Details

SIMPLE RULES

Do not make any information public until the issue has been resolved.
Make a good faith effort to avoid interruption or degradation of our services .
Do not access or modify data that does not belong to you - create a free account to test with.
Making many substantially similar reports will only be eligible for one bounty award and marked as duplicate. For example, the same vulnerability reported across multiple subdomains. Please consolidate these issues into a single report.
Please try to limit the number of times you follow up on a report. Making daily comments only adds to our workload and makes turnaround time longer for everyone.
This bounty program is only concerned with security-related bugs, please e-mail [email protected] for all other bugs.
If your report is related to an advertiser on our site, please refer to https://help.imgur.com/hc/en-us/articles/205107685-Bad-Ads for further guidance.

SCOPE

We are interested in hearing about any security flaw. This could include, but is not limited to:

Anything that leaks personal user data, e.g. emails, passwords, content a user has set to private or deleted.
Accessing someone's account without their knowledge.
Bug exposing a way to perform an action on behalf of another user.
Changing a user's settings without their knowledge.
Changing values of any site wide data.
Programmatically deleting images that don't belong to you.
Cross-site scripting.

DOMAINS UNDER SCOPE

We are interested in your findings for the following domains:

imgur.com
api.imgur.com
i.imgur.com

Please disregard subdomains/domains such as:

blog.imgur.com
community.imgur.com
imgurads.com

REWARDS

For each resolved eligible vulnerability report, the first reporter will receive at Imgur’s discretion:

Recognition on our Hall of Fame.
Monetary compensation ranging from $50 to $5000, depending on severity and potential impact of the vulnerability.

EXCLUSIONS

The following conditions are out of scope for the vulnerability disclosure program. Any of the activities below will result in disqualification from the program permanently.

Public release of information before submission through Hackerone.
Bugs coming from third party softwares in use by imgur. e.g. store.imgur.com and help.imgur.com
Physical attacks against Imgur employees, offices, and data centers.
Any vulnerability obtained through the compromise of a Imgur customer or employee accounts. If you need to test a vulnerability, please create a free account.
Social engineering of Imgur employees, contractors, vendors, or service providers.
Self-XSS without a vector for a third party attack.
Knowingly posting, transmitting, uploading, linking to, or sending any malware.
Pursuing vulnerabilities which send unsolicited bulk messages (spam) or unauthorized messages.
Content injection vulnerabilities where the field injected always shows the result of a user's input.
Attacks requiring physical access to a user's device.
Tricking a user into manually performing a series of steps.

Please do not make reports for the following issues:

Password policy.
Brute force attacks on the /delete/ or /edit/ endpoints.
Username enumeration and other similar enumeration reports.
Sessions not being destroyed on password reset (a separate utility exists for this under the "security" tab)
Imgur has global rate limiting that might not be apparent with low testing volume. Please refrain from reporting issues that require no rate limit to be in place.
CSRF - we are aware of many parts of the site that are vulnerable to CSRF and are currently working on a site wide fix. After the fix goes out, we'll remove this exclusion.
Open redirects. We currently are not addressing this issue, but hope to in the future. We will mark these as "Informative".
OAuth misconfiguration and email signup merging can lead to issues - we are aware that there is a potential problem and are already working on a fix for all platforms.

SIMPLE RULES

Do not make any information public until the issue has been resolved.

Make a good faith effort to avoid interruption or degradation of our services .

Do not access or modify data that does not belong to you - create a free account to test with.

Making many substantially similar reports will only be eligible for one bounty award and marked as duplicate. For example, the same vulnerability reported across multiple subdomains. Please consolidate these issues into a single report.

Please try to limit the number of times you follow up on a report. Making daily comments only adds to our workload and makes turnaround time longer for everyone.

This bounty program is only concerned with security-related bugs, please e-mail [email protected] for all other bugs.

If your report is related to an advertiser on our site, please refer to https://help.imgur.com/hc/en-us/articles/205107685-Bad-Ads for further guidance.

SCOPE

We are interested in hearing about any security flaw. This could include, but is not limited to:

Anything that leaks personal user data, e.g. emails, passwords, content a user has set to private or deleted.

Accessing someone's account without their knowledge.

Bug exposing a way to perform an action on behalf of another user.

Changing a user's settings without their knowledge.

Changing values of any site wide data.

Programmatically deleting images that don't belong to you.

Cross-site scripting.

EXCLUSIONS

The following conditions are out of scope for the vulnerability disclosure program. Any of the activities below will result in disqualification from the program permanently.

Public release of information before submission through Hackerone.

Bugs coming from third party softwares in use by imgur. e.g. store.imgur.com and help.imgur.com

Physical attacks against Imgur employees, offices, and data centers.

Any vulnerability obtained through the compromise of a Imgur customer or employee accounts. If you need to test a vulnerability, please create a free account.

Social engineering of Imgur employees, contractors, vendors, or service providers.

Self-XSS without a vector for a third party attack.

Knowingly posting, transmitting, uploading, linking to, or sending any malware.

Pursuing vulnerabilities which send unsolicited bulk messages (spam) or unauthorized messages.

Content injection vulnerabilities where the field injected always shows the result of a user's input.

Attacks requiring physical access to a user's device.

Tricking a user into manually performing a series of steps.

Please do not make reports for the following issues:

Password policy.

Brute force attacks on the /delete/ or /edit/ endpoints.

Username enumeration and other similar enumeration reports.

Sessions not being destroyed on password reset (a separate utility exists for this under the "security" tab)

Imgur has global rate limiting that might not be apparent with low testing volume. Please refrain from reporting issues that require no rate limit to be in place.

CSRF - we are aware of many parts of the site that are vulnerable to CSRF and are currently working on a site wide fix. After the fix goes out, we'll remove this exclusion.

Open redirects. We currently are not addressing this issue, but hope to in the future. We will mark these as "Informative".

OAuth misconfiguration and email signup merging can lead to issues - we are aware that there is a potential problem and are already working on a fix for all platforms.