PythonAnywhere offers a bounty for responsibly disclosed bugs. We determine the payout depending on the severity and impact of the submitted bug. We only pay out on the first report of a particular issue, so it's best if you contact us first to see whether we're already working on something.
Bug classes we're not really interested in
- "I can run code on your servers" - Yup. That's our business.
- Self XSS - If you can execute XSS-style attacks against your own account by uploading a file and then loading it in the browser, that's not particularly interesting to us.
- Auto-pwnage - "If I run this code it does something bad to my account/files/web apps"
Bug classes we're interested in
- General XSS, CSRF etc. - Can you get a user that is logged in to PythonAnywhere to do something malicious to their own account by e.g. having them follow a link?
- Cross-user exploits - Can you do something bad to another user on PythonAnywhere from your account? Unless you're a teacher doing something malicious to your students - there's an explicit trust relationship, there.
- Information leakage - Can you learn something private (see their files, access account information) about another user/account registered on PythonAnywhere?
Bug classes we're very interested in
- Session/cookie hijacking
- Privilege escalation in consoles, web apps and scheduled tasks
- Sandbox escape in consoles, web apps and scheduled tasks