Bug Bounty Program

Have you discovered a security issue with or another Gusto property?

Please let us know immediately. We are committed to addressing security issues in a timely manner and will pay a bug bounty for your responsible disclosure.

Report to immediately with a detailed description of the issue and the steps to reproduce it. Include a supplementary video recording if you can. If you’d like a PGP key to encrypt your message, please email us and request one.

In-scope priorities

All content on any website, web application, or platform listed below (collectively, the “Properties”) qualifies for the Program:

  • *

Out-of-scope priorities

The sites, applications, platforms, and other properties listed below are out of scope and will not qualify for the Program. Please DO NOT test them:

  • * (Except for,, and, which are in-scope properties, as listed above)
  • (This is a production environment that will file irreversible forms to various government agencies and potentially move money to and from various bank accounts. Please use instead, which is our sandboxed environment.)
Non-Qualifying Vulnerabilities:

Depending on their impact, some reported vulnerabilities may not qualify for a reward. Although we do review each Vulnerability Report individually to determine whether a vulnerability is a Qualifying Vulnerability, below are some vulnerabilities that are unlikely to be Qualifying Vulnerabilities and are hence unlikely to earn a reward:

  • Best practices concerns

  • Clickjacking on pages with no sensitive actions

  • Content injection issues

  • Cross-site request forgery (CSRF) with minimal security implications (logout CSRF, etc.)

  • CSV injection

  • Flaws affecting the users of end-of-life browsers and plugins

  • Fraud issues (while we welcome you to submit reports on fraud issues, we do not offer Rewards for them at this time)

  • Invite/promo code enumeration

  • Issues relating to Password Policy

  • Legitimate content proxying and framing

  • Missing autocomplete attributes

  • Missing cookie flags on non-security-sensitive cookies

  • Missing security headers that do not pose an immediate security vulnerability

  • Non-technical vulnerabilities, such as the physical security of Gusto’s offices

  • Open ports without including a proof-of-concept demonstrating the vulnerability

  • Open redirects (provided, however, that we do ask that you submit reports on open redirects with high security impacts, such as stealing OAuth tokens)

  • Presence of banner or version information (provided, however, that if you believe that outdated software poses a legitimate security risk, please do report it to us)

  • Recently disclosed zero-day vulnerabilities - please wait four weeks before reporting these types of issues

  • Reflected file download (RFD)

  • Self-XSS that cannot be used to exploit other users (this includes having a user paste JavaScript into the browser console)

  • SSL/TLS scan reports (this means output from sites such as SSL Labs)

  • Stack traces that disclose information

  • Vulnerabilities as reported by automated tools without further analysis as to how they pose a risk to Gusto

  • Vulnerabilities reported through a broker

  • Vulnerabilities requiring physical access to a victim’s computer

  • window.opener-related issues