Canva

Canva is a tool that makes it possible to design anything and publish anywhere. Designing anything happens through web and mobile apps. Publishing anywhere includes online and physical publishing integrations. So there are plenty of areas for you to research.

People trust us with their personal content, business promotions, product info, media assets and more. While people can use Canva for free, they also pay us for access to premium media resources like image libraries, or for enterprise subscriptions that provide advanced tools, workflow management, and team management features.

We take the security of our systems seriously, and we value the security researcher community. Your responsible disclosure of security vulnerabilities by security researchers helps us ensure the security and privacy of our users.

Guidelines

We require that all researchers:

-Include a bug URL in the submission details otherwise the submission will not be accepted

Make a every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing
Perform research only within the scope set out below
Use the identified communication channels to report vulnerability information to us
Use your @bugcrowdninja email address when testing

Thank you for participating, it is your work that will help to keep us secure.

Ratings/Rewards:

For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

Scope and rewards

Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email support@bugcrowd.com. We will address your issue as soon as possible.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.

This bounty requires explicit permission to disclose the results of a submission

In Scope

Scope Type	Scope Name
android_application	Canva (Android)
ios_application	Canva (iOS)
undefined	Canva (Chrome Extension)
undefined	Canva Developer Platform
web_application	*.canva.com
web_application	*.canva.cn
web_application	*.canva-apps.com
web_application	*.canva-apps.cn

Out of Scope

Scope Type	Scope Name
web_application	livecast.canva.cn

This program crawled on the 2020-09-16 is sorted as bounty.