At Snapchat, we are looking forward to fostering new relationships with the security community. Our security team reviews all vulnerability reports and acts upon them in accordance with responsible disclosure.

Eligibility

To qualify for a reward under this program, you must:

• Be the first to report a specific vulnerability.

• Send a clear textual description of the report along with steps to reproduce the vulnerability. Include attachments such as screenshots or proof of concept code as necessary.

• Disclose the vulnerability report responsibly to us. Public disclosure or disclosure to other third parties - including vulnerability brokers - before we addressed your report forfeit the reward.

• Demonstrate care in reproducing the vulnerability. In particular, test only on accounts you own and do not attempt to view or tamper with data belonging to others.

Rewards

We will reward reports according to their severity on a case-by-case basis as determined by our security team. We may pay more for unique, hard-to-find bugs; we may also pay less for bugs with complex prerequisites that lower risk of exploitation. Our minimum reward is $250 USD.

We are particularly interested in the following categories of security bugs. Here are the current minimum payments for each:

| Severity | Vulnerability | Minimum[1] |

| ------------- |:------------- |:-------------:|

| Critical | Server-Side Remote Code Execution (e.g. command injection) | $35,000 |

| | Remote Code Execution on Spectacles | $25,000 |

| High | Significant Authentication Bypass / Logic Flaw | $15,000 |

| Medium | Unrestricted File System Access (Server-side or Spectacles) | $10,000 |

| Low | XSS or XSRF With Significant Security Impact | $4,000 |

[1] Note that these minimums are for Snapchat’s core applications and websites as listed in the “In Scope” section below. Bounties for non-core websites may vary and be lower than the minimums listed in this table. This depends on the nature of the non-core website and is subject to the discretion of the reward panel. For example, if a non-core website is going to be deprecated, a bug in this non-core website may be considered to be lower priority than a bug in our core applications or websites as listed above. This will be reflected in the bounty amount.

Certain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s Scope and Vulnerability Criteria.

Non-qualifying vulnerabilities and exclusions

• Social engineering attempts on our staff including phishing emails

• Attempts to access our offices or data centers

• Vulnerabilities in a vendor we integrate with

• Use of automated tools that could generate significant traffic and possibly impair the functioning of our application

• Reports solely indicating a lack of a possible security defense such as certificate pinning. We constantly make security improvements to our product offering.

• Screenshot detection avoidance. This exclusion may be lifted under reasonable constraints in the future.

• Two-factor authentication bypass that requires physical access to a logged-in device.

• Scan's mobile and desktop applications are not currently in scope.

• Attacks that require physical access to or modification of the hardware are not in scope

• The mostly static support website hosted on https://support.snapchat.com/ is not in scope.

• The Spectacles charging case is not in scope.

• Vulnerabilities that are already known (e.g. discovered by an internal team)

• Passive mixed content on web pages

• Open redirect with low security impact. If you can chain with other vulnerabilities (e.g. steal OAuth tokens, SSRF, etc.) we are still interested in hearing about them.

• Generic information disclosure(e.g. Stack trace) without additional impact

• Issues that merely result in spam/annoyance without additional impact (e.g sending emails without sufficient rate limiting)

• For desktop applications (e.g. Snap Camera), local user attackers, i.e. control of a local user account to get privilege escalation.

• Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.

Additionally, the following reports do not qualify for a reward:

• Lack of email address verification during account registration. We are currently making improvements to our registration flow.

• Local access to user data when operating a rooted mobile device.

• Tampering with the host header in the request and receiving a redirect to a safe domain. This is handled by Google AppEngine itself; it is not specific to Snapchat and we do not find issues with it.

• Support for RC4 in SSL/TLS negotiation. For our domains scoped in this rewards program, SSL/TLS is handled by Google AppEngine itself and Google routinely reviews its cipher suite support.

Legal

If you’re on a sanctions list, or live in a country that’s on a sanctions list, we cannot give you a reward. Keep in mind that your citizenship and residency may affect whether you owe taxes on any reward you receive, and you alone are responsible for paying those taxes.

We, of course, reserve the right to cancel or modify this program at any time. And the ultimate decision over an award --whether to give one and in what amount-- is a decision that lies entirely within our discretion.

Finally, and needless to say, please do not violate any laws when conducting your tests.