Bug Bounty Disclosure Program

How to submit a report?

To report a security issue, please email us at bugbounty@medium.com.

IMPORTANT: Defeating the paywall by clearing cookies, private browsing, or otherwise creating new user sessions is not considered a valid vulnerability. Such reports will be ignored. For more rules and a list of exclusions, please check out appropriate sections below.

See others who have made responsible disclosures here.

Qualifying Vulnerabilities

The following domains and apps are within the scope of the program:

  • *.medium.com
  • *.embed.ly
  • *.embedly.com
  • Medium for iOS
  • Medium for Android
  • Medium Custom Domains (excluding any subdomains or related domains that are not hosted by Medium).

To be eligible, you must demonstrate a security compromise on any of these domains using a reproducible exploit, including the following:

  • Cross-site scripting exploits
  • Cross-site request forgery exploits
  • Authentication or authorization flaws
  • Official Medium mobile apps or API flaws
  • Server-side code execution bugs
  • Injection flaws
  • Significant security misconfigurations
  • Recommendation and ranking systems

These Issues Do Not Qualify

Please note that even though some of these issues might be highly relevant in other contexts, in the context of Medium we had determined that they don’t pose as great of a risk. Also note that this list isn't meant to be all-encompassing and it's up to our sole discretion whether we consider a reported issue to be a valid vulnerability.

  1. Defeating the paywall by clearing cookies, private browsing, or otherwise creating new user sessions.
  2. Self-XSS.
  3. Login/logout CSRF.
  4. CSRF configuration issue without exploitable proof of concept. A CSRF proof of concept case that requires Burp or a networking proxy is not valid or sufficient.
  5. Missing security headers which do not lead directly to a vulnerability.
  6. Vulnerabilities in third party components in use at Medium, depending on severity and exploitability. For instance, we try to keep up to date with OpenSSL versions but not all security issues impact Medium’s configuration.
  7. Bugs that require unlikely user interaction or phishing. This includes issues commonly known as clickjacking or UI redress attack.
  8. Newly acquired companies are subject to a blackout period to allow us to review and get everything up to speed. Acquisitions coming out of the blackout period will be added to the scoping list once they are in-scope. Bugs reported sooner than that will typically not qualify for a reward.
  9. Rate Limit on emails sent during sign-up, sign-in, and change email confirmations.
  10. Previous email login links not invalidated in the event multiple login links are requested. All links expire in 15 minutes.
  11. Not signed out of Android native app when signing out of all other sessions from the web. We provide a read-only experience to the user, and prevent the ability to post, recommend, respond, highlight, and access to drafts, bookmarks, history and settings.
  12. Using an email spoofing tool to send an email spoofed as sent from a medium.com domain (ex. bugbounty@medium.com) sends an email but is marked as Spam, as opposed to the email not being sent at all.
  13. Logging-in to medium.com in several browsers/tabs, or logging-in and logging-out repeatedly, thereby creating a large number of user sessions.
  14. Using URLs with look-alike Unicode symbols in them also known as homograph attacks.
  15. Redux DevTools in production. We’re aware that it is possible to use Redux DevTools on Medium pages in production. We absolutely do not expose any private data through our Redux state and as such we do not see it as a risk. However, if you notice any data exposed that shouldn’t be there do not hesitate to reach out.

Rules for You

  • Don’t make the bug public before it has been fixed.
  • Don’t attempt to gain access to another user’s account or data. Use your own test accounts for cross-account testing.
  • Don’t perform any attack that could harm the reliability/integrity of our services or data. DDoS/spam attacks are not allowed.
  • Only test for vulnerabilities on sites or apps you know are operated by Medium. Some sites hosted on subdomains of medium.com are operated by third parties and should not be tested.
  • Do not impact other users with your testing, this includes testing for vulnerabilities in accounts you do not own. We may suspend your Medium account and ban your IP address if you do so.
  • Don’t use scanners or automated tools to find vulnerabilities. They’re noisy and we may suspend your Medium account and ban your IP address.
  • No non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
  • The more thorough the proof-of-concept, the higher the chance a payout will be awarded.
  • When in doubt, email us.

Rules for Us

  • We will respond as quickly as possible to your submission.
  • We will keep you updated as we work to fix the bug you submitted.
  • We will not take legal action against you if you play by the rules and act in good faith.

Rewards

Based on severity of the bug and completeness of the submission, which we will decide at our sole discretion, we offer the following rewards:

  • Severity 1: $1500
    Examples: Remote code execution, unrestricted access to file systems or databases, bugs leaking or bypassing significant security controls.
  • Severity 2: $250
    Examples: Bugs allowing artificial manipulation of ranking and recommendation systems, bugs leading to significant leaks of private user data.
  • Severity 3: $100
    Examples: Code execution on the client, XSS, SSRF, open redirects.
  • Severity 4: Recognition on humans.txt
    Valid security vulnerabilities that don’t fall into the categories above or apply to auxiliary services and 3rd party dependencies.

Legal things & final notes

We deal only with principals, not vulnerability brokers.

If you reside in a country on a United States restricted export control list, or are on a United States state or federal criminal wanted list or restricted export control list, you are not eligible to participate in this program.

We will make the final decision on bug eligibility and value. This program exists entirely at our discretion and may be modified or canceled at any time. Any changes we make to these programs terms do not apply retroactively. Thanks for helping us make Medium more secure.

Was this article helpful?