Picsart is an all-in-one photo and video editing app for making the social content pop. With 130 million monthly creators, Picsart spans the globe. And that is why we take Security, Trust, and Transparency seriously.

Picsart looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe.

Response Targets

Picsart will make a best effort to meet the following response targets for hackers participating in our program:

• Time to First Response: 2 business days
• Time to Triage: 2 business days
• Time to resolution: Up to 45 business days, depending on the severity and complexity.

We’ll try to keep you informed about our progress throughout the process.

Disclosure Policy

If you have identified a potential security vulnerability in our technology, please submit us a detailed report with reproducible steps. Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.

• Follow HackerOne's disclosure guidelines.

Program Rules

• Please provide detailed and clear reports with reproducible steps.
• Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
• Social engineering (e.g. phishing, vishing, smishing) is prohibited.
• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.
• Do not perform DoS or DDoS attacks.
• Do not run automated scans without checking with us first. They are often very noisy.

#Out of Scope Vulnerabilities When reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. The following issues are considered out of scope:

• Clickjacking on pages with no sensitive actions.
• Unauthenticated/logout/login CSRF.
• Attacks requiring MITM or physical access to a user's device.
• Previously known vulnerable libraries without a working Proof of Concept.
• Comma Separated Values (CSV) injection without demonstrating a vulnerability.
• Missing best practices in SSL/TLS configuration.
• Any activity that could lead to the disruption of our service (DoS).
• Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
• Any URIs leaked because a malicious app has permission to view URIs opened
• Absence of certificate pinning
• Lack of obfuscation
• Lack of binary protection control in Android app
• Runtime hacking exploits using tools like but not limited to Frida/ Appmon (exploits only possible in a jailbroken environment)

Rewards

We do not offer a bug bounty at this time, but certain vulnerabilities with a working proof of concept on our Android mobile app may qualify for a bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s Scope and Vulnerability Criteria.

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep Picsart and our users safe!