We invite security researchers to investigate vulnerabilities in Canva, so long as your research follows this responsible research and disclosure policy.
What you need to do
Avoid harm or risk to Canva, our users, or third parties.
This is common sense, but guidelines can be found below on what we’re not looking for.
Report through a legitimate channel.
This includes our bug bounty program or the form below.
Don’t disclose without our agreement.
Keep information about potential vulnerabilities confidential between yourself and Canva until Canva has verified the vulnerability, and has then had at least 90 days to resolve it.
What you can't do
No privacy violations.
Respect privacy by only using accounts you have created.
Nothing that degrades our service.
Examples include Denial of Service and modifying configurations. Instead, show deficiencies in any rate limiting through a well-targeted test.
No deletion or damage of resources.
Instead, limit damage to resources you create or own.
No creation or sharing of inappropriate content.
Just keep any content you generate as part of a proof-of-concept simple and respectful of others.
No lasting harm.
Avoid leaving persistent payloads, XSS or the like behind you. Instead, use non-harmful payloads, track what you do, limit who is exposed as much as possible, and clean up!
No targeting our staff, investors or physical environment.
This includes spear phishing and physical testing.
How we'll respond
If you follow these guidelines we commit to:
Not pursuing or supporting legal action related to your research.
Working with you to understand issues, and resolve them if Canva considers it necessary.
Taking steps to make it known that your actions were conducted in compliance with these guidelines if a third party initiates legal action against you in connection with activities in our progams scope.
As part of encouraging security researchers to put our security to the test, we offer a variety of rewards for doing so if:
The reported vulnerability is verifiable
It hasn't been reported already
You've conducted your activities in a manner consistent with our guidelines
Rewards are provided at Canva's discretion based on the severity of the bug and the quality of the report.