Bug Bounty Program

Help us keep Glitch secure. Find vulnerabilities, report responsibly, get rewarded.

About the Program

Security is foundational to a self-hosted platform. When users trust Glitch with their home network, we take that responsibility seriously. Our bug bounty program rewards security researchers who help us identify and fix vulnerabilities before they can be exploited. We believe that transparent, community-driven security makes everyone safer.

This is a responsible disclosure program. We ask that you give us a reasonable window to investigate and patch any issue before public disclosure. In return, we commit to acknowledging your report promptly, keeping you informed throughout the fix process, and rewarding your work fairly based on the severity and impact of the finding.

Scope & Rewards

In Scope

The following components are eligible for bounty rewards:

Glitch Server (Node.js)
WebRTC Signaling
Authentication & Sessions
REST API Endpoints
Web Client
WebSocket Handlers

Out of Scope

The following are not eligible for bounty rewards:

Upstream libretro cores
Third-party dependencies (unless Glitch-specific)
Social engineering attacks
Denial-of-service (DDoS)
Physical access attacks
Issues in outdated versions

Reward Tiers

Severity | Reward              | Examples
Critical | $500 – $1,000       | Remote code execution, authentication bypass, server takeover
High     | $200 – $500         | Privilege escalation, arbitrary file read/write, save state manipulation
Medium   | $50 – $200          | Cross-site scripting (XSS), CSRF, information disclosure
Low      | Hall of Fame + Swag | Minor information leaks, verbose error messages, missing headers

Rewards are determined based on the vulnerability's real-world impact, exploitability, and the quality of your report. Exceptional reports with proof-of-concept code or detailed remediation suggestions may receive bonuses above the listed tiers.

How to Report

1. Find a Vulnerability

Test against the latest version of Glitch Server running locally. Use your own instance — never test against other people's servers or production infrastructure.

2. Email Us

Send a detailed report to security@glitchonline.com. Include steps to reproduce, affected components, potential impact, and any proof-of-concept code or screenshots.

3. Give Us 90 Days

Allow up to 90 days for us to investigate, develop a fix, and release a patch. We'll acknowledge your report within 48 hours and provide regular updates on our progress.

4. Get Rewarded

Once the fix is released, you'll receive your bounty reward and be credited in our security advisory and Hall of Fame (unless you prefer to remain anonymous).

Frequently Asked Questions

You are authorized to test any Glitch Server instance that you own and operate. Do not test against servers belonging to other users, and do not attempt to access data that isn't yours. If you follow our responsible disclosure guidelines, we will not pursue legal action against good-faith security research.

Emulator cores are maintained by the upstream libretro community and are out of scope for our bounty program. However, if you find a vulnerability in how Glitch loads, sandboxes, or communicates with a core through FFI, that is absolutely in scope. The integration layer is ours and we want it to be bulletproof.

Bounties are paid via PayPal or bank transfer within 30 days of the fix being released. For researchers who prefer it, we also offer GitHub Sponsors payments or equivalent-value merchandise and hardware from the Glitch store.

We reward the first reporter of a unique vulnerability. If you submit a report for an issue we're already aware of or actively fixing, we'll let you know. Duplicate reports are not eligible for monetary rewards, but we appreciate every report and may still offer recognition or swag for high-quality duplicates.

Found Something?

Report a vulnerability and help make Glitch safer for everyone.

Report a Vulnerability