Privately share details of the suspected vulnerability with Crowdin by sending an email to support@crowdin.com. Provide full details of the suspected vulnerability, so the Crowdin security team may validate and reproduce the issue.
On behalf of our thousands of users, we thank the named researchers for helping make Crowdin safer. View hall of fame
When submitting an issue, please provide a technical description that allows us to assess exploitability and impact of the issue.
Please review these terms before you test and/or report a vulnerability. Crowdin pledges not to initiate legal action against researchers for penetrating or attempting to penetrate our systems as long as they adhere to this policy.
While we encourage you to discover and report to us any vulnerabilities you find in a responsible manner, the following conduct is expressly prohibited:
We ask that you do not share or publicize an unresolved vulnerability with/to third parties. If you responsibly submit a vulnerability report, the Crowdin security team and associated development organizations will use reasonable efforts to:
Please note that by submitting us a vulnerability report, you grant us a perpetual, worldwide, royalty-free, irrevocable and non-exclusive license and right, to use, modify, and incorporate your submission or any parts thereof into our products, services, or test systems without any further obligations or notices to you.
We would be thankful for any further relevant technical information that you may have, especially if reproduction is tricky. If we cannot reproduce it, we cannot reward you. However, there is no need to describe the security impact of your finding - we understand security risks and we can figure that out. We only need technical details.
We maintain flexibility with our reward system; rewards are based on severity, impact, and report quality. For example, we can provide you with a coupon to get Crowdin Swag. Depending on what you discover, you may go onto the Crowdin Hall of Fame. If you would rather stay behind an alias (handle) or anonymous, we will of course respect that.
We do have specific things we are (and are not) looking for - so check What are we looking for.
If you report several issues that are duplicates in different parts of the service (e.g., the same code running on different nodes or platforms), or part of a larger issue, these may be combined into one and only one reward may be possible.
If someone else has already reported the finding earlier, we will let you know after the issue has been fixed. If several researchers report the same issue, we only reward the sender of the first report that provides us with enough technical details to reproduce the finding. We know that this would give us a loophole to claim that everything’s been already previously found, but trust us, we want to be fair.
A reward will not be provided if the finding becomes known by anyone else than you or us, in any way, before it is fixed.
You can always keep tracking of how your issue is progressing. Contact Crowdin Security team for this: support@crowdin.com