There is a bug bounty! Chess.com will pay users who find the most severe vulnerabilities in our systems.
What kind of bugs do you pay for?
We do not pay a bug bounty for user interface, graphics, or data bugs which do not pose a security threat. However, reporting these bugs through our “Report a Bug” system in the Help menu allows us to regularly award free memberships to the Reporters who help us the most. Please read how to report these kinds of non-security bugs here.
We DO pay a bounty for severe vulnerabilities. "Vulnerabilities" are bugs which damage data or expose non-public data about our members or the company itself, or which allow a person who is not the owner of an account to act as the owner. Vulnerabilities may be minor to severe, and in some cases may require Chess.com to follow formal legal processes.
How much do you pay?
The reward depends on the severity of the bug, ranging from 80 USD up to 4000 USD for the most severe bugs.
You can read more about the details and the method for deciding the severity of bugs here.
How do I claim a bug bounty?
To claim a bounty for a vulnerability you have discovered, follow these steps:
Report your finding to bounties@chesscom.atlassian.net
You must report your finding to us first and exclusively.
Your report must include a proof of concept, working code, steps to replicate, or other documentation so that our technical teams can identify which systems are affected and how.
You must provide your real name and contact information for payment.
Only the first to submit a complete report on a given vulnerability will receive a bounty.
Payment will be made after the vulnerability is fixed and verified by our teams.
Regressions of previously fixed vulnerabilities will be paid at half price.
If you have any questions or concerns about this policy, you may reach out to bounties@chesscom.atlassian.net.