Maintaining effective security is a community effort, and we are proud to have a vibrant group of independent security researchers who volunteer their time to help us spot potential issues. To recognize their efforts and the important role they play in keeping Twitter safe for everyone, we offer a bounty for reporting certain qualifying security vulnerabilities. Please make sure you review the following program rules before you report a vulnerability. By participating in this program, you agree to be bound by these rules.
Twitter may, at its sole discretion, provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $140 USD. Rewards are typically paid out on Fridays. The following table outlines the nominal rewards for specific classes of vulnerabilities for in-scope properties (see section on Scope).
Category | Examples | Core Twitter | Everything Else
Remote code execution | Command injection | $20,160 | $10,080
Administrative functionality | Access to internal Twitter applications | $12,460 | $6,300
Unrestricted access to data (filesystem, database, etc.) | XXE, SQLi | $12,460 | $6,300
Flaws leaking PII or bypassing significant controls | IDOR, impersonation, sensitive actions by user | $7,700 | $3,920
Account takeover | OAuth vulnerabilities | $7,700 | $3,920
Perform activities on behalf of a user | XSS, Android Intent abuse | $2,940 | $1,540
Other valid vulnerabilities | CSRF, clickjacking, information leakage | $280 - $2,940 | $140 - $1,540
 Core Twitter is defined as anything hosted on
*.periscope.tv, and Twitter owned-and-operated mobile clients.
Twitter may choose to pay higher rewards for unusually clever or severe vulnerabilities or lower rewards for vulnerabilities that require significant or unusual user interaction.
Any design or implementation issue that is reproducible and substantially affects the security of Twitter users is likely to be in scope for the program. Consider what an attack scenario would look like: how might an attacker benefit, and what are the consequences to the victim? The Google Bug Hunters University guide may be useful in considering whether an issue has security impact.
Only reports that meet the following requirements are eligible to receive a monetary reward:
Depending on their impact, issues may qualify for a monetary reward; all reports are reviewed on a case-by-case basis and any report that results in a change being made will at a minimum receive Hall of Fame recognition.
When researching security issues, especially those which may compromise the privacy of others, you must use test accounts in order to respect our users’ privacy. Accessing private information of other users, performing actions that may negatively affect Twitter users (e.g., spam, denial of service), or sending reports from automated tools without verifying them will immediately disqualify the report, and may result in additional steps being taken.
The following issues are outside the scope of our vulnerability rewards program (either ineligible or false positives):
If you believe your account has been compromised, please contact Twitter support directly.
You must comply with all applicable laws in connection with your participation in this program. You are also responsible for any applicable taxes associated with any reward you receive.
We may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively.
Contact us if you want more information.