Program Rules

Maintaining effective security is a community effort, and we are proud to have a vibrant group of independent security researchers who volunteer their time to help us spot potential issues. To recognize their efforts and the important role they play in keeping Twitter safe for everyone we offer a bounty for reporting certain qualifying security vulnerabilities. Please make sure you review the following program rules before you report a vulnerability. By participating in this program, you agree to be bound by these rules.

Rewards

Twitter may, at its sole discretion, provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $140 USD. Rewards are typically paid out on Fridays. The following table outlines the nominal rewards for specific classes of vulnerabilities for in-scope properties (see section on Scope).

Category | Examples | Core Twitter[1] | Everything Else
---|---|---|---
Remote code execution | Command injection | $20,160 | $10,080
Administrative functionality | Access to internal Twitter applications | $12,460 | $6,300
Unrestricted access to data (filesystem, database, etc.) | XXE, SQLi | $12,460 | $6,300
Flaws leaking PII or bypassing significant controls | IDOR, impersonation, sensitive actions by user | $7,700 | $3,920
Account takeover | OAuth vulnerabilities | $7,700 | $3,920
Perform activities on behalf of a user | XSS, Android Intent abuse | $2,940 | $1,540
Other valid vulnerabilities | CSRF, clickjacking, information leakage | $280 - $2,940 | $140 - $1,540

[1] Core Twitter is defined as anything hosted on *.twitter.com, *.pscp.tv, *.periscope.tv, and Twitter owned-and-operated mobile clients.

Twitter may choose to pay higher rewards for unusually clever or severe vulnerabilities or lower rewards for vulnerabilities that require significant or unusual user interaction.

Report Eligibility

Any design or implementation issue that is reproducible and substantially affects the security of Twitter users is likely to be in scope for the program. Consider what an attack scenario would look like, and how an attacker might benefit? What are the consequences to the victim? The Google Bug Hunters University guide may be useful in considering whether an issue has security impact.

Only reports that meet the following requirements are eligible to receive a monetary reward:

• You must be the first reporter of the vulnerability
• The vulnerability must demonstrate security impact to a site or application in scope (see below)
• You must not have compromised the privacy of our users or otherwise violated the Twitter Rules
• You must not have publicly disclosed the vulnerability prior to the report being closed, in compliance with the process described in the HackerOne Vulnerability Disclosure Guidelines
• We are not legally prohibited from rewarding you

Depending on their impact, issues may qualify for a monetary reward; all reports are reviewed on a case-by-case basis and any report that results in a change being made will at a minimum receive Hall of Fame recognition.

When researching security issues, especially those which may compromise the privacy of others, you must use test accounts in order to respect our users’ privacy. Accessing private information of other users, performing actions that may negatively affect Twitter users (e.g., spam, denial of service), or sending reports from automated tools without verifying them will immediately disqualify the report, and may result in additional steps being taken.

The following issues are outside the scope of our vulnerability rewards program (either ineligible or false positives):

• Attacks requiring physical access to a user's device
• Any physical attacks against Twitter property or data centers
• Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability)
• Logout CSRF
• Password and account recovery policies, such as reset link expiration or password complexity
• Invalid or missing SPF (Sender Policy Framework) records
• Content spoofing / text injection
• Issues related to software or protocols not under Twitter control
• Reports of spam (see here for more info )
• Bypass of URL malware detection
• Vulnerabilities only affecting users of outdated or unpatched browsers and platforms
• Social engineering of Twitter staff or contractors
• Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages
• Issues that result in Denial of Service (DoS) to Twitter's servers at the network or application layer.

If you believe your account has been compromised, please contact Twitter support directly .

Fine Print

You must comply with all applicable laws in connection with your participation in this program. You are also responsible for any applicable taxes associated with any reward you receive.

We may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively.