Banner object (1)

Hack and Take the Cash !

844 bounties in database
  Back Link to program      
PullString logo
Hall of Fame


100 $ 


While no technology is perfect, PullString believes that working with skilled security researchers across the globe is crucial to identifying and addressing weaknesses. PullString practices a Responsible Disclosure policy. If you believe you have found a security issue in our products or service, we encourage you to notify us. We will work closely with you to resolve the issue promptly.

Responsible Disclosure Policy

  • Let us know as soon as possible upon discovery of a potential security issue.
  • Please include as many technical details as possible so that our security team can reproduce and confirm the issue in question.
  • Once a security issue has been confirmed, our goal is to issue an update for the affected product(s) within 60 days. However, please provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
  • Posting details or conversations about a report before it has been approved for disclosure, especially for high-severity bugs, will result in immediate disqualification from the program.

Bounty Program

To show our appreciation of responsible security researchers, PullString offers a monetary bounty for reports of qualifying security vulnerabilities. Reward amounts will vary based upon the severity of the reported vulnerability. Eligibility and award size is at our sole discretion.

Eligibility Requirements

  • Open to anyone in the security community
  • Employees and contractors of PullString are ineligible to claim bounties but may submit bug reports


Qualifying bugs will be rewarded based on severity. Our minimum reward is $100 USD, and our maximum reward is $5,000 USD. Rewards are only granted for new and previously unidentified vulnerabilities and are granted entirely at the discretion of PullString.


Any PullString service or product that handles sensitive user data is intended to be in scope. The primary such product is the PullString Converse web app at __. The Converse app does not offer a free trial so security researchers must first contact us and provide an email address to receive an account invitation.

We cannot grant authorization to test services managed by third-party providers, so any third-party services that PullString uses are specifically excluded from the scope of this program, such as __or __. This also includes our marketing site, __, which is hosted on a third-party service where we have very limited control over the security settings.

Qualifying Vulnerabilities

Any design or implementation issue that substantially affects the confidentiality or integrity of user data is likely to be in scope for the program. Common examples include:

  • Cross-site scripting
  • SQL injection
  • Authentication or authorization flaws
  • Server-side code execution bugs
  • Privilege escalation


The following conditions are out of scope for purposes of the bug bounty program and are not eligible for a bounty payment:

  • User enumeration or brute forcing account passwords
  • Cross-site Request Forgery
  • Reports mentioning SSL/TLS or HTTPS best practices
  • Reports mentioning weaknesses in SSL/TLS ciphersuites
  • Reports mentioning SPF, DKIM, or DMARC policies
  • Missing cookie flags on non-sensitive cookies
  • Missing HTTP security headers
  • Distributed Denial of Service (DDoS) or other high-volume network attacks
  • Spamming
  • Manipulating or replacing components of any hardware based products
  • Any vulnerability obtained through the compromise of a PullString employee or contractor account. This type of activity will result in immediate and permanent disqualification from the program.
  • Any vulnerability found through automated tools, port scans, or other means of large automated exploitation.
  • Social engineering (including phishing) of PullString staff or contractors
  • Any physical attacks against PullString property or data centers
  • Any infringement of a third party’s intellectual property
  • Services that are not managed by PullString
  • Mattel websites and services

Legal Considerations

  • Do not break the law
  • We cannot reward individuals on sanction lists or who are residing in countries on sanction lists
  • Avoid privacy violations, downloading personally identifiable information, destruction of data, and interruption or degradation of our service
  • Only interact with accounts and hardware products you own or with explicit permission of the account holder

Thank you for helping keep PullString and our users safe!

FireBounty © 2015-2019

Legal notices