Security

Reporting Vulnerabilities

If you believe you've found a security vulnerability in the Privy platform, please let us know. To report a security vulnerability securely, please email the report to

vulnerability-reports@privy.com


All valid reports will be investigated and receive a reply.

You can encrypt communications with the team using our PGP key. The key fingerprint is: 8099 E9C3 A8D2 5E6E 5751  198F EBD4 0FAD 1208 7DBA

Security Bounties

While Privy does not participate in a formal bug bounty program, we award tokens of our appreciation for original, valid, responsibly disclosed security bugs.

Bounties are awarded and sent at our discretion and paid out via PayPal.

Bounty exclusions

Please note that Privy does not consider the following to be security vulnerabilities:

XSS/script execution:

  • XSS and self-XSS from custom HTML and JavaScript in the display designer, tracking and conversion pixels, and audience targeting.
  • These allow merchants to run arbitrary browser code by design.

Information disclosure:

  • Information disclosure issues related to campaign assets or discount codes.
  • Privy makes no guarantee of privacy regarding merchant-provided assets (graphics, images, PDFs). Privy makes no guarantee that only intended recipients receive discount codes.