If you believe you've found a security vulnerability in the Privy platform, please let us know. To report a security vulnerability securely, please email the report to
All valid reports will be investigated and receive a reply.
You can encrypt communications with the team using our PGP key. The key fingerprint is: 8099 E9C3 A8D2 5E6E 5751 198F EBD4 0FAD 1208 7DBA
While Privy does not participate in a formal bug bounty program, we award tokens of our appreciation for original, valid, responsibly disclosed security bugs.
Bounties are awarded at our discretion and paid out via PayPal.
Please note that Privy excludes certain classes vulnerability reports from this program, as our experience indicates they do not represent significant threats to our users or our platform.
- Information disclosure issues related to campaign assets, or discount codes.
- Theoretical attacks or missing security headers, without proof that they are exploitable.
- Brute force attacks (on passwords, tokens, coupon codes, etc).
- Attacks that require physical access to a user's device.
- Issues related to managing an account's email address.
- Clickjacking / iframe security issues.
This list is not exhaustive, and we may add to it from time to time. More about excluded reports.
We are pleased to recognize security researchers who have responsibly disclosed issues to our team.
- Daniel McLaughlin
- Ali Razzaq
- Dushyant Sahu
- Waqar Vicky
- Shubham Pathak
- Nitin Goplani
- Mohd Haji
- Sumit Sahoo