Bug Bounty Program

If you believe you have found a security issue or vulnerability, please submit the report to our security team by following the guidelines below.


In-Scope Targets:

Testing is only authorized on the targets listed as In-Scope. Any domain/property of Bright Security not listed in the targets section is out of scope. This includes any/all subdomains not listed above.

This program excludes (regardless of coverage indicated above):

  • Clickjacking
  • External SSRF
  • Anything related to Mail Server Domain
  • Misconfiguration (including email spoofing, missing DMARC, SPF/DKIM, etc.)
  • Brute Force attacks on our Login or Forgot Password pages
  • Account lockout enforcement
  • Internal IP address disclosure
  • Username / Email Enumeration
  • No Captcha / Weak Captcha / Captcha Bypass
  • Missing HTTP security headers
  • Cookie Issues
  • SSL Issues
  • Weak password policies (length, complexity, etc.)
  • Vulnerabilities primarily caused by browser/plugin defects and not representative of defects in the security of Bright Security’s platform
  • Vulnerabilities that require social engineering
  • WordPress “issues” such as xmlrpc that are mitigated by our hosting provider
  • Out-of-date browsers and plugins
  • Vulnerabilities in 3rd party applications that do not directly affect our data or service
  • Spam of any kind
  • Denial of service attacks
  • Issues already known by us or previously reported to us by others
  • Issues that we have determined to be of acceptable risk

Submissions containing issues related to the above list of exclusions will not be eligible for reward. If you have found a vulnerability that is excluded by our program, you may still report it as part of our vulnerability disclosure program.

Act responsibly

The rules of responsible disclosure of vulnerabilities include, but are not limited to:

  • Avoid accessing, exploiting, or exposing any customer data other than your own.
  • Avoid any action that may cause a degradation of our services, or will harm our customers (for example, overloading our systems).
  • Do not use any social engineering techniques, such as sending phishing emails to Bright Security’s employees, partners, or customers.
  • When methods are used that do not comply with your local law and/or the above-mentioned responsibility rules, enforcement authorities will be notified.


Our security team and engineers must be able to reproduce the reported security flaw. Make sure your report is clearly written and includes all the necessary information so we can reproduce the flaw. Please include:

  • Type of vulnerability 
  • When applicable, include the URL
  • The potential impact of the vulnerability
  • Step-by-step instructions to reproduce the issue, including any proof-of-concept or exploit code to reproduce
  • Screenshots and/or videos illustrating the vulnerability

Definition of a Vulnerability

To be eligible for a reward, your finding must be considered valid by the Bright Security security team. 


We base all payouts on impact and will reward accordingly. Please emphasize the impact as part of your submission.

We are particularly interested in:

  • Major exposures around customer data leak
  • Issues that result in full compromise of a system 
  • Business logic bypasses resulting in significant impact
  • Major operational failure (excluding Denial of Service related submissions)

Keep in mind:

  • Only one bounty will be awarded per vulnerability
  • If we receive multiple reports for the same vulnerability, only the person offering the first clear report will receive a reward.
  • Our reward system is flexible.
  • We have no minimum or maximum amounts as rewards are based on severity, impact, and report quality.
  • Vulnerabilities affecting our platform or platform-related plugins typically have a higher impact.  


You can contact us via to report any vulnerability or if you have questions about this program.

Disclosure Policy

Bright Security understands the importance of disclosure of vulnerabilities and we are happy to allow disclosure in certain instances.


  • You must receive explicit permission from Bright Security if you would like to disclose any finding or vulnerability. This includes any findings listed on the program exclusion list above.
  • You may not discuss any vulnerabilities with anyone or on any forum outside of Bright Security’s bug bounty program unless you have received permission from Bright Security.
  • Reports that are not considered valid vulnerabilities (Informative, Spam, etc) are not eligible for disclosure.
  • Only resolved reports are eligible for disclosure.
  • The request for disclosure must be made by the bug bounty hunter who originally reported the vulnerability to Bright Security.
  • Duplicate reports are not eligible for disclosure.

Requesting Permission

To request permission for disclosure, you may email
Bright Security has the right to approve or deny the request for any reason.

Violation of Terms

By participating in Bright Security’s bug bounty program, you are agreeing to this policy.

If any of the rules of this disclosure policy are broken, Bright Security has the right to take legal action against the person who violated the rules. That person will also be banned from all future participation in the Bright Security bug bounty program.
