2018-12-12
2020-04-07
Reward: 100 $

Grammarly

Security and privacy are core concepts at Grammarly. Grammarly looks forward to working with the security community to find security vulnerabilities in order to keep our business and customers safe.

Rules for us

  • We offer a safe harbor (defined below) to all activities that are consistent with this policy.

  • We respect the time and effort of our researchers.

  • We will do our best to keep you informed about our progress throughout the process.

  • We will try to award a bounty for a successfully validated report within 3 days after triage.

  • We will not respond to threats or negotiate under duress.

Rules for you

  • Be an ethical hacker.

  • Respect privacy: Only interact with test Grammarly accounts you own.

  • Avoid testing that would result in privacy violations, destruction of data, or interruption or degradation of our service.

  • Contact us immediately if you inadvertently encounter user data. Do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local information upon reporting the vulnerability to Grammarly.

  • Follow disclosure guidelines during the triage and after the successful remediation of the vulnerability.

Grammarly CTF - $100K bounty

The first hacker who reports the $FLAG saved in the document (document_id: 1198436185) of the user h1_ctf@grammarly.com (user_id: 1411519194) will be awarded a $100K bounty.

Scope

  • *.grammarly.com (see the program's list of *.grammarly.com subdomains).

  • *.grammarly.io

  • *.grammarlyaws.com

  • *.grammarly.ai

  • Browser Extensions for Chrome, Safari, Firefox, Edge

  • Grammarly Desktop – desktop applications for macOS and Windows. Windows app requires at least Windows 10 version 1903 to run.

  • Grammarly Editor for Microsoft Windows and macOS – Electron-powered desktop application for macOS and Windows. Only security issues with the “Network” attack vector are eligible for reporting.

  • Add-On for Microsoft Word and Outlook - Grammarly add-on for MS Word and Outlook for Windows, powered by .NET.

  • Add-On for Microsoft Word - Grammarly add-on for MS Word for macOS and Windows, powered by JS SDK.

  • Mobile keyboards and applications for Android and iOS

> Vulnerabilities in the Grammarly Keyboard for Android with a working proof of concept may qualify for an additional bounty through the Google Play Security Rewards Program. To see which vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s Vulnerability Criteria.

Rewards

  • We determine the value of the reward based on the impact and severity of the reported vulnerability. The final reward decisions are up to the discretion of the Grammarly Security team.

  • When duplicates (including internally known issues) occur, we only award the first report that we receive.

  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.

Common vulnerabilities excluded from the scope

  • Social engineering (e.g., phishing, vishing, smishing) of Grammarly employees and users is strictly prohibited.

  • Clickjacking, CSRF, and content spoofing issues without demonstrable security impact.

  • CSV injection.

  • Publicly known vulnerable libraries without a working Proof of Concept.

  • Stack traces, path disclosure, and directory listings.

  • Self-XSS or having a user paste JavaScript into the browser console.

  • Vulnerabilities in outdated versions of Grammarly software.

  • Issues relating to non-Grammarly products.

  • Any activity that could lead to the disruption of our service (DoS).

  • Reports that include only crash dumps or other automated tool output without proof-of-concept code.

  • Open ports scanning, banner grabbing, and software version disclosure issues.

  • MITM attacks on secure connections and “Mixed Content” issues.

  • Vulnerabilities that require root-level permissions or physical access to a targeted device.

  • Issues that affect only outdated user agents or unsupported platforms.

  • Issues related to the missing address bar in Grammarly’s desktop app.

Non-qualifying best practices

  • Missing cookie flags on non-authentication cookies.

  • Missing best practices in DNS configuration (e.g., DKIM/DMARC/SPF/TXT).

  • Missing best practices in SSL/TLS configuration.

  • Missing best practices in Content Security Policy (CSP) or lack of other security-related headers.

  • Leakage of sensitive tokens (e.g., password reset tokens) to trusted third parties over a secure connection (HTTPS).

Non-qualifying business issues

  • Institution access code enumeration or demonstrating access codes leaked in internet forums.

  • Credential re-usage from public dumps.

  • UUID enumeration of any kind.

  • Ability to determine if a username or email has a Grammarly account, also known as an account oracle.

  • Signing up with multiple accounts to abuse referral code usage.

  • Password length, complexity, and re-use requirements.

  • Email verification feature.

  • Sharing Premium accounts with other users isn’t considered a monetary impact.

Thank you for helping keep Grammarly and our users safe!

Consequences of complying with this policy a.k.a. Safe Harbor

We will not pursue a civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistently with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Terms of Service, we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.

If legal action is initiated by a third party against you and you have complied with Grammarly’s bug bounty policy, Grammarly will take steps to make it known that your actions were conducted in compliance with this policy.

Please submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.

In Scope

Scope Type           Scope Name
android_application  com.grammarly.android.keyboard
application          Grammarly for Microsoft Word
application          Grammarly Editor for MacOS
application          Grammarly Editor for Windows
application          Grammarly Desktop for Windows
application          Grammarly Desktop for macOS
ios_application      com.grammarly.keyboard
other                MS Office Add-In
other                Browser Extensions
other                Capture the Flag
web_application      *.grammarly.io
web_application      grammarly.ai
web_application      *.grammarlyaws.com
web_application      *.grammarly.com

Out of Scope

Scope Type           Scope Name
other                Third party external services

FireBounty crawled the program Grammarly on the platform HackerOne on 2018-12-12.