Welcome, Security Research Community!
23andMe recognizes the importance of working with skilled security researchers to identify and address vulnerabilities in our technology. We encourage responsible disclosure through our Bug Bounty Program and are excited to collaborate with you to enhance our security.
Scope
Testing is authorized only for targets explicitly listed as In-Scope. Any domain/property not listed is considered Out-of-Scope, including subdomains. If you discover a vulnerability outside the defined scope, contact [email protected] before submitting your findings. Failure to submit reports through our designated bug bounty route may result in a non-eligible report.
When Testing:
- Use your HackerOne email alias ([email protected]).
- Include the following header in all requests:
- Automated tools: Limit requests to no more than 3 per second and avoid using vulnerability scanners.
Failure to follow these guidelines may result in disqualification from bounty rewards.
Program Rules
- Use your HackerOne email alias for account creation and testing.
- Add the X-HackerOne-Research header to all requests.
- Avoid using multiple IP addresses during testing.
- Refrain from public disclosure without 23andMe's written consent (even post-fix).
- Only test accounts you own or have explicit permission to interact with.
- Stop testing immediately if you encounter sensitive data and report it to us.
- Provide detailed, reproducible reports. Lack of detail may disqualify the submission.
- Submit one vulnerability per report unless chaining vulnerabilities to demonstrate impact.
- Social engineering (e.g., phishing) is prohibited.
- Avoid privacy violations, data destruction, or service disruption.
- Valid submissions must demonstrate a tangible security risk.
- Program terms may change at any time. Participating means you agree to be bound by the new terms.
- For submissions involving Leaked Credentials:
* Do NOT attempt to validate.
* Attempting to sign in, change data, or test MFA with leaked credentials is forbidden.
* Submit evidence only.
* Attach the data dump.
* Add the exact link or source of the leak. (Required)
* No further testing—just share the data. For transparency, end‑user credentials alone are usually out of scope unless a program-responsible leak source can be identified.
Focus Areas
Submissions addressing the following vulnerabilities are highly valued:
- Sensitive Data Exposure
- Remote Code Execution (RCE)
- Authentication Bypass
- Broken Access Control
- SQL Injection (or equivalent)
- Server-Side Request Forgery (SSRF)
- Malicious File Uploads
- XML External Entities (XXE)
- Cross-Site Scripting (XSS)
- Exfiltration of AWS credentials
- Misconfigured cloud infrastructure leading to data leakage
Out-of-Scope Vulnerabilities
The following are not eligible for bounty rewards:
- CustomerCare Portal
- Vulnerabilities caused by past or present data breaches.
- Low-impact issues (e.g., missing headers, outdated libraries, clickjacking).
- Attacks requiring unlikely user interaction or physical access.
- DoS attacks or brute-force attacks.
- Rate limiting on non-authentication endpoints.
- Not all submissions involving third-party vendors will be eligible for a reward or considered in scope, but we can review them on a case-by-case basis.
* (e.g., Chatbot AI Agent powered by Ada, Zendesk, Braintree, etc.)
* (e.g., Google Maps API keys)
Disclosure Policy
Follow HackerOne's disclosure guidelines. Unauthorized public disclosure may result in disqualification from the program.
Happy Hunting!
We appreciate your contributions and look forward to collaborating with you to keep 23andMe secure.