
HackerOne Vulnerability Disclosure Program

At RevenueCat, we enjoy working with the security community to ensure our platform is secure and your data is kept private. In pursuit of these goals, we accept vulnerability reports from security researchers and hackers through the HackerOne program. We offer "bug bounties" ranging from $250 for small bugs to $5000 for the most critical vulnerabilities.

Why This Program Exists

Whereas we maintain SOC2 compliance, take great care to fortify our infrastructure and services, and always prioritize the privacy of our customers and their users, we welcome the expertise of the security community writ large to ensure our security is flawless.

By collaborating through HackerOne, we can work quickly to identify and patch potential security vulnerabilities while offering security researchers financial compensation for their hard work.

How to Submit a Report

If you believe you've found a security vulnerability in any of our services, send us an email at hackerone@revenuecat.com with your full report.

You will receive an email inviting you to submit the report:

Submit a vulnerability report

You will then be directed to HackerOne to confirm your report and submit it to our program.

Program Guidelines

Act in good faith.

Our team carefully reviews each submission and verifies the severity and practical impact of the vulnerability. Repeated offenses of misleading reports will be marked as such, affecting your hacker reputation.

Provide detailed reports with reproducible steps.

If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.

Submit one vulnerability per report.

Unless you need to chain vulnerabilities to provide impact.

Social engineering (e.g. phishing, vishing, smishing) is prohibited.

We will mark such attempts in HackerOne, affecting your hacker reputation.

Respect the privacy of the program

As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.


We will acknowledge receipt of your report within 5–10 business days and work to deliver a bounty within 14 business days.

Thank you for helping to keep RevenueCat secure!