Trustpilot looks forward to working with the security community to find
security vulnerabilities in order to keep our business, customers and
reviewers safe. Trustpilot will make a reasonable effort to respond to
incoming reports within five (5) business days. Bounty classification will be
confirmed after validating a legitimate security issue and identifying a
feasible fix. We will do our best to keep you informed about our progress
throughout the process.
- Social engineering (such as phishing, vishing, smishing) is strictly prohibited.
- Follow HackerOne's disclosure guidelines
- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the finding will not be eligible for a reward.
- Submit one vulnerability per report, unless you can chain the vulnerabilities and clearly demonstrate the chain.
- In the event of duplicate findings on the same vector, we only award the first report that was received (provided that it can be fully reproduced).
- Multiple vulnerabilities caused by the same attack vector will be awarded one bounty.
- Amounts below mentioned under “Rewards” is the range we will pay per category. We aim to be fair and all final reward amounts are at Trustpilot’s sole discretion.
- We award bounties at time of fix, and aim to keep you posted as we work to resolve them.
- Provide reasonable amount of time for us to assess and/or resolve the reported finding.
- Disclosure to the public or a third-party requires prior written approval from Trustpilot.
- You are prohibited from taking any actions that will violate the privacy of our customers, users, or employees, destroy data, or interrupt or degrade our service. Only interact with accounts you own or with explicit permission of the account holder.
- Spamming other users with automated Trustpilot emails or notifications is strictly prohibited. (e.g. abusing the forgot password form on accounts not your own).
- Reports received prior to our bug bounty program launch are not eligible for resubmission, as we have already responded to these via direct communication.
- Please delete test data (where possible) once you are done testing.
Please check the listed assets, below.
Bugs in third party services should be reported directly to the them
respectively, unless the bug relates to our implementation of the service.
Out of scope vulnerabilities
When reporting vulnerabilities, please consider (1) attack scenario /
exploitability, and (2) security impact of the bug. The following issues are
considered out of scope, thus please refrain from:
- Cookie security issues for non-session cookies
- Missing HTTP security headers
- Denial of service (DoS & DDoS attacks are strictly not permitted)
- Rate limiting issues
- Social engineering (including phishing) of Trustpilot staff or contractors
- Any physical attempts against Trustpilot property or datacenters
- Mass/bulk user profile creation.
- Interacting with other accounts without the consent of their owners. Test only with your own user profiles when researching bugs.
- window.opener (related issues)
- SSL/TLS related configuration issues
- Defence in-depth issues
- Logout CSRF
- Automated tool reports
- Presence of autocomplete on web forms
- Attacks only exploitable on older browsers
- Open redirects - unless they can be used for actively stealing tokens
- Reports stating software is out of date or vulnerable without a proof of concept
- Best practice concerns
- Disclosure of known public files or directories. (Eg. S3)
- Lack of Secure and HTTPOnly cookie flags.
- XSS against sidebar elements. (Unless type: critical ) [Revamping our html dependancies on the sidebar is being currently worked on]
- Privilege escalation by means of exposing hidden UI elements within *.b2b.trustpilot.com.
- Requesting account upgrades for deeper product testing.
- Claiming email provider using matching domain
Thank you for your time and for helping to keep Trustpilot and our users safe!
Hall of Fame