The Tumblr Bug Bounty Program was designed for those security-conscious users who help keep the Tumblr community safe from criminals and jerks. If you submit a bug that is within the scope of the program (as defined below), we will gladly reward you for your keen eye. Also, by submitting you agree that your submissions are subject in relevant part to Tumblr’s Application Developer and API License Agreement.
The security of Tumblr and our users is always a top priority for us. We look forward to working with the security community and invite security researchers to report security vulnerabilities that they identify in our products.
Tumblr offers rewards for eligible reporters of qualifying vulnerabilities based on severity and completeness of the submission, as determined by the Tumblr security team. Awards are granted entirely at the discretion of Tumblr.
Rewards may range from Tumblr-branded swag to monetary rewards up to $5,000 USD. Tumblr will determine, fully in its discretion, whether a reward will be granted and the amount of the reward. The more unique or severe the vulnerability, the higher we will pay. On the other hand, vulnerabilities that require significant or unusual user interaction will receive lower rewards.
Depending on the findings, some awards may be consolidated into a single payout. For example, multiple reports of the same vulnerability across different parameters of a resource, or demonstrations of multiple attack vectors against a single underlying framework issue, may be treated as one finding.
Eligibility and Responsible Disclosure
We are extremely happy to receive a report from everyone who submits one. However, to be eligible for a reward, you must meet the following requirements:
- You must be the first to report the issue to us.
- The issue must be a qualifying vulnerability (see below) and affect an in-scope application (see below).
- This program does not allow for public disclosure of the vulnerability without express permission. If you wish to disclose the report, we require that you ask us first.
Violation of any of these rules can result in ineligibility for a bounty and/or removal from the program.
The following domains and apps are within the scope of the program:
- Tumblr for iOS
- Tumblr for Android
Common examples of vulnerabilities that qualify for a reward include, but are not limited to:
- Cross Site Scripting (XSS)
- Cross Site Request Forgery (CSRF)
- Authentication or authorization bypass
- Remote Code Execution
- Local or Remote File Inclusion
If you’re unsure of whether or not your issue qualifies, imagine what the attack scenario would be like. For instance, can it negatively affect other Tumblr users?
Exclusions from eligibility
Though every report is reviewed, your submission may not qualify for a monetary reward. At minimum, any report that results in a change will be rewarded with swag.
We request that you refrain from accessing private information or performing actions that may negatively affect other Tumblr users. Additionally, DO NOT submit reports generated by automatic tools without verifying them first.
The following is a list of topics that are excluded from the Tumblr bug bounty program:
- Non-responsible disclosure
- Issues that we are already aware of or have been previously reported
- “Self” XSS
- Cross-Site Request Forgery with minimal security impact (e.g. “logout CSRF”)
- Account enumeration
- Denial of Service attacks
- SSL/TLS best practices
- Incomplete or missing SPF/DKIM
- General best practice concerns
- Attacks requiring physical access to a user’s device
- Social Engineering of Tumblr employees
- Physical access to Tumblr properties or data centers
- Reports of spam or copyright material
In connection with your participation in this program you agree to comply with all applicable local and national laws.
Tumblr reserves the right to change or modify the terms of this program at any time.
You may not participate in this program if you are a resident or individual located within a country appearing on any U.S. sanctions lists.
Vulnerabilities obtained by exploiting Tumblr users or employees are not eligible for a bounty and may result in immediate disqualification from the program.
Tumblr has never given permission/authorization (either implied or explicit) to an individual or group of individuals to extract personal information or content of Tumblr users and publicize this information on the open, public-facing Internet without user consent, nor has Tumblr ever given permission for programs or data belonging to Tumblr to be modified or corrupted in order to extract and publicly disclose data belonging to Tumblr.
Tumblr employees and contingent workers, as well as their immediate family members and persons living in the same household, are not eligible to receive bounties or rewards of any kind under any Tumblr programs, whether hosted by Tumblr or any third party.
We will make the final decision on bug eligibility and value. Don’t treat this program like a game or competition, let alone the foundation of a business plan. The program exists entirely at our discretion and may be canceled at any time. That said, thanks in advance for helping us out here.