
Whatnot
Bounty Range: $300 - $10,000
external program
Program guidelines
Open Scope: Rewards reports for all owned assets based on impact, even if not listed in scope. [Learn more](https://docs.hackerone.com/en/articles/8490833-security-page#h_46a5b35ded)
Fast Payment: Ensures payment within 1 month of receiving a vulnerability report. [Learn more](https://docs.hackerone.com/en/articles/8490833-security-page#h_9c1fc6b7c0)
Gold Standard Safe Harbor: Adheres to Gold Standard Safe Harbor. [Learn more](https://docs.hackerone.com/en/articles/8494525-gold-standard-safe-harbor-statement)
Platform Standards: Fully compliant with Platform Standards. [Learn more](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards#h_e01bc643a8)
Top Response Efficiency: This program's response efficiency is above 90%. [Learn more](https://docs.hackerone.com/en/articles/8490880-response-target-indicators)
Managed by HackerOne · Collaboration Enabled · Includes Retesting
Average time from submission to bounty: 5 days, 21 hours
Bounty table last updated on June 4, 2025.
Each severity lists the 90-day average bounty and the percentage of total resolved reports, if applicable.
| Severity | Avg. bounty (90 days) | Share of submissions | Reward |
| --- | --- | --- | --- |
| Low | $300 | 18.84% | $300 |
| Medium | $1,000 | 30.43% | $1,000 |
| High | $5,000 | 31.88% | $5,000 |
| Critical | n/a | 18.84% | $10,000 |
Core Ineligible Findings are out of scope. [Learn more](https://docs.hackerone.com/en/articles/8494488-core-ineligible-findings)
Policy last updated on March 17, 2026.
Whatnot is a livestream shopping platform where people buy and sell in real time across categories like trading cards, sneakers, fashion, collectibles, and more. Sellers host live shows and auctions while buyers chat, bid, and purchase directly in the stream, turning shopping into an interactive community experience. Our mission is to enable anyone to turn their passion into a business and bring people together through commerce.
We invest heavily in securing our platform and the community that depends on it. Our security team continuously tests, monitors, and strengthens our systems as part of that commitment. This bug bounty program extends that work by partnering with the security research community to help us identify opportunities to raise the bar even further. We value responsible research and aim for transparent, timely collaboration.
| Type of Response | SLA in business days |
| --- | --- |
| First Response | 5 days |
| Time to Triage | 7 days |
| Time to Bounty | 30 days |
| Time to Resolution | depends on severity and complexity |
We will do our best to keep you informed about our progress throughout the process. Please refrain from contacting Whatnot's team out of band and allow us to review your submissions according to the timelines above.
As a participant in this program, please do not discuss any vulnerabilities (even resolved ones) publicly without express written consent from Whatnot. Public disclosure of any vulnerability is prohibited until (a) Whatnot has confirmed remediation, or (b) 90 days have elapsed from initial report submission, whichever is later.
Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).
Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
Social engineering (e.g. phishing, vishing, smishing) is prohibited.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder. Do not access, modify, export, or retain personal data beyond what is strictly necessary to demonstrate the vulnerability. If you encounter sensitive user data (including PII, payment information, or private messages), stop testing that vector immediately, do not save or share the data, and report the issue promptly.
We are primarily interested in vulnerability reports affecting our core service: the livestream shopping platform available at https://www.whatnot.com and through our official mobile applications (this includes the APIs they use: api.whatnot.com, live-service.whatnot.com, auction-service.whatnot.com).
When testing this service, please follow these rules:
You may test only with Whatnot account(s) that you own and control.
To be eligible for a bounty, you must create your account using your HackerOne email alias.
All researchers on HackerOne are assigned an email alias in the format [email protected], which automatically forwards to their registered email address.
If you need additional test accounts, you may use email aliasing by adding a plus sign (“+”) followed by any combination of words or numbers to your username. For example: [email protected]. This allows you to test different attack scenarios and account states without interacting with other users or creating multiple HackerOne accounts.
There are some exceptions. In cases such as unauthenticated requests, when the username itself is used as an injection point, or when testing alternative entry points (for example, email-based flows) where a @wearehackerone.com address cannot be used, please include the header: X-HackerOne-Research: [your H1 username]. If neither an email alias nor the header can be used, clearly and unambiguously reference HackerOne somewhere in your payload.
We also welcome reports concerning other Whatnot-owned assets where the findings provide meaningful value to the business. In most cases, this includes services operating under the *.whatnot.com domain.
Please note the following:
Some infrastructure within our domain relies on third-party services that we do not own or manage. We cannot authorize testing of these systems, and we are unable to remediate vulnerabilities identified within them. Issues affecting third-party infrastructure should be reported directly to the relevant provider through their vulnerability disclosure or bug bounty program.
We maintain non-production environments, including those associated with terms such as “stage,” “test,” “qa,” “load,” and “dev.” These environments may not have the same security controls or hardening measures as production systems. As a result, we may decline vulnerability reports affecting non-production environments unless the issue demonstrates a clear and meaningful impact to the business. Findings that would be considered valid in production may not be accepted in non-production environments.
Please rate-limit any automated tooling to a maximum of 100 requests per second, per unique endpoint. Limit of 10,000 total requests per day.
For any testing using our livestream feature please follow the below rules.
Creation of livestreams must be limited to 3 per month.
Livestreams must include "Test Stream" in the title to avoid customer confusion.
Livestreams must be limited to the #other category.
Livestreams must have a start time in the future so as not to clutter production.
Livestreams must be canceled and removed from the storefront after report submission so as not to clutter production.
Marketplace listings must be canceled and removed from the storefront after report submission so as not to clutter production.
If you cannot delete the livestream for some reason, please reach out to [email protected] to get it deleted.
Our rewards are primarily determined by the impact on our business. While severity generally aligns with CVSS (Common Vulnerability Scoring System) ratings, bounty amounts may be adjusted to reflect the real-world business impact of the finding.
| Severity (CVSS) | Critical (9.0 - 10.0) | High (7.0 - 8.9) | Medium (4.0 - 6.9) | Low (0.1 - 3.9) |
| --- | --- | --- | --- | --- |
| Bounty | $10,000 | $5,000 | $1,000 | $300 |
Critical:
Account takeover without user interaction
PII exposure (e.g., email addresses, physical addresses) affecting a significant number of users
Ability to generate or manipulate funds
High:
Account takeover requiring user interaction (e.g., XSS requiring a user to click a malicious link)
PII exposure under specific or limited conditions
Unauthorized modification of another seller’s inventory or livestream
Medium:
Low:
[Team Permissions](https://help.whatnot.com/hc/en-us/articles/30400729663885-Team-Permissions) - Role Escalation Vulnerabilities (This category may be added to scope in a future program update)
Clickjacking on pages with no sensitive actions
Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
Attacks requiring MITM or physical access to a user's device.
Previously known vulnerable libraries without a working Proof of Concept.
Comma Separated Values (CSV) injection without demonstrating a vulnerability.
Missing best practices in SSL/TLS configuration.
Any activity that could lead to the disruption of our service (DoS), destructive testing, or installation of backdoors or persistent access mechanisms.
Content spoofing and text injection issues without showing an attack vector or being able to modify HTML/CSS
Rate limiting or brute-force issues on non-authentication endpoints
Missing best practices in Content Security Policy.
Missing HttpOnly or Secure flags on cookies
Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]
Software version disclosure / Banner identification issues
Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.
Tabnabbing
Open redirect - unless an additional security impact can be demonstrated
Any user bug that is not a security vulnerability
Phishing attacks
Social engineering attacks
Flaws affecting out-of-date browsers and plugins
Whatnot supports the protection of security researchers engaged in Good Faith Security Research. ‘Good Faith Security Research’ means accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.
We consider Good Faith Security Research to be an authorized activity protected from adversarial legal action by us. We waive any relevant restriction in our Terms of Service or Acceptable Use Policy that conflicts with the standard for Good Faith Security Research outlined here.
This means that, for activity conducted while this program is active: (a) We will not bring legal action against you or report you for Good Faith Security Research, including for bypassing technological measures we use to protect the applications in scope; and (b) We will take steps to make known that you conducted Good Faith Security Research if a third party brings legal action against you.
You should contact us for clarification before engaging in conduct that you think may be inconsistent with Good Faith Security Research or unaddressed by this policy.
Safe harbor does not apply to activities involving: extortion or ransom demands; social engineering, phishing, or attacks targeting Whatnot employees or users; physical security attacks; use of insider access or stolen credentials; fraud, data theft, or sale of vulnerabilities to third parties; installation of backdoors or persistent access mechanisms; or any activity outside the stated intent to improve security. We reserve sole discretion to determine whether conduct qualifies as Good Faith Security Research.
We are not able to authorize security research on third-party infrastructure, and third parties are not bound by this safe harbor statement.
Thank you for being part of the work we're doing to keep Whatnot and our community safe.
Whatnot (https://www.whatnot.com, https://x.com/whatnot): Buy, Sell & Go Live. Bug Bounty Program launched in Mar 2026.
Response efficiency: 100%
| Program statistic | Value |
| --- | --- |
| Total bounties paid | $301,312 |
| Average bounty range | $500 - $2,000 |
| Top bounty range | $5,000 - $15,000 |
| Bounties paid (90 days) | $7,800 |
| Reports received (90 days) | 488 |
| Last report resolved | 8 days ago |
| Hackers thanked | 104 |
| Assets in scope | 7 |
© HackerOne