SendSafely Bug Bounty Program

Find good security bugs, get rewarded. It's that simple.

Our number one priority is to ensure the security of the SendSafely platform. Our Bug Bounty program is designed to reward researchers for discovering and reporting vulnerabilities that present a high risk to the overall security of our platform and our users. In order to be eligible for a reward, your vulnerability must meet the qualification requirements outlined below and you must follow our reporting and disclosure procedures.

Program Rules

The SendSafely program follows a set of well defined and industry standard disclosure terms and vulnerability rating taxonomies. To avoid confusion, SendSafely will rate all submissions using the Bugcrowd Vulnerability Rating Taxonomy.

Each submission will be evaluated by the SendSafely security team on the basis of first-to-find. You will qualify for a reward if you were the first person to alert us of a previously unknown issue and the issue triggers us to make a code or configuration change to our platform.

Our Bug Bounty program pays cash rewards issues with a Technical Severity of P1, P2 and P3. Issues rated P4 or lower may be submitted, but will not likely be eligible for a cash reward. Our standard payout policy is below.

SeverityCash Reward
The SendSafely bounty program requires explicit permission to disclose the results of a submission

We ask that you please abide by the following rules when participating in the SendSafely bug bounty program:

Testing Targets

All URLs hosted under are included within the scope of our bug bounty program. Please keep in mind that this is a production environment. When performing your testing, we ask that you:

Only pages and URLs hosted under are included within the scope of our bug bounty program. Systems within any other sub-domain of are out of scope, as are any all 3rd party systems (for example, but not limited to: Zendesk, Github, Stripe, Hubspot, etc). If you are unsure of exploitability, please contact us and one of our security engineers will work with you to verify it safely.

Please also note that the following findings are specifically excluded from the bounty:
To obtain a test account, sign up for a free SendSafely Pro Trial. Once you complete the registration process, you will have full access to all of the features included in our PRO plan for 14 days.
  • After the trial period, your account will still be valid but functionality will be limited
  • As part of the registration process you will receive and email and be asked to complete a profile. When completing the profile please use Last Name = SendSafelyBountyHunter to indicate you are a Bug Bounty tester.

Submitting a Bug Report

All submissions must be made using our Security Bug Reporting Form. You'll be expected to explain where the bug is, who it affects, how to reproduce it, the parameters it affects, and any PoC code. You can also upload any files that you may have that proves the vulnerability exists. You want to add as much information as you can to help reproduce the vulnerability. This not only helps the company quickly reproduce the issue but also helps moves your submission through the review process a lot faster.

The following information will be required for all valid bug submissions.

CaptionThe title of the report should describe the type of bug found, where it was found, and the overall impact. For example, “Remote File Inclusion in Resume Upload Form allows remote code execution” is much more descriptive and helpful than “RFI Injection found."
TargetThe Target field identifies the specific target affected by the bug you have found.
Bug TypeThe bug type identifies the kind of bug you have found. It is important that you choose the correct bug type so that the organization understands the risk the bug presents them.
Bug URLThe bug URL identifies the location in the application where you discovered the bug.
Proof of ConceptYour report must include clear and descriptive replication steps so that the organization can easily reproduce and validate that your findings.
Additional InfoThe section where you can provide context. You can explain what you discovered and describe the impact and risk of your discovery.
ScreenshotsIf possible, you should include illustrative evidence that shows proof of the vulnerability.

Submit a Bug Report

Questions? Send an email to