Evolving Our Trusted Bounty Program: Twilio Adds Safe Harbor to Bug Bounty

October 16, 2018

Founded by engineers, Twilio has always sought to cultivate a diverse internal engineering culture while enabling a strong external community. Since its founding 10 years ago, Twilio has provided scalable services and empowered over 2 million developers to build great things on our platform.

Twilio is dedicated to providing our customers with a trusted platform where their data is protected. While we have a skilled security team working hard to accomplish this goal, we have seen the positive effects of crowdsourcing proactive help from external security researchers, encouraged by our bug bounty program, to improve our defenses.

Hackers act as “the Internet’s immune system” when they find vulnerabilities and responsibly disclose them to the correct parties before they can be maliciously exploited. When responsible and seasoned hackers find these issues, all users of the platform benefit. Twilio launched its bounty program in April 2014 and began to reward skilled researchers when they discovered vulnerabilities in our systems. We are proud to say the program has been effective and our infrastructure is more secure as a result, with over 250 vulnerabilities disclosed and rewarded.

Our program relies on the goodwill and well-being of white-hat hackers. In the past, some well-intentioned researchers participating in various other programs have found themselves threatened with legal action, and even prosecuted criminally, after responsibly disclosing significant vulnerabilities in systems. Such actions have had a harrowing and discouraging effect on the hacker community. Fear and uncertainty have inhibited top-quality research. As a result, many companies have made commitments to put those fears to rest by agreeing not to prosecute researchers.

Today, Twilio is announcing the adoption of a safe harbor clause in our program’s terms of service to further enable researchers! All those engaging in our bug bounty, acting in good faith, and abiding by the explicit rules, can do so with the peace of mind that Twilio will not bring legal action against them, ever.

We have been inspired by the countless individuals who have publicly voiced their opinions to advance this cause. We appreciate the work of the #legalbugbounty project in promoting this idea and calling everyone to action, and we are proud to announce our adoption of a safe harbor clause in line with the project’s goals.

Every day, more and more data is compromised and the responsibility to secure it continues to grow in importance. The task benefits substantially from the involvement of a motivated community with diverse expertise. Twilio believes in the power of these ethical hackers to improve our security program and is committing to improve their work environment by implementing this safe harbor clause. We encourage other corporations to adopt similar policies and reap the benefits of a responsible disclosure program.