Twilio’s Bug Bounty Program: Where we are and where we’re going

April 27, 2020


At Twilio, we design security from the ground up—but we know that’s not enough. That’s why we have carefully implemented a bug bounty program as part of our security strategy portfolio. By tapping into the skills and talent of researchers from around the world, we gain the benefit of a broad pool of security professionals helping us keep Twilio safe.

We started our bug bounty program in 2015 and have been working with the larger security community to better protect Twilio and its customers ever since. Today, we have crossed an important milestone: paying almost $300k in bounties to the research community since inception.


Our bug bounty program to date

We want to look back and share how our program has matured over the years and provide a sneak-peek into what is coming in the near future.

  • Almost 1,300 researchers are participating in our bug bounty program
  • We received over 450 submissions in 2019. Of those, 50 were Priority 1 (P1), our top findings in vulnerability severity
  • We reduced the time to triage a finding from 6 days in 2015 to 3 days in 2019
  • We increased the maximum bounty to $8,000 for a P1 finding in core Twilio products. This is more than 3 times what we paid for a single finding in 2015
  • The total bounties paid increased 4 times from 2015 to 2019 from our public bug bounty program
  • Our average reward for a finding went up from $400 in 2015 to $1,500 in 2019
  • We implemented a Safe Harbor Program to better protect the researchers who help us build a more secure environment

We have opened up our bug bounty program to the public so that any researcher around the world can participate. We believe that more input from a broader group will serve the greater community. This was made possible by Bugcrowd’s top-notch team, who help triage submissions so our team can focus on remediations.

Thank you for all the bug bounty submissions

Over the years we have worked with talented security researchers and received really impactful findings, and we have even seen cases where researchers were awarded a Common Vulnerabilities and Exposures (CVE) identifier as part of their submissions to Twilio’s program. We want to take this opportunity to thank the security community for helping us keep Twilio and its customers secure.

There are three researchers in particular we want to acknowledge for their invaluable contributions:

In 2020, we will improve both the scope and researcher experience in our program. We plan to add Twilio SendGrid assets and features to Twilio’s bug bounty program scope, send regular program updates to researchers with new scope, make process improvements to reduce triage time, and provide credits for research within our enterprise products.

Get involved and help make Twilio a safer platform. Visit our bug bounty program page to get started.