No technology is perfect, and SEMrush believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.
* Automated testing is not permitted.
* Follow HackerOne’s Disclosure Guidelines (https://hackerone.com/guidelines).
* Test only with your own account(s) when investigating bugs, and do not interact with other accounts without the consent of their owners.
* When duplicates occur, we award the first report that we can completely reproduce.
* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
* We award bounties at time of validation, and will keep you posted as we work to resolve them.
* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
* We only accept issues reproducible in the latest versions of Google Chrome, Mozilla Firefox, Opera, and Safari, and in Internet Explorer 10 or later.
Our vulnerability-reward payouts will go up to $3,000 USD for the most impactful exploits. If we accept your report, our minimum bounty is $50.
- Stored XSS from $150 to $250
- Reflected XSS $100
- Stored XSS with authenticated experience up to $1,000
- SSRF from $300 to $1,000
- Security misconfiguration up to $500
- Broken authentication up to $1,000
- Injection and RCE up to $3,000
Your requests may be blocked by the WAF solution we use. If you receive error 445 but have serious reasons to believe that you have found a real vulnerability, describe this in your report; we will investigate your case and may temporarily add your IP address to the whitelist.
While researching, we'd like to ask you to refrain from:
- Denial of service
- Social engineering (including phishing) of SEMrush staff or contractors
- Any physical attempts against SEMrush property or data centers
- CSRF (site-wide, known issue)
The following bugs are unlikely to be eligible for a bounty:
- Any other issues related to software not under SEMrush’s control
- Missing DNSSEC settings (we're working on it)
- Issues found through automated testing
- "Scanner output" or scanner-generated reports
- Attacks requiring physical access to a user's device
- Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, HTTP methods, cookie flags, or descriptive error messages
- Brute Force attacks
- Spam or Social Engineering techniques, including SPF/DMARC/DKIM issues
- Issues relating to Password Policy - strength, length, lock outs, or lack of brute-force/rate limiting protections
- Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV (CSV injection)
- Reflected file download (RFD) attacks
- SSL/TLS best practices that do not contain a fully functional proof of concept
- Tab nabbing and window.opener-related issues
- Vulnerabilities affecting users of outdated browsers, plugins or platforms
- Vulnerabilities that require the user/victim to perform extremely unlikely actions (e.g. Self-XSS)
- Bugs that do not represent any security risk - these should be reported to firstname.lastname@example.org
- IDN homograph attacks
API/API key related bugs
When testing requests to the API, or any request that carries an API key, be careful: to test authorization issues, swap the API key, not the session cookies.
Thank you for helping keep SEMrush and our users safe!
Hall of Fame