SEMrush Bug Bounty

$55,000+ are received by researchers

Bug Bounty

No technology is perfect, and SEMrush believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.

Payouts

Our vulnerability-reward payouts will go up to $3,000 USD for the most impactful exploits. If we accept your report, our minimum bounty is $50.

Reflected XSS $100
Stored XSS from $150 to $250
SSRF from $300 to $1,000
Security misconfiguration up to $500
Broken authentication up to $1,000
Injection and RCE up to $3,000

Learn more

Program Rules

Automated testing is not permitted.
Follow HackerOne's Disclosure Guidelines.
Test only with your own account(s) when investigating bugs, and do not interact with other accounts without the consent of their owners.
When duplicates occur, we award the first report that we can completely reproduce.
Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
We award bounties at time of validation, and will keep you posted as we work to resolve them.
Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
We only accept the latest version of browsers for Google Chrome, Mozilla Firefox, Opera, Safari, and Edge.

Web Application Firewall

Your requests can be blocked by the WAF solution we use. So if you get error 445, but you feel that you have found a vulnerability and you have serious reasons to believe that the vulnerability really exists - you can write to us about it on the report, we will investigate your case and maybe temporary add your IP to the white list.

Exclusions

advocates.semrushchina.cn
actonmail.semrushchina.cn
email.semrushchina.cn
berush.com
Any other issues related to software not under SEMrush's control

While researching, we'd like to ask you to refrain from:

Denial of service
Spamming
Social engineering (including phishing) of SEMrush staff or contractors
Any physical attempts against SEMrush property or data centers
CSRF - site wide and known issue

The following bugs are unlikely to be eligible for a bounty:

Missing DNSSEC settings (we're working it)
Issues found through automated testing
"Scanner output" or scanner-generated reports
Attacks requiring physical access to a user's device
Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, HTTP methods, cookie flags, or descriptive error messages
Brute Force attacks
Spam or Social Engineering techniques, including SPF/DMARC/DKIM issues
Issues relating to Password Policy - strength, length, lock outs, or lack of brute-force/rate limiting protections
Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV. Reflected file download attacks (RFD)
SSL/TLS best practices that do not contain a fully functional proof of concept
Tab nabbing and window.opener-related issues
Vulnerabilities affecting users of outdated browsers, plugins or platforms
Vulnerabilities that allow for the injection of arbitrary text without allowing for hyperlinks, HTML, or JavaScript code to be injected
Vulnerabilities that require the user/victim to perform extremely unlikely actions (i.e. Self-XSS)
Bugs that do not represent any security risk - these should be reported to mail@semrush.com
IDN homograph attacks

API/API key related bugs

When you test requests to API or with API key - be careful - change api key to test auth issues not cookies.

Mail us Join us on HackerOne