🛡️ Superhuman (formerly Grammarly) Bug Bounty Program

Welcome, Hackers 👋

We’ve merged the Grammarly and Coda programs into a single unified program — Superhuman (formerly Grammarly).
We’re excited to continue working with the security community to help keep our users, data, and systems secure.

🌍 Our Story

Superhuman builds powerful, collaborative tools that bring words, data, and teams together — from the next generation of document creation (formerly Coda) to AI-enhanced writing and productivity tools (formerly Grammarly).

Security and privacy remain at the core of everything we build. We look forward to collaborating with researchers worldwide to identify and resolve vulnerabilities responsibly.

🧭 Program Scope

In Scope

*.grammarly.com
*.coda.io
*.superhuman.com (excluding Superhuman Mail — see below)
Browser extensions for Chrome, Safari, Firefox, and Edge
Desktop applications for macOS and Windows
Mobile apps and keyboards for Android and iOS

💡 Note: Vulnerabilities in the Superhuman Mail product are out of scope. We are working on logistics to create a new program for this.

⏱️ Response Targets

Stage	Target Timeframe
Time to first response	2 business days
Time to triage	4 business days
Time to bounty (after triage)	7 business days

We’ll keep you updated throughout the process.

🧩 Rules for Researchers

Be an ethical hacker and follow HackerOne’s disclosure guidelines.
Respect privacy — only interact with test accounts that you own.
Do not test or exploit bugs on real customer accounts. Doing so may reduce bounty awards by up to 50%.
No DoS, spam, or abuse of customer support channels to gain attention.
Do not use leaked customer credentials.
We will pay bounties for working employee credential leaks when properly demonstrated.
If you encounter user data inadvertently, stop testing immediately, report it, and purge all local data.
Submit one vulnerability per report (unless chaining is needed for impact).
Only the first valid report of a vulnerability will be rewarded.
Multiple issues stemming from the same root cause may be combined into one bounty.
Social engineering (phishing, vishing, smishing, etc.) is strictly prohibited.
Do not contact us through customer support channels or email. Any attempts to establish out-of-band communication will result in the report being closed as N/A and report to HackerOne.

🧪 Test Accounts

Create your own test accounts to explore and validate findings.

For Coda testing:
- Create a free account at https://coda.io/welcome.
- Use a Google or email+password sign-up.
- Append hackeronetester to your email (e.g., [email protected]) if you’re not using a @wearehackerone.com domain.
- Do not create more than 5 test accounts.
- Use only the free plan — do not use fake payment data.
For Grammarly/Superhuman testing:
- Use @wearehackerone.com to sign up.
- Append hackeronetester to your email (e.g., [email protected]) if you’re not using a @wearehackerone.com domain.

~~Need a specific subscription level? Contact us, and we’ll provide access as needed.~~ We are currently not providing free upgrades for testing. We will update when we plan to resume; please do not create support tickets requesting a subscription or related questions about bug bounties.

🚫 Out of Scope

When reporting, please consider exploitability and impact. The following are out of scope or non-qualifying:

Technical Exclusions

Apparent SSRF of /api/oembedResolve (uses Iframely)
Clickjacking on non-sensitive pages
Unauthenticated / logout / login CSRF
MITM or physical access–dependent attacks
Known vulnerable libraries without working PoC
CSV injection without clear exploit
Missing SSL/TLS, DNS, CSP, or header “best practices”
Content spoofing or text injection without HTML/CSS modification
DoS or service disruption attempts
Overly large payloads in docs
“Best practice” or theoretical issues

Business Logic & Policy Exclusions

Credential reuse from public dumps
Username/account enumeration
Promo/invite code or referral abuse
Account sharing or subscription misuse
Institutional or educational access code issues
Email verification or password complexity complaints

💰 Rewards

We reward based on the impact and severity of the vulnerability.
Final bounty amounts are at the discretion of the Superhuman Security Team.

Bounty tiers for different products:

Grammarly - Upto $30k
Superhuman - Upto $13k (Excludes Superhuman Mail)
Coda - Upto $3k

Duplicate reports (including known internal issues) will not be rewarded.
Multiple vulnerabilities from a single root cause may be combined into one payout.

⚑ CTF Challenge
The first hacker who reports the $FLAG saved in document ID 1198436185 under user [email protected] (user_id 1411519194) in Grammarly (Classic doc only) will earn a $100,000 bounty.
If it’s in scope, the challenge remains active — no need to ask for confirmation.

Legal

🛡️ Safe Harbor

We comply with HackerOne’s Golden Safe Harbor Standard.
Activities conducted in accordance with this policy will be considered authorized and exempt from legal action.

Learn more → Safe Harbor FAQ

Ineligible Participants

Former employees and contractors of Superhuman are ineligible for bug-bounty payments for 6 months after their employment ends.

✉️ Questions or Access Requests

Need additional test environments or subscriptions?
Reach us directly via your HackerOne submission or contact [email protected].

Thank you for helping keep Superhuman, our users, and the broader community safe.
We deeply appreciate your skill, curiosity, and professionalism — together, we’re building something truly secure 🚀