Reporting a vulnerability

We at Sourcegraph value the security community and believe that responsible disclosure of security vulnerabilities in our product and tools helps us ensure the security and privacy of our users.

If you think that you have found a security or privacy vulnerability, please email us at We will reply to reports within 5 US business days to acknowledge that we received them, and will strive to send you regular updates on our progress until the issue is resolved. You may request an update by replying to the existing email thread. We will read, but may not respond to low quality or spammy reports (e.g. those produced by automated tooling). We welcome reports from everyone, including security researchers, developers, and customers.

Bug bounty

We provide monetary rewards, from $50 to $10,000 USD, for security vulnerability reports. The actual reward amount is determined based on the number of customers impacted, the difficulty of exploiting the vulnerability, the severity of the consequences (e.g. service disruption, data leakage, reputational damage to Sourcegraph) of a successful exploit, and the quality of the security report.

When a monetary bounty is presented, eligible reports will be based on the severity, as determined by CVSS v3.1. We will send payment via ACH, International wire, or check.

Safe Harbor

Sourcegraph commits to not pursuing legal action against researchers for actions conducted according to our policies and within the declared scope.


The following products and deployments are within scope for our Bug Bounty program:

The following targets and actions are out-of-scope:

  • Sourcegraph domains not listed in the in-scope section
  • Social engineering against Sourcegraph users and employees
  • Denial of Service
  • Credential Stuffing
  • SPF/DMARC reports
  • Spamming


Attack OutcomeMaximum Payout
You read or write to another user’s code$10,000
You take over another user’s account$5,000
You gain access to the internal Sourcegraph cloud network$2,500
You gain access to another user’s configurations$2,000
You find a misconfiguration that can lead to an exploit$500


All timelines below reflect US business days.

Type of responseTime to response
First response5 days
Time to initial investigation and assessment10 days
Time to bounty determination20 days
Time to resolutiondepends on severity and complexity
Time to payment90 days from the original report, or after confirmation of fix, whichever is first


We may choose to not issue a reward if any of the following apply:

  1. You engage in disruptive behavior on itself (e.g. spamming our system with requests, fake accounts, denial of service). Sourcegraph is open source software, so you can install a copy yourself and test against that instead.
  2. You report an already reported bounty, or one already in our roadmap.
  3. You publicly disclose a vulnerability before we confirm that it is OK to do so. We want to give our customers time to upgrade to a patched version before public disclosure.
  4. You report a vulnerability on an archived project. If a project is archived, that means it’s unmaintained, and will not be updated.
  5. You spam us with duplicate and/or low quality vulnerability reports (e.g. copy/pasting generic issues from automatic scanning tools).
  6. You are a current or former teammate at Sourcegraph (e.g. employee, contractor, intern).
  7. You are friends or family with a current or former teammate at Sourcegraph.
  8. You are a resident of, or make your Submission from, a country against which the United States has issued export sanctions or other trade restrictions (e.g., Cuba, Iran, North Korea, Sudan and Syria);
  9. You are in violation of any national, state, or local law or regulation;
  10. You are less than 14 years of age. If you are at least 14 years old, but are considered a minor in your place of residence, you must get your parent’s or legal guardian’s permission prior to participating in the program.

Submission requirements

For all submissions, please include:

  1. A full description of the vulnerability being reported. This includes the exploitability and impact.
  2. An explanation of all steps required to reproduce the vulnerability. This may include any or all of the following:
    1. Exploit code
    2. Screenshots
    3. Videos
    4. Traffic logs
    5. Complete web and API requests and responses
    6. Email address, or IP address used during testing

How we respond to security vulnerability reports

When we receive a report of a security vulnerability, a member of our security team determines if a reported vulnerability should be investigated by an engineer.

How we disclose security vulnerabilities

This policy is currently under review and will be updated by 31/10/2021

For every confirmed vulnerability in Sourcegraph or its products, regardless of severity, the Security team will:

  • Create a security advisory describing the vulnerability, impact to users and remediation. We currently publish GitHub Security Advisories in our GitHub repositories.
  • Request a CVE ID for each vulnerability.
  • Update the CHANGELOG with a reference to the CVE and advisory.
  • Inform the security updates mailing list.
  • Coordinate upgrades with customers for HIGH/CRITICAL issues.

If you find any past Sourcegraph vulnerabilities that were not disclosed this way please let us know.