Reporting Vulnerabilities to dev.to

Important Update: Changes to Our Bug Bounty Program

We regret to announce we will be suspending our bug bounty reward program effective immediately. Due to time constraints in managing this program ourselves, we are not in a position to keep the program in-house. We are exploring other options, but do not have a timeline for a re-launch.

While we are no longer able to offer monetary rewards at this time, we still highly value the security community's input and encourage you to continue reporting any vulnerabilities you may discover. Please send your findings to [email protected], and we will diligently investigate all reports. We remain committed to acknowledging significant contributions through our security hall of fame. We hope to launch a new reward program in the future. Your understanding and continued support in maintaining the security of our systems are deeply appreciated.

Security Guidelines and Etiquette

Please read and follow these guidelines prior to sending in any reports.

1. Do not test vulnerabilities in public. We ask that you do not attempt any vulnerabilities, rate-limiting tests, exploits, or any other security/bug-related findings if it will impact another community member. This means you should not leave comments on someone else’s post, send them messages via Connect, or otherwise, impact their experience on the platform.

Note that we are open source and have documentation available if you're interested in setting up a dev environment for the purposes of testing.

2. Do not report similar issues or variations of the same issue in different reports. Please report any similar issues in a single report. It's better for both parties to have this information in one place where we can evaluate it all together. Please note any and all areas where your vulnerability might be relevant. You will not be penalized or receive a lower reward for streamlining your report in one place vs. spreading it across different areas.

3. The following domains are not eligible for our bounty program as they are hosted by or built on external services:

jobs.dev.to (Recruitee)
status.dev.to (Atlassian)
shop.dev.to (Shopify)
docs.dev.to (Netlify)
storybook.dev.to (Netlify)

We've listed the service provider of each of these domains so that you might contact them if you wish to report the vulnerability you found.

4. DoS (Denial of Service) vulnerabilities should not be tested for more than a span of 5 minutes. Be courteous and reasonable when testing any endpoints on dev.to as this may interfere with our monitoring. If we discover that you are testing DoS disruptively for prolonged periods of time, we may restrict your award, block your IP address, or remove your eligibility to participate in the program.

5. Please be patient with us after sending in your report. We’d appreciate it if you avoid messaging us to ask about the status of your report. Our team will get back to you only if your contribution is significant enough to be included in our hall of fame.

Hall of Fame

Thanks to those who have helped us by finding, fixing, and disclosing security issues safely:

Aman Mahendra
Muhammad Muhaddis
Sajibe Kanti
Sahil Mehra
Prial Islam
Pritesh Mistry
Jerbi Nessim
Vis Patel
Mohammad Abdullah
Ismail Hossain
Antony Garand
Guilherme Scombatti
Ahsan Khan
Shintaro Kobori
Footstep Security
Chakradhar Chiru
Mustafa Khan
Benoit Côté-Jodoin
Rahul PS
Kaushik Roy
Kishan Kumar
Gids Goldberg
Zee Shan
Md. Nur A Alam Dipu
Yeasir Arafat
Shiv Bihari Pandey
Nicolas Verdier
Mathieu Paturel
Arif Khan
Sagar Yadav
Sameer Phad
Chirag Gupta
Akash Sebastian
Mustafa Diaa (c0braBaghdad1)
Vikas Srivastava, India
Md. Asif Hossain, Bangladesh
Ali Kamalizade
Omet Hasan
Sergey Kislyakov
Ajaysen R
Govind Palakkal
Kishore Krishna Pai
Panchal Rohan
Rahul Raju
Thijs Alkemade
Nanda Krishna
Narender Saini
Alan Jose
Sumit Oneness
Sagar Raja
Faizan Nehal Siddiqui
Michal Biesiada (mbiesiad)
Aleena Avarachan
Krypton (@kkrypt0nn)
Jefferson Gonzales (@gonzxph)
ALJI Mohamed (@sim4n6)