Security

Reporting Vulnerabilities

If you believe you've found a security vulnerability in the Privy platform, please let us know. To report a security vulnerability securely, please email the report to

vulnerability-reports@privy.com


All valid reports will be investigated and receive a reply.

You can encrypt communications with the team using our PGP key. The key fingerprint is: 8099 E9C3 A8D2 5E6E 5751  198F EBD4 0FAD 1208 7DBA

Security Bounties

While Privy does not participate in a formal bug bounty program, we award tokens of our appreciation for original, valid, responsibly disclosed security bugs.

Bounties are awarded at our discretion and paid out via PayPal.

Bounty exclusions

Please note that Privy excludes certain classes of vulnerability reports from this program, as our experience indicates they do not represent significant threats to our users or our platform.

  • XSS and self-XSS from custom HTML and JavaScript in the display designer, tracking and conversion pixels, and audience targeting.
  • Information disclosure issues related to campaign assets or discount codes.
  • Theoretical attacks or missing security headers, without proof that they are exploitable.
  • Brute force attacks (on passwords, tokens, coupon codes, etc.).
  • Attacks that require physical access to a user's device.
  • Issues related to managing an account's email address.
  • Clickjacking / iframe security issues.

This list is not exhaustive, and we may add to it from time to time. More about excluded reports.

Acknowledgements

We are pleased to recognize security researchers who have responsibly disclosed issues to our team.

2018

  • Daniel McLaughlin
  • Ali Razzaq
  • Dushyant Sahu

2017

  • Waqar Vicky
  • Shubham Pathak
  • Nitin Goplani
  • Mohd Haji
  • Sumit Sahoo