We invite security researchers to investigate vulnerabilities in Canva, so long as your research follows this responsible research and disclosure policy.
This is common sense, but guidelines can be found below on what we’re not looking for.
This includes our bug bounty program or the form below.
Keep information about potential vulnerabilities confidential between yourself and Canva until Canva has verified the vulnerability, and has then had at least 90 days to resolve it.
Respect privacy by only using accounts you have created.
Examples include Denial of Service and modifying configurations. Instead, demonstrate deficiencies in any rate limiting through a single, well-targeted test.
Instead, limit damage to resources you create or own.
Just keep any content you generate as part of a proof-of-concept simple and respectful of others.
Avoid leaving persistent payloads, such as stored XSS, behind you. Instead, use non-harmful payloads, keep a record of what you do, limit who is exposed as much as possible, and clean up afterwards.
This includes spear phishing and physical testing.