Gusto’s mission is to create a world where work empowers a better life. By making the most complicated business tasks simple and personal, Gusto is reimagining payroll, benefits and HR for modern companies.

Security is one of the top priorities at Gusto. We put the same amount of care into protecting our customers' information as we would into protecting our own. To that end, we would like to invite you to our bug bounty program. We appreciate your efforts and hard work in making the internet (and Gusto) more secure and look forward to working with the researcher community to create a meaningful and successful bug bounty program. Good luck and happy hunting!


New Bonus

  • $1,250 additional bonus for the first two valid P1s submitted
  • $500 additional bonus for the first three valid P2s submitted

For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability's priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher, along with the opportunity to appeal and make a case for a higher priority.

Reward range

Last updated 18 May 2020 16:32:39 UTC

Technical severity | Reward range
---|---
P1 Critical | $3,000 - $5,000
P2 Severe | $1,500 - $2,000
P3 Moderate | $500 - $1,000

P4 submissions are only eligible to receive kudos points. P5 submissions do not receive any rewards for this program.


In scope

Target name | Type
---|---
 | Website Testing
 | Website Testing
 | Website Testing

Out of scope

Target name | Type
---|---
* | Website Testing
<> | Website Testing

Testing is only authorized on the targets listed as In-Scope. Any domain/property of Gusto not listed in the targets section is out of scope. This includes any/all subdomains not listed above. If you believe you've identified a vulnerability on a system outside the scope, please reach out to before submitting.

Rules of Engagement

Actions which affect the integrity or availability of program targets are prohibited, and this prohibition is strictly enforced. If you notice performance degradation on the target systems, you must immediately suspend all use of automated tools, notify Gusto of the incident without delay, and provide details of the actions taken, when the performance degradation is believed to have started, and when your activity ceased.


  • No testing/submissions on *
  • No rate-limiting or DoS attack related submissions

Known Issues

  • Sensitive Data Exposure > Private API Keys
  • Server Security Misconfiguration > Misconfigured DNS, OAuth Misconfiguration

Focus Areas

  • Granular permissions in
  • GraphQL

Safe Harbor:

When conducting vulnerability research according to this policy, we consider this research to be:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.

You are expected, as always, to comply with all applicable laws.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please inquire via before going any further.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.

This program was crawled on 2019-10-24 and is sorted as bounty.

FireBounty © 2015-2020
