Bug Bounty Program

Earthlink looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe.


Our rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, 

and reward decisions are up to the discretion of Earthlink.

9.0 - 10.0


8.0 - 8.9


7.0 - 7.9


5.0 - 6.9


4.0 - 4.9


0.1 - 3.9


Disclosure Policy

  • let us know as soon as possible upon discovery of a potential security issue.
  • Respect privacy. Make a good faith effort not to access or destroy users data.
  • Be patient. Make a good faith effort to clarify and answer all Earthlink’s questions and inquiries.
  • Do no harm. Act for the common good through the prompt reporting of all found vulnerabilities.
  • Be cautious. During your research, if you think a test that you have to make will have a great impact on service or data integrity (data may be corrupted or completely destroyed), then you will need to inform Earthlink Security team in advance, and work with them to get specific approval and mitigate any potential damage that may occur.

Program Rules

Program Scope

  • Remote Code Execution
  • SQL Injection
  • Unrestricted File System Access
  • Significant Authentication / Authorization Bypass
  • Cross-Site Scripting (excluding self-XSS)
  • Cross-Site Request Forgery on critical actions (such as changing username/password)
  • Any vulnerability that affects our users/servers
  • DoS attacks

Out of scope vulnerabilities

  • CSRF on forms that are available to anonymous users (e.g. Contact Forms)
  • Self-XSS or XSS bugs requiring an unlikely amount of user interaction
  • Missing HTTP security headers, specifically: Strict-Transport-Security, X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, and Content-Security-Policy
  • Vulnerabilities affecting users of outdated or unsupported browsers or platforms
  • Reports of spam, phishing or security best practices
  • Tabnabbing
  • Email configuration issues (SPF, DKIM, DMARC)
  • Weak Captcha / Captcha Bypass
  • Forced Login / Logout CSRF
  • DDoS attacks
  • Spreading malware/virus into our network
  • Social engineering (e.g. phishing, vishing, smishing)

If you read our bug bounty program and still believe you found valid vulnerability please contact us at:

Scroll to top