Reporting a vulnerability

Sourcegraph’s public bug bounty scheme is closed as of the 31st of March 2022. We are currently operating an invite-only HackerOne bug bounty program instead. If you have found a high or critical severity vulnerability in one of our products, please reach out to and we will assess whether the severity of the reported issue merits an invite to the program. Please note that a report to this email address is no longer considered a submission to the bounty scheme in itself.