Medium’s Bug Bounty Disclosure Program

The software security research community makes the web a better, safer place. We support their bug-hunting efforts with a bounty program.

To report a vulnerability, please email us at

See others who have made responsible disclosures here.

Qualifying Vulnerabilities

The following domains and apps are within the scope of the program:

To be eligible, you must demonstrate a security compromise on any of these domains using a reproducible exploit, including the following:

These vulnerabilities do not qualify for the bounty program.

Rules for You

Rules for Us


Based on the severity of the bug and the completeness of the submission, which we will decide at our sole discretion, we offer the following rewards:

Legal things & final notes

We deal only with principals, not vulnerability brokers.

If you reside in a country on a United States restricted export control list, or are on a United States state or federal criminal wanted list or restricted export control list, you are not eligible to participate in this program.

We will make the final decision on bug eligibility and value. This program exists entirely at our discretion and may be modified or canceled at any time. Any changes we make to these program terms do not apply retroactively. Thanks for helping us make Medium more secure.

