope bug in Dashlane while looking for security issues, you can report it to us by emailing our support team at or

Thank you for helping keep Dashlane safe!

In Scope

Scope Type Scope Name






mobile_applications manager/9pp8m6lpfkgf


It 's the standalone edge extension manager/9pp8m6lpfkgf






web_application manager/fdjamakpfbbddfjaooikfcpapjohcfmg

This program feature scope type like ios_application, application, mobile_applications, web_application, android_application.

FireBounty © 2015-2020

Legal notices