Banner object (1)

Hack and Take the Cash !

805 bounties in database
  Back Link to program      
ConvertKit Vulnerability Disclosure Program logo
Hall of Fame

ConvertKit Vulnerability Disclosure Program

ConvertKit invites you to test and help secure our primary publicly facing assets - focusing on our web, and API application. We appreciate your efforts and hard work in making the internet (and ConvertKit) more secure, and look forward to working with the researcher community to create a meaningful and successful bug bounty program. Good luck and happy hunting!


For the initial prioritization/rating of findings, this program will use theBugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

This program only awards points for VRT based submissions.


In scope

Target name | Type
---|--- | API | Website | Website | Website

Out of scope

Target name | Type
---|--- | Website | Website | Website

Testing is only authorized on the targets listed as In-Scope. Any domain/property of ConvertKit not listed in the targets section is out of scope. This includes any/all subdomains not listed above. If you believe you've identified a vulnerability on a system outside the scope, please reach out to before submitting.

Target Documentation

There's quite a bit of information on how to exercise our application. Please check out our help documentation on general functionality, and our API docs for info on how to exercise our API.

  • NOTE: there is an undocumented endpoint at that we're interested in knowing if researchers are able to find vulnerabilities in/around. This isn't something that's explicitly found anywhere via our app, but we'd like researchers to be aware of it. Good luck and happy hunting!

Please note, the same underlying rails application resides on both, and, findings will be de-duplicated based on this information


All assets are publicly accessible.


Please sign up for an account using your email address. For more info regarding @bugcrowdninja email addresses, see here.

3rd Party Services

If you believe an issue with one of our third-party service providers is the result of ConvertKit’s misconfiguration or insecure usage of that service (or you've reported an issue affecting many customers of the service that you believe ConvertKit can temporarily mitigate without stopping usage of the service while a fix is implemented upstream), we'd appreciate your report regarding the issue.

Keep in mind that any reports regarding third-party services are likely to not be eligible for kudos points, but still appreciated.


  • Naturally, due to the type of business we run, you'll be able to create your own forms and such. Any findings having to do with something created by you, and not the underlying creation functionality won't be eligible for reward.
  • Please refrain from any Denial of Service, or rate-limit testing.
  • No port-scanning

Safe Harbor:

When conducting vulnerability research according to this policy, we consider this research to be:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.
  • You are expected, as always, to comply with all applicable laws.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please inquire via before going any further.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

Learn more about Bugcrowd’s VRT.

In Scope

Scope Type Scope Name




Out of Scope

Scope Type Scope Name



This program have been found on Bugcrowd on 2019-10-18.

FireBounty © 2015-2020

Legal notices