Smallpdf Bug Bounty Program

Bug Bounty Scope

The following websites are within the scope of the program:

Non-Intrusive Submissions Handling

The following section encompasses submission of the vulnerabilities that do not require intrusive testing as per Open Bug Bounty rules:

General Requirements:

Keeping user information safe is a top priority and a core company value for us at Smallpdf. We always welcome the contribution of external security researchers who put our security to the test. If you believe you have found a security vulnerability that might affect our users, please let us know right away via the openbugbounty platform or [email protected]. We will investigate all reports and do our best to quickly fix valid issues.

Testing Requirements:

Applications in Scope

In Scope for this Policy are the domain smallpdf.com and subdomains (*.smallpdf.com), with all its servers and services, the Smallpdf Desktop application, and the Smallpdf mobile applications (Android and iOS).


Responsible Disclosure

To encourage the discovery and reporting of vulnerabilities and increase user safety, we ask that you:

- Share the security issue with us in detail;
- Please be respectful of our existing applications. Spamming forms through automated vulnerability scanners are explicitly out of scope;
- Give us a reasonable time to respond to the issue before making any information about it public. We are committed to patching vulnerabilities within 90 days or less, but we may request additional time to address an issue when appropriate, usually in cases where a third party is involved and a coordinated response is required;
- Do not access or modify our data or our users’ data, without explicit permission of the owner. Only interact with your own accounts or test accounts for security research purposes;
- Contact us immediately if you do inadvertently encounter user data. Do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local information upon reporting the vulnerability to Smallpdf;
- Act in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our services (including denial of service);
- Otherwise comply with all applicable laws.


Out-of-scope Vulnerabilities

While we encourage any submission affecting the security of Smallpdf, unless evidence is provided demonstrating exploitability, the following examples are considered out-of-scope:
- Attacks that require physical access to a user’s device;
- Reports from automated tools or scans;
- Reports of spam (i.e., any report involving ability to send emails without rate limits);
- Any report that discusses how you can learn whether a given username, email address has a Smallpdf account (username enumeration);
- Any circumvention of our limitations;
- Being able to upload files with wrong file type;
- Social engineering of Smallpdf employees or contractors;
- Any physical attempts against Smallpdf property or data centers.

Possible Awards:

- $128 for small impact reports
- $256 or $512 for more impactful and serious reports.

Special Notes:

Consequences of Complying with This Policy

We will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Acceptable Use Policy, we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.

If legal action is initiated by a third party against you and you have complied with this policy, Smallpdf will take steps to make it known that your actions were conducted in compliance with this policy.

Other Submissions Handling