
Twilio
Bounty Range: $100 - $2,500
external program
Program guidelines
Platform Standards: Fully compliant with Platform Standards (https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards#h_e01bc643a8).
Top Response Efficiency: This program's response efficiency is above 90% (https://docs.hackerone.com/en/articles/8490880-response-target-indicators).
Managed by HackerOne. Collaboration enabled. Includes retesting.
Average time to first response: 7 hours
Average time to triage: 1 day, 9 hours
Average time to bounty: 1 day, 9 hours
Average time from submission to bounty: 2 days, 18 hours
Average time to resolution: 7 months, 3 weeks
Last updated on October 28, 2025. [View changes](/twilio/bounty_table_versions)
Each severity lists the 90-day average bounty and the percentage of total resolved reports, if applicable.
Severity | Avg. bounty | Share of submissions
--- | --- | ---
Low | $190 | 18.78%
Medium | $328 | 70.32%
High | $406 | 6.40%
Critical | $1,800 | 4.50%
Target group | Low | Medium | High | Critical
--- | --- | --- | --- | ---
Twilio Primary Targets | $100–$200 | $200–$700 | $700–$2,500 | $2,500–$8,000
Twilio Secondary Targets | $50–$100 | $100–$200 | $200–$500 | $500–$1,000
SendGrid Targets | $100–$150 | $150–$700 | $700–$2,000 | $2,000–$4,000
Authy/Verify Targets | $250–$500 | $500–$2,000 | $2,000–$4,000 | $4,000–$8,000
Segment Targets | $100–$300 | $300–$600 | $600–$2,000 | $2,000–$4,000
Other Targets | $100 | $100–$150 | $150–$200 | $200–$300
Many of our Twilio APIs are available in our [Postman collection](https://www.twilio.com/docs/openapi/using-twilio-postman-collections). Please confirm that your target is within scope before testing. Do not publicly store any sensitive information.
api.twilio.com
Twilio APIs
tsock.us1.twilio.com
.sip..twilio.com
[Twilio WebRTC Client](https://www.twilio.com/blog/get-started-webrtc)
[Twilio Console](https://www.twilio.com/console)
Twilio CDNs (static*.twilio.com)
twilio.com/blog
help.twilio.com
sendgrid.com
app.sendgrid.com
signup.sendgrid.com
api.sendgrid.com
mc.sendgrid.com
smtp.sendgrid.net
[Authy Android App](https://authy.com/download/)
[Authy iOS app](https://authy.com/download/)
[Twilio Authy API](https://www.twilio.com/docs/authy/api)
Access & Testing (Segment): Limit your use of scanner tests based on our technology stack. Our application is primarily powered by Node.js, React, and GraphQL. To test Segment you'll need to create a variety of data sources/destinations. We recommend using those that have a bug bounty program, such as Intercom, Twilio, Facebook, or Google. Services like Heroku can be valuable for creating resources such as Postgres instances to test our warehouse products.
Libraries (Segment): Segment provides libraries written in various languages to our customers (https://segment.com/docs/connections/sources/). We invite you to review the source code of our Website, Mobile, and Server Libraries, all of which are hosted on GitHub. Qualifying submissions must have a demonstrable impact and a realistic attack vector. Submissions that include a proposed fix will be easier for us to evaluate and reward.
app.segment.com
api.segment.io
[Source code of Website, Mobile, or Server Libraries](https://segment.com/docs/sources/)
Any host/web property verified to be owned by Twilio (domains/IP space/etc.) but not listed in the previous target groups and not listed as Out of Scope.
Twilio et al. uses a number of third-party providers and services. We will do our best to communicate and update our excluded submissions and out-of-scope list from time to time. Please note that the out-of-scope list is not exhaustive and Twilio may classify other submissions as excluded or out of scope at its sole discretion.
Twilio's [Vulnerability Disclosure Program](https://www.twilio.com/en-us/security/vulnerability-disclosure-program) is available for reports that do not qualify for our Bug Bounty Program.
Core Ineligible Findings are out of scope. [Learn more](https://docs.hackerone.com/en/articles/8494488-core-ineligible-findings)
Last updated on January 22, 2026. [View changes](/twilio/policy_versions)
Ensuring the security and integrity of the Twilio platform is critical to the service we provide to our customers. We are committed to providing a secure product and appreciate help from the community in responsibly identifying ways for us to improve Twilio. We will make an effort to respond as fast as possible.
Any place we reference Twilio also applies to M&As such as, but not limited to, SendGrid, Segment, and Authy. We will specify further when we intend a specific Product Target group. Bounties are awarded differently per product (see Target Groups for more details on payouts).
Bug Bounty Program: Our Bug Bounty Program through HackerOne is for experienced security researchers to identify and report vulnerabilities in our applications and internet-facing assets to earn rewards. Eligible findings may qualify for monetary bounties based on severity and impact. By participating, you help us strengthen our security while receiving recognition and compensation for contributions.
Vulnerability Disclosure Program: We are committed to the security and integrity of the Twilio platform and appreciate help from our community to identify and report vulnerabilities. Our Vulnerability Disclosure Program is open to you—whether you're a customer, professional security researcher (who does not meet the Bug Bounty Program requirements), or someone who has discovered a potential issue. While this program doesn't offer monetary rewards, your contribution is invaluable to us. [Submit a vulnerability disclosure](https://www.twilio.com/en-us/security/vulnerability-disclosure-program).
SendGrid abuse: If you would like to report abuse of SendGrid's service, please see our [spam/phish reporting page](https://sendgrid.com/report-spam/).
For all other security-related docs, requests, and more, please visit the Trust Centers at https://www.twilio.com/en-us/security and https://segment.com/security/.
Twilio expects all security researchers to follow the [HackerOne Code of Conduct](https://www.hackerone.com/policies/code-of-conduct).
Please follow all account/credential/asset naming requirements in the Access and Account Requirements section.
If you think you have found a problem but cannot prove it without accessing Twilio's Internal Systems, please submit your finding and we'll be happy to work with you for validation.
DDoS/DoS attacks (Network Level, Application Volumetric) are prohibited. If you find a request that takes too long to answer, report it to HackerOne.
Spam or phishing attacks are considered abuse and out of scope.
All automated testing should be throttled to prevent lockout.
Interacting with real customers is forbidden. Only test against accounts you have created.
Do not exfiltrate customer or employee data under any circumstance. Please contact us immediately if you think this is possible, or you have done so inadvertently. We will work with you to assess the full impact of the vulnerability and award appropriately.
Please do not open support tickets with Twilio. If you have any technical issues or questions, [work with us through HackerOne Support](https://support.hackerone.com/support/login).
Do not use personal emails for testing.
For the initial prioritization/rating of findings, this program will use the [HackerOne Report Severity](https://docs.hackerone.com/en/articles/8475343-severity). However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact.
NOTE: If a submission has a significant impact, bounty may be increased at Twilio’s discretion.
Requirement | Description
--- | ---
Accounts | Register with your @wearehackerone.com [email address](https://docs.hackerone.com/en/articles/8404308-hacker-email-alias)
Assets including Segment workspaces | hackerone--
POCs including npm packages | twilio-hackerone-poc- (Note: they should be deleted once the submission is triaged.)
Custom Request Header | X-Bug-Bounty: -twilio
Segment specific | Please see the Segment target section for more specific Segment-related details.
Please do not submit contact forms, create support tickets, send emails, etc. that will generate work for a human outside of the Twilio security team.
Twilio et al. uses a number of third-party providers and services. Our bug bounty program does not give you permission to perform security testing on their systems.
Please contact HackerOne support if you discover anything critical that falls in this area. We may consider reports on a case-by-case basis.
Denial of service or Rate limiting issues, including Resource Exhaustion attacks
Authentication weaknesses related to:
"Session too long," password reset/change logout or other intended business functionality
Forgot password auto-login
Login or Forgot Password page brute force attacks and account lockout not enforced
Non-existent or weak captcha / captcha bypass
Subdomain takeovers related to:
Subdomain takeovers of TLDs used for demo or test purposes
Malicious links created as part of SendGrid's [click and open tracking](https://www.twilio.com/docs/sendgrid/api-reference/link-branding) such as *.sendgrid.net, click.sendgrid.com, and email.sendgrid.com
All WordPress-related findings
OpenVBX related findings
Email validation not enforced. DMARC and SPF submissions unless on major domains
SSL/TLS Issues such as: BEAST, BREACH, SSL insecure cipher suites enabled
Vulnerabilities that are limited to older/unsupported browsers
Known vulnerabilities in libraries used by Twilio, usage of an outdated third party library (e.g. jQuery, Apache etc.) unless you can prove exploitability
CORS or crossdomain.xml issues on api.segment.io without proof-of-concept
Public repository or documentation vulnerabilities that fall under:
Note: These exclusions apply in addition to all of the above.
Dependency confusion attacks on public repositories. They may be considered on maintained, heavily used libraries
Vulnerabilities in archived public repositories
Vulnerabilities in public repos that have not had a commit in the last 2 years
S3 bucket takeover from docs or public repos, applies to all products
Broken link hijacking on old (documentation not maintained for 2+ years) or archived documentation
Hijacked Social media handles in the Twilio Blog that do not belong to Twilio will be treated as Informational findings
Please include the following information with your submission:
Description: Provide a detailed description of the vulnerability
Steps to Reproduce: Step-by-step information on how to reproduce
Proof of Concept: Screenshots or video
Impact: Business Impact - How does it affect Twilio?
Exploitability: How likely is this to be discovered and exploited?
Recommendations & References (Optional)
As mentioned under our Rules of Engagement: do not exfiltrate customer or employee data under any circumstance. Please contact us immediately if you think this is possible, or you have done so inadvertently. We will validate internally and work with you to assess the full impact of the vulnerability.
Leaked employee credentials and employee API keys will be rewarded appropriately.
Please note that researchers must comply with our rules of engagement, including those on rate limit tests and DoS tests. Twilio may ban accounts for suspicious behavior in accordance with our policies and processes. Please do not open up a support ticket with Twilio, but instead [create a ticket with HackerOne Support](https://support.hackerone.com/support/login) for assistance. Twilio may unban accounts, but only at Twilio's discretion.
Reports from a single researcher for similar bugs that involve one fix may be merged and receive a single reward. This will be done at the discretion of Twilio.
Unless specifically listed in scope, all Twilio acquisitions are out of scope. When in doubt, please [create a ticket with HackerOne Support](https://support.hackerone.com/support/login) with any questions.
Twilio does not permit public disclosure at this point in time. Exceptions will be made when the Twilio Security team decides to publish a CVE for vulnerabilities identified in desktop apps, mobile apps and SDKs, based on the severity of the identified issue. In case a CVE is published, we will reach out to the researcher for permission before mentioning them. The vulnerability will be mentioned at https://www.twilio.com/changelog.
Twilio follows an internal process when a vulnerability reported to us turns out to be an issue with a third party's technology, devices, or process.
If we are aware that the third party has a security disclosure program, we will recommend the researcher submit their report directly to that Third Party. If not, at Twilio’s discretion, Twilio will use commercially reasonable efforts to report the discovered vulnerabilities to the affected third party directly.
We will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Acceptable Use Policy, we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.
If legal action is initiated by a third party against you and you have complied with Twilio's bug bounty policy, Twilio will take steps to make it known that your actions were conducted in compliance with this policy. In the event that you engage in conduct that is inconsistent with or unaddressed by this policy, you must submit a HackerOne report prior to engaging in such conduct. Your submission will allow us to evaluate such conduct.
Please submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.
Twilio
Website: https://www.twilio.com/
X: https://x.com/twilio
Communications APIs with AI and data for SMS, Voice, Email | Twilio
Bug Bounty Program launched in Jan 2026
Response efficiency: 98%
Severity | Avg. bounty | Share of submissions | Reward range
--- | --- | --- | ---
Low | $190 | 18.78% | $50–$500
Medium | $328 | 70.32% | $100–$2,000
High | $406 | 6.40% | $150–$4,000
Critical | $1,800 | 4.50% | $200–$8,000
Total bounties paid: $26,732
Average bounty range: $200 - $300
Top bounty range: $500 - $1,500
Bounties paid (90 days): $26,732
Reports received (90 days): 1245
Last report resolved: a day ago
Reports resolved: 2931
Hackers thanked: 106
Assets in scope: 24