Bumble & Badoo Vulnerability Disclosure Program

We reward security researchers for reporting impactful vulnerabilities affecting Bumble, Badoo, BFF (including Geneva), and related products.

Vulnerabilities are ranked based on real-world impact. Final severity and rewards are determined by the Bumble security team. We do not rely on rigid scoring systems—the more damage a vulnerability can realistically cause, the higher its severity.

We value high-quality, well-researched reports with clear proof of impact. Avoid duplicate submissions, copy-pasted reports, or reports without a working PoC. Respecting each other’s time helps us respond faster and reward impactful findings.

High-interest assets

Bumble mobile application (iOS & Android)
Bumble For Friends (BFF) mobile application (iOS & Android)
bumble.com (including mobile web)
www.bumble.com
bma.bumble.com

For the full scope, please refer to the assets list.

Note: Geneva Web is a limited interface. Most impactful findings are in the mobile applications. If you cant access the staging applications listed in the programme due capacity being reached, please submit an informational ticket to the program asking for access to the latest APK.

Geneva staging credentials (OTP 000000 for both):

Member: +1 880 999 0001
Owner: +1 880 999 0009

Out-of-scope / non-qualifying reports

Information disclosure & inference issues When reporting inferred information (e.g. “Has this specific user liked me?”), consider:

Scalability
- Can the technique be automated at scale?
- Does it rely on predictable identifiers?
- If it only works in isolated or manual cases, it is unlikely to qualify
Equivalent in-app behaviour
- Could the same information be obtained through intended app functionality (e.g. swiping and matching)?
- If yes, the report likely duplicates expected behaviour rather than exposing sensitive data

Reports that do not demonstrate scalable access to information not otherwise obtainable via normal app use are typically closed as Informative or Not Applicable

How severity is assessed (examples)

These examples hopefully clarify some of the thinking when assigning risk.

Severity	Example impact
Low	HTML injection or XSS that only affects page output with no meaningful user impact
Low	Cosmetic UI manipulation without data access or state change
Medium	SQL injection or logic flaw that alters application behaviour but does not expose user data
Medium	Limited unauthorised actions affecting a single account without escalation
High	Unauthorised access to sensitive user data
High	Modification of sensitive profile or account data
Critical	Account takeover
Critical	Scalable abuse impacting multiple users or systems

Personal data handling

Limit access to personal data strictly to what is necessary; All applicable data protection laws must be followed.

Use personal data only for investigation purposes
Securely delete any personal data after testing
Confirm deletion when submitting your report

Public disclosure

Public disclosure is generally not permitted; Exceptions may be granted on a case-by-case basis—please ask before publishing

Bumble

Bumble

Details

Bumble & Badoo Vulnerability Disclosure Program

Out-of-scope / non-qualifying reports

How severity is assessed (examples)

Personal data handling

Public disclosure

Bumble & Badoo Vulnerability Disclosure Program

Out-of-scope / non-qualifying reports

How severity is assessed (examples)

Personal data handling

Public disclosure