
Stripchat
Bounty Range
$200 - $3,000
external program
Program guidelines
Platform Standards: Fully compliant with Platform Standards (https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards#h_e01bc643a8).
Top Response Efficiency: This program's response efficiency is above 90% (https://docs.hackerone.com/en/articles/8490880-response-target-indicators).
Collaboration Enabled. Includes Retesting.

| Metric | Value |
|---|---|
| Average time to first response | 9 hours |
| Average time to triage | 22 hours |
| Average time to bounty | 5 days, 2 hours |
| Average time from submission to bounty | 6 days |
| Average time to resolution | 6 days, 8 hours |

Last updated on October 21, 2025. [View changes](/stripchat/bounty_table_versions)
Each severity lists the 90-day average bounty and the percentage of total resolved reports, if applicable.

| Severity | Avg. bounty (90-day) | Share of submissions | Rewards |
|---|---|---|---|
| Low | $200 | 44.90% | $200 |
| Medium | $500 | 36.73% | $500 |
| High | n/a | 14.29% | $1,250 |
| Critical | n/a | 4.08% | $3,000 |
Our rewards are primarily based on severity as determined by the Common Vulnerability Scoring System (CVSS). However, since CVSS does not always fully reflect the real-world impact of a vulnerability on our platform, we also take into account the actual business and security impact specific to Stripchat’s environment when determining bounty amounts.
Rewards are therefore determined using both the CVSS score and contextual impact on Stripchat’s infrastructure, data, and users. This allows us to provide fair and consistent compensation that accurately reflects the value of each finding.
Stripchat may, at its sole discretion, adjust the reward amount or determine whether a reported vulnerability meets the minimum threshold for a bounty in accordance with this policy.
Core Ineligible Findings are out of scope. [Learn more](https://docs.hackerone.com/en/articles/8494488-core-ineligible-findings)
Last updated on November 5, 2025. [View changes](/stripchat/policy_versions)
At Stripchat, we take the security and privacy of our platform very seriously. We highly value collaboration with skilled security researchers who help us improve the protection of our users, data, and services.
You (herein referred to as the “Finder”) are invited to identify and responsibly report potential security vulnerabilities, as defined by HackerOne’s Vulnerability Disclosure Guidelines.
By participating in this program, you agree to act in good faith, avoid service disruption, and comply with all terms outlined in this Program Policy and on the HackerOne platform. Public disclosure of any vulnerability details without Stripchat’s prior written approval is strictly prohibited.
The Scope of this Program is limited to vulnerabilities found within the assets explicitly listed in the Scope section on HackerOne. Only vulnerabilities affecting assets within that list will be considered for review and potential reward.
Vulnerabilities discovered on any other domains, applications, or third-party services not owned or operated by Stripchat are considered out of scope and not eligible for rewards.
Please ensure that you confirm target eligibility before reporting.
All communication regarding vulnerability reports must occur exclusively through the HackerOne platform. Contacting Stripchat’s customer support, staff, or contractors directly (including through chat, email, or social media) regarding the status of a report will result in immediate disqualification from receiving a reward and may lead to permanent removal from the program.
If you have used AI in the creation of the vulnerability report, you must disclose this fact in the report and you should do so clearly. We will of course doubt all "facts" and claims in reports where an AI has been involved. You should check and double-check all facts and claims any AI told you before you pass on such reports to us. You are normally much better off avoiding AI.
Reports must be detailed and include clear, reproducible steps. If the issue cannot be reproduced based on the provided information, it will not be eligible for a reward.
Submit one vulnerability per report, unless multiple vulnerabilities must be chained to demonstrate a single exploitable impact.
In the case of duplicates, only the first valid and reproducible report received will be eligible for a reward.
Multiple vulnerabilities caused by the same underlying issue will be rewarded as a single bounty.
Tests that degrade, disrupt, or interfere with Stripchat’s services in any way are strictly prohibited.
You are not allowed to access, exfiltrate, modify, or destroy any real user data. This includes, but is not limited to, user information, metadata, preferences, and other proprietary configurations (“User Data” and/or “Proprietary Data”).
Testing is only permitted on accounts that you have created yourself or for which you have explicit permission from the account holder.
Automated tools or scripted testing are permitted only under a strict rate limit of 100 requests per second (100 rps). Automated testing must be avoided during maintenance periods or when site-wide technical issues occur.
Physical attacks against Stripchat offices or data centers are strictly prohibited.
Social engineering of Stripchat’s employees, contractors, or support staff is strictly prohibited.
Compromising, taking over, or attempting to gain access to another user’s or employee’s account is strictly prohibited.
The Stripchat Bug Bounty Program, including its policies, may be modified, suspended, or terminated at any time without prior notice.
By continuing to participate in the program after changes have been posted, you agree to the modified Program Rules and associated policies.
To qualify for a reward under the Stripchat Bug Bounty Program, you must be the first Finder to identify and responsibly report an unknown vulnerability in accordance with this Policy.
Publishing, discussing, or otherwise sharing details of a vulnerability report, internal communication, or any confidential information about the program without authorization will result in immediate removal from the program and loss of “Safe Harbor” protection.
You must be the first person to report the vulnerability.
The reported vulnerability must demonstrate a clear security impact to a Stripchat asset as defined in the Scope.
Rewards are granted at Stripchat’s sole discretion and are not legally guaranteed.
Vulnerabilities must be reported within 24 hours of discovery.
Each valid report must include:
A clear description of the issue and steps to reproduce it (Proof of Concept or PoC).
The affected URL(s) and parameters.
Browser, operating system, and/or app version details.
An explanation of the potential impact (e.g., “How could this vulnerability be exploited?”).
Screenshots, logs, or PoC attachments are highly recommended to support the report.
Reports that include only a video PoC without written reproduction steps will not be accepted.
Stripchat will reward only the first validated and reproducible report that leads to a fix. If multiple reports describe the same root cause or are resolved by the same mitigation, they will be considered duplicates, regardless of the attack vector.
Stripchat will make reasonable efforts to inform the Finder if a report is determined to be a duplicate. If your report is closed as a duplicate, you will not be invited to the original report to preserve program confidentiality.
Do not discuss this program or any vulnerabilities (even if resolved) outside the HackerOne platform without explicit written consent from Stripchat.
Even informative or duplicate reports are not eligible for public disclosure under any circumstances.
You must follow [HackerOne’s Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines).
Unauthorized public disclosure of any vulnerability, report, or related communication, including posting technical details, screenshots, or proof-of-concept code, will result in permanent removal from the program and immediate loss of Safe Harbor protection.
Stripchat will make the best effort to adhere to the following response targets:
| Type of Response | Business days |
|---|---|
| First Response | up to 2 days |
| Time to Triage | up to 10 days |
| Time to Bounty | up to 14 days |
| Time to Resolution | depends on severity and complexity |
We’ll try to keep you informed about our progress throughout the process.
Testing may be performed by both unauthorized (guest) users and authorized users (regular users or models).
All testing must be conducted using accounts that you have created yourself, in accordance with Stripchat’s Terms of Service and platform rules.
Every HTTP request sent during testing must include the following header:
HackerOne: <your_handle>
This helps us identify legitimate testing traffic and prevents automated defenses from being triggered.
Bugs with no realistic security impact or that do not lead to unauthorized access, data exposure, privilege escalation, or other meaningful risk.
Broken links, typos, content/UX issues, SEO or accessibility problems, and general product/feature feedback. Please report these to support.
Reports of spam, unsolicited messages, or content moderation issues, unless they demonstrate a security control bypass or enable mass abuse.
Content spoofing, minor text injection, or UI formatting issues that do not lead to XSS, credential theft, privilege escalation, or another demonstrable security impact.
Missing security best practices by themselves (e.g., weak or outdated SSL/TLS configuration, missing HSTS header, missing CAA records, incomplete Content Security Policy) unless they can be chained to a clear, reproducible exploit.
Missing “HttpOnly” or “Secure” cookie flags, missing or incomplete email records (SPF/DKIM/DMARC), and other similar configuration items unless a practical exploit is demonstrated.
Software version disclosure, banner information, descriptive error messages, stack traces, or other informational disclosures that are not accompanied by a working exploit.
Issues that only affect outdated or unpatched browsers, obsolete platforms, or unsupportable client configurations.
Self-XSS, reflected XSS with no impact, or XSS that cannot be exploited in the context of Stripchat (no sensitive action, no users targeted).
CSRF on forms that perform no sensitive action and have no realistic exploitation scenario.
Clickjacking on static pages with no clear impact.
Tabnabbing and other UI tricks with no demonstrated security impact.
Open redirects that cannot be turned into a phishing/abuse scenario or chained to a significant security impact.
Password policy guidance, account recovery policies, or other authentication best-practice suggestions without a demonstrated security exploit.
Rate limiting or brute force issues on non-authenticated endpoints (unless a clear end-to-end exploit is shown).
Session timeout or other purely operational session management details without accompanying exploitability.
Reports that result in denial of service (DoS) to Stripchat servers at network or application layers are out of scope.
DoS testing against production is prohibited.
If you can demonstrate a novel vector that does not rely on heavy load but produces a reliable availability impact, contact us first via HackerOne to discuss; such cases are reviewed on a case-by-case basis.
Server errors (5XX) or other errors that occur only because of the attacker’s crafted request are out of scope unless they can be demonstrated to enable information disclosure, privilege escalation, or other direct security impact.
Physical attacks against offices or data centers, attempts to gain physical access to user devices, and MITM attacks requiring physical access are out of scope.
Social engineering of Stripchat employees, contractors, or support staff is strictly prohibited and out of scope.
Issues limited to confirmation email content, formatting, or delivery, unless they enable account takeover, session hijacking, or disclosure of sensitive information.
Vulnerabilities in third-party software, services, or protocols that are not controlled by Stripchat are out of scope unless a direct, reproducible impact on Stripchat’s systems or users is demonstrated.
Tests against cloud provider infrastructure, third-party payment processors, analytics platforms, or other external services should be reported to the respective vendor unless there is a clear and exploitable effect on Stripchat.
Previously patched public zero-day vulnerabilities with an official vendor patch released less than 30 days ago will be considered case-by-case.
Reports that reproduce a vulnerability that has already been reported, fixed, or otherwise mitigated are considered duplicates and are not eligible for any reward, even if discovered independently after the fix was applied.
However, if a previously fixed vulnerability reappears due to code regression or the mitigation is bypassed through a new method, such reports may be considered new valid findings and rewarded at Stripchat’s discretion.
Reports based solely on automated scan output without manual verification or a working Proof of Concept (PoC) are considered low quality and are out of scope for rewards.
Leaks of data cached in search engines or public web archives.
Issues that require unrealistic or unlikely user interaction to exploit.
Accessing content that is already publicly accessible via a known URL (e.g., restricted content reachable only by guessing a published URL) unless exploitation demonstrates a security control bypass.
Misconfigured CORS policies or weak CORS findings, unless they can be exploited to exfiltrate data, steal sessions or credentials, or otherwise impact user security.
Tests performed against environments or services for which no Vulnerability Disclosure Policy exists (e.g., some cloud providers) — confirm scope before testing.
All security testing activities conducted in good faith and in accordance with this Policy are considered authorized under Stripchat’s Bug Bounty Program.
Stripchat will not initiate legal action against you for research performed within these guidelines.
If a third party initiates legal proceedings in connection with your authorized research, Stripchat will take reasonable steps to make it known that your actions were conducted in compliance with this Safe Harbor policy.
Please note that Safe Harbor applies only when testing is performed responsibly and within scope.
Activities that intentionally violate this Policy, such as accessing, modifying, or destroying data without permission, testing out-of-scope systems, or disclosing vulnerabilities publicly without authorization, will result in immediate loss of Safe Harbor protection and potential removal from the program.
All rewards are issued exclusively through the HackerOne platform in accordance with its payment policies.
You can review HackerOne’s payout documentation in the HackerOne Platform Documentation Portal.
Participation in this program is governed by this Program Policy as well as the following HackerOne agreements:
Finder Terms and Conditions, General Terms and Conditions, Code of Conduct for Finders, and Vulnerability Disclosure Guidelines (collectively referred to as the “Agreements”).
Any terms used but not defined herein shall have the meanings set forth in those Agreements.
Current and former employees of Stripchat, its affiliates, subsidiaries, agencies, partners, and their respective employees, as well as immediate family members, may report vulnerabilities responsibly but are not eligible for monetary rewards.
For the purposes of this Policy, Immediate Family includes spouses, partners, siblings, parents, children, grandparents, grandchildren, in-laws, adopted relatives, and any individuals residing in the same household, whether related or not.
All participants must comply with applicable local and international laws and regulations related to vulnerability research and disclosure.
On behalf of the entire security and engineering team, thank you for helping keep Stripchat safe.
[See all hackers](/stripchat/thanks)

| # | Hacker | Reputation |
|---|---|---|
| 1 | [datph4m](/datph4m?type=user) | 284 |
| 2 | [alp](/alp?type=user) | 179 |
| 3 | [sensiblesentimentos](/sensiblesentimentos?type=user) | 164 |
| 4 | [grumpinout](/grumpinout?type=user) | 147 |
| 5 | [kratoslegacy](/kratoslegacy?type=user) | 123 |
| 6 | [mr_anksec](/mr_anksec?type=user) | 121 |
| 7 | [r0nz](/r0nz?type=user) | 101 |
| 8 | [sharp488](/sharp488?type=user) | 100 |
| 9 | [nismo](/nismo?type=user) | 98 |
| 10 | [riyane](/riyane?type=user) | 86 |
| 11 | [geej](/geej?type=user) | 68 |
| 12 | [pomme](/pomme?type=user) | 57 |
Stripchat
https://stripchat.com
Stripchat is an international adult website and social network featuring free live-streamed webcam performances, often including nudity and sexual act
Bug Bounty Program launched in Oct 2025
Response efficiency: 99%
[Submit without Report Assistant](/stripchat/reports/new?type=team&report_type=vulnerability)
| Metric | Value |
|---|---|
| Total bounties paid | $26,620 |
| Average bounty | $200 |
| Top bounty range | $800 - $2,500 |
| Bounties paid (90 days) | $1,800 |
| Reports received (90 days) | 344 |
| Last report resolved | a month ago |
| Reports resolved | 50 |
| Hackers thanked | 51 |
| Assets In Scope | 2 |
© HackerOne