SEMrush Bug Bounty
Our vulnerability-reward payouts will go up to $3,000 USD for the most impactful exploits. If we accept your report, our minimum bounty is $50.
- Reflected XSS $100
- Stored XSS from $150 to $250
- SSRF from $300 to $1,000
- Security misconfiguration up to $500
- Broken authentication up to $1,000
- Injection and RCE up to $3,000
- Automated testing is not permitted.
- Follow HackerOne's Disclosure Guidelines.
- Test only with your own account(s) when investigating bugs, and do not interact with other accounts without the consent of their owners.
- When duplicates occur, we award the first report that we can completely reproduce.
- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
- We award bounties at time of validation, and will keep you posted as we work to resolve them.
- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third party.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
- We only accept the latest version of browsers for Google Chrome, Mozilla Firefox, Opera, Safari, and Edge.
- Any other issues related to software not under SEMrush's control
While researching, we'd like to ask you to refrain from:
- Denial of service
- Social engineering (including phishing) of SEMrush staff or contractors
- Any physical attempts against SEMrush property or data centers
- CSRF - site wide and known issue
The following bugs are unlikely to be eligible for a bounty:
- Missing DNSSEC settings (we're working on it)
- Issues found through automated testing
- "Scanner output" or scanner-generated reports
- Attacks requiring physical access to a user's device
- Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, HTTP methods, cookie flags, or descriptive error messages
- Brute Force attacks
- Spam or Social Engineering techniques, including SPF/DMARC/DKIM issues
- Issues relating to Password Policy - strength, length, lockouts, or lack of brute-force/rate limiting protections
- Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV
- Reflected file download attacks (RFD)
- SSL/TLS best practices that do not contain a fully functional proof of concept
- Tab nabbing and window.opener-related issues
- Vulnerabilities affecting users of outdated browsers, plugins or platforms
- Vulnerabilities that require the user/victim to perform extremely unlikely actions (e.g. Self-XSS)
- Bugs that do not represent any security risk - these should be reported to email@example.com
- IDN homograph attacks
When you test requests to the API or requests made with an API key, be careful: to test authentication issues, change the API key, not the cookies.