Tumblr Bug Bounty Program

The Tumblr Bug Bounty Program was designed for those security-conscious users who help keep the Tumblr community safe from criminals and jerks. If you submit a bug that is within the scope of the program (as defined below), we will gladly reward you for your keen eye. Also, by submitting you agree that your submissions are subject in relevant part to Tumblr’s Application Developer and API License Agreement.
Eligibility and Responsible Disclosure

The following domains and apps are within the scope of the program:

  • www.tumblr.com
  • api.tumblr.com
  • safe.tumblr.com
  • secure.tumblr.com
  • assets.tumblr.com
  • embed.tumblr.com
  • Tumblr for iOS
  • Tumblr for Android

To be eligible, you must demonstrate a security compromise on any of these domains using a reproducible exploit, including the following:

  • Cross-site scripting exploits
  • Cross-site request forgery exploits
  • Authentication or authorization flaws
  • Official Tumblr mobile apps or API flaws
  • Server-side code execution bugs
  • Injection flaws
  • Significant security misconfigurations

(Eligibility determinations will be made at our sole discretion.)

The more thorough the proof-of-concept, the higher the chance a payout will be awarded. Our request for a thorough proof-of-concept simply means we prefer detailed write-ups of what you found and how it might be exploited in a real-world scenario. If you do manage to get remote code execution -- STOP, let us know, and we'll take it from there.
We ask that you follow principles of responsible disclosure and give the Tumblr security team a reasonable amount of time to respond to and correct the submitted bug before you make it public.
Rewards

Based on the severity of the bug and the completeness of the submission, which we will decide at our sole discretion, we offer three types of honoraria:

  • Minor: $200
  • Major: $400
  • Critical: $1000
Exclusions from eligibility

  • Not making a responsible disclosure, per above.
  • [yourblogname].tumblr.com can be the *source* of an exploit, but not the *target*. A post or theme which executes 'alert(document.cookie)' on your blog is not an eligible bug. The same is true for static.tumblr.com. However, a post that executes 'alert(document.cookie)' on the dashboard in the context of www.tumblr.com when it is *reblogged* is definitely eligible.
  • Bugs which require unlikely user interaction or phishing are not eligible. Typing XSS code into a post form is not a viable exploit; XSS code that executes when you open a reblog-post form is.
  • XSS code reflected from Customize Theme into theme preview is not eligible. The theme preview window is specifically isolated from tumblr.com.
  • Missing “best practices” HTTP headers, unless they can be demonstrated to lead to an exploit. Keep in mind, several Tumblr pages are designed to be frameable.
  • Vulnerabilities in third-party components in use at Tumblr, depending on severity and exploitability. For instance, we try to keep up to date with OpenSSL versions, but not all security issues impact Tumblr's configuration.
  • Any individual residing in a country that is on a United States restricted export control list is not eligible to participate.
  • Any individual on a United States state or federal criminal wanted list or restricted export control list is not eligible to participate.
  • This program is limited to technical vulnerabilities in Tumblr web or mobile applications. Don't try to sneak into our offices or attempt to phish our employees!
  • Don't try to DoS us, leverage black hat SEO techniques, spam people, use obtained access for further exploits (including, but not limited to, destroying data, interrupting service, committing privacy violations) or do other similarly questionable things. We also discourage the use of any vulnerability testing tools that automatically generate significant volumes of traffic.
  • Do not compromise other users' accounts to prove your exploit. All proofs of concept should be executed using accounts that you own.
  • We don't work with vulnerability brokers. The purpose of this program is to fix bugs, not benefit third parties.
Final notes

We will make the final decision on bug eligibility and value. Don’t treat this program like a game or competition, let alone the foundation of a business plan. The program exists entirely at our discretion and may be canceled at any time. That said, thanks in advance for helping us out here.
Submit a bug