Backblaze


In Scope

Scope Type         Scope Name
ios_application    com.backblaze.BzBackupBrowser
web_application    *
web_application    *


Security is a top priority at Backblaze. We believe that no technology is perfect and that working with skilled security researchers across the globe is crucial in identifying weaknesses in our technology. If you believe you've found a security bug in our service, we are happy to work with you to resolve the issue promptly and ensure you are fairly rewarded for your discovery.

If you have questions about the Backblaze service or are trying to get help with your own Backblaze account, please visit our support page for assistance. Here are a few relevant resources that may come in handy while doing your research:

Service Scopes:

We have six main areas that we invite our hackers to test.

  • The Web Application (https://*, including any APIs the site uses through AJAX calls, whether public or private)
  • Personal Backup Clients (Mac and Windows)
  • Restore Downloaders (Mac and Windows)
  • B2 APIs (https://*)
  • Mobile Applications (iOS and Android)
  • Git Repositories (b2-sdk-java & B2 Command Line Tool)

Coordinated disclosure rules

  • Please let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly correct the issue.
  • Provide us a reasonable amount of time to fix the issue before publishing it elsewhere.
  • Make a good faith effort to not leak, manipulate, or destroy any user data. Please only test against accounts you own yourself or with explicit permission of the account holder.
  • Please don't create more than a couple of accounts for testing.
  • Please do not attempt a Denial of Service (DoS) attack without our explicit permission and oversight.
  • Please do not submit anything that is explicitly deemed out of scope below.

Bounty eligibility

We are most interested in remote code execution vulnerabilities and leaks of personal information (authentication/authorization bypasses). We request that researchers focus on these critical areas. Backblaze reserves the right to decide if an issue meets the minimum severity threshold, and whether it is a duplicate of an earlier report.

To qualify for a reward under this program, you should:

  • Be the first to report a specific vulnerability.
  • Send a clear textual description of the report along with steps to reproduce the vulnerability. Include attachments such as screenshots or proof of concept code as necessary.
  • Disclose the vulnerability report directly and exclusively to us. Public disclosure or disclosure to other third parties -- including vulnerability brokers -- before we have addressed your report will forfeit the reward.

Scope exclusions

Because we are most interested in remote code execution vulnerabilities and leaks of personal information (authentication/authorization bypasses), not all issue types/techniques are included in the scope of our program at this time. Please be aware of the following scope exclusions before beginning your research and submitting any reports.

  • Denial of Service (DoS) attacks that merely overwhelm resources (as opposed to crashing systems)
  • Best-practice concerns not accompanied by an in-scope exploit (e.g. missing HTTP headers, outdated software, etc.)
  • Generic email spoofing issues
  • Vulnerabilities in third parties using Backblaze

Thank you for helping keep Backblaze safe!

FireBounty © 2015-2019