RealSelf is the leading and most trusted source for people considering an elective cosmetic treatment. More than ten years ago, we built RealSelf as the destination for people to learn about cosmetic procedures, share their experiences, and connect with top providers.
Today there are more cosmetic treatment options than ever before—from Botox to laser hair removal, microneedling to CoolSculpting. That’s why RealSelf provides unbiased information about cosmetic procedures and the doctors and clinicians who perform them. Every month, millions of RealSelf visitors research procedures and connect with highly qualified providers. RealSelf is a must-visit resource for people considering cosmetic treatments and providers seeking to connect with them. We help millions of people find the right treatment and provider for them.
RealSelf invites you to test and help secure our public-facing assets. We appreciate your efforts and hard work in making the internet (and RealSelf) more secure, and look forward to working with the researcher community to create a meaningful and successful bug bounty program. Good luck and happy hunting!
Our bug bounty program allows you to test the production edition of our site. This is risky business. To make sure your testing doesn't interfere with our users and cause the very problems we are trying to prevent, we ask:
_bugc to identify yourself as a bug bounty participant, for all the accounts you create on our site
@bugcrowdninja.com email address for all accounts you create on our site (we support firstname.lastname@example.org email addresses to allow you to test with several accounts)
If we find you did not abide by these rules while testing our site, we will not award a bounty and may terminate your participation.
For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.
Last updated 11 Oct 2018 20:35:53 UTC
Technical severity | Reward range
p1 Critical | $2,000 - $2,500
p2 Severe | $1,000 - $1,500
p3 Moderate | $500 - $750
p4 Low | $200 - $300
P5 submissions do not receive any rewards for this program.
Target name | Type
www.realself.com | Website
assets.realself.com | Website
auth.realself.com | API
charon.realself.com | API
ei.realself.com | Website
fi.realself.com | Website
i.realself.com | Website
kraken.realself.com | API
log.realself.com | Other
search-faf.realself.com | API
search.realself.com | API
wwa.realself.com | Website
style.realself.com | Other
RealSelf | iOS
realself.com | Website
wwf.realself.com | Website
Any domain not listed in the targets section is out of scope. This includes any/all subdomains not listed above.
We are not interested in reports of the following issues:
Any service not directly hosted or controlled by RealSelf is also out of scope, some of which are listed below:
The language around safe harbor for this program can be found on the following
This program follows Bugcrowd’s standard disclosure terms.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.