BugHunters — Bug Bounty Platform
    Back to Programs
    X (Twitter)

    X (Twitter)

    Social Media

    Global social media platform for real-time conversations, news, and public discourse with 500M+ monthly active users.

    https://x.com

    Max Reward

    $20,000

    Total Paid

    $3,100,000

    Resolved

    423

    Avg Response

    4 days

    In-Scope Assets

    x.com

    Web platform, timeline, and DMs

    X API

    REST API v2 and streaming endpoints

    X Mobile

    iOS and Android applications

    X Spaces

    Live audio conversations

    Out of Scope

    • Advertiser content
    • Third-party clients
    • Community Notes content

    Severity Levels & Rewards

    Critical

    RCE, authentication bypass, privilege escalation, fund extraction

    High

    Stored XSS, CSRF with impact, API abuse, data manipulation

    Medium

    Reflected XSS, data leakage, logic flaws, information disclosure

    Low

    Verbose errors, minor config issues, low-impact info disclosure

    Active Bounties (2)

    IDTitleSeverityStatusRewardSubmissions
    X-001DM content leakage via API pagination vulnerability
    High
    Open
    		$5,000–$15,0000
    X-002Account suspension bypass via API parameter manipulation
    Medium
    In Review
    		$1,000–$5,0001

    Rules of Engagement

    • Do not access, modify, or delete data belonging to other users.

    • Do not perform denial-of-service attacks or automated scanning at high volume.

    • Report vulnerabilities promptly and provide sufficient detail to reproduce.

    • Allow reasonable time for fix before public disclosure (90 days).

    • Safe harbor: We will not pursue legal action against researchers acting in good faith within these rules.