Banner object (1)

Hack and Take the Cash !

822 bounties in database
  Back Link to program      
Smartsheet logo
Hall of Fame


50 $ 


Smartsheet is a cloud-based work execution platform that empowers collaboration, drives better decision making, and accelerates innovation for over 78,000 brands in 190 countries, including more than 75% of the Fortune 500. Smartsheet complements existing enterprise investments by deeply integrating with applications from Microsoft, Google, Salesforce, Jira, Slack and many others.

We appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. Being proactive rather than reactive to emerging security issues is a foundational belief at Smartsheet. Every day new security issues and attack vectors emerge. Smartsheet strives to keep abreast of the latest security developments by, in part, working with world-class security researchers and companies. We appreciate the community's efforts in creating a more secure world.

Response Targets

Smartsheet will make a best effort to meet the following response targets for hackers participating in our program:

  • Time to first response (from report submit) - 2 business days
  • Time to triage (from report submit) - 2 business days
  • Time to first Smartsheet response (from triage) - 5 business days

We’ll try to keep you informed about our progress throughout the process.


Our bounty table provides general guidelines, and all final decisions are at the discretion of Smartsheet.
Well written submissions and friendly hackers may be subject to additional rewards.

Bounty Reward Ranges

Priority | Critical Severity | Low Severity Targets
Critical | $1250 - $2500 | $600 - $1000
High | $750 - $1500 | $350 - $750
Medium | $200 - $850 | $150 - $500
Low | $50 - $250 | $50 - $200
Informational | $0 | $0

Targets and Test Plan

Only test accounts, unless otherwise specified.
More detailed access instructions and documentation can be found in the Structured Scope section of this brief. __
[ __](


Focus Areas

  • Account Takeover (do not test against customer accounts)
  • Privilege Escalation
  • Customer information disclosure and manipulation

Program Rules

  • Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the report will not be eligible for a reward.
  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
  • When duplicates occur, we will only award the first report that was received (provided that it can be fully reproduced).
  • Multiple issues that are caused by a single underlying vulnerability will be awarded one bounty or marked as duplicates at the discretion of Smartsheet.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.


  • No DoS & DDoS testing
  • No Non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
  • Automated scanners MUST BE single threaded / rate limited
  • Only test against Smartsheet accounts that belong to you
  • Only test against public web-forms that belong to your test account. (Early Adopter Program, Abuse Report, Contact Me forms, Feedback Forms, etc. are out of scope.)

Out of Scope / Not applicable

  • Executables as attachments.
  • Attacks requiring MITM or physical access to a user's device
  • Best practices in SSL/TLS configuration
  • Clickjacking on pages with no sensitive actions
  • Unauthenticated/logout/login CSRF
  • CSRF on public (published and embedded) sheets
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
  • Previously known vulnerable libraries without a working Proof of Concept
  • Comma Separated Values (CSV) injection without demonstrating a vulnerability
  • Spam and Email Abuse

Accepted Business Risks

  • Enumeration or disclosure of users and groups within own organization

Disclosure Policy

  • Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Smartsheet.
  • We practice the mutual agreement __disclosure process.
  • Follow HackerOne's disclosure guidelines __.

Legal Stuff

As a condition of participation in this program, you hereby grant Smartsheet, its affiliates, and customers a perpetual, irrevocable, worldwide, royalty- free, transferable, sub-licensable (through multiple tiers) and non-exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create a derivative work form, make, use, sell, offer for sale and import the Submission, as well as any materials submitted to Smartsheet in connection therewith, for any purpose.

You must comply with all applicable laws in connection with your participation in this program. As well, this program is not an offer of employment, nor of a contractual relationship between Smartsheet and any other party. You are also responsible for any applicable taxes associated with any reward you receive.

Do not access customer or employee personal information, pre-release Smartsheet content, or Smartsheet confidential information. You may only exploit, investigate, or target security bugs against your own accounts and/or your own devices. Testing must not violate any law, or disrupt or compromise any data or access data that is not yours; intentional access of customer data other than your own is prohibited. In the event that you access data that is not your own, please stop testing and submit the vulnerability, even if the finding is incomplete.

We may modify the terms of this program or terminate this program at any time. We will not apply changes to this program retroactively.

In Scope

Scope Type Scope Name





Sign into the application. __


Release Notes. __


Sign up for a non-expiring developer account using your email. __



Checkout platform features. __


API documentation found here. __


How to generate API token __

This programe feature scope type like web_application.

FireBounty © 2015-2020

Legal notices