Written by Suha Can, Chief Information Security Officer at Grammarly
At Grammarly, providing best-in-class writing support also means ensuring best-in-class security. A big part of our security-first mindset is maintaining internal safeguards—including programs and testing to identify and resolve issues before any occur. While our team strives to go beyond standard security practices to provide a service that is as secure as possible, we can’t do it alone. For additional assurance that our product stays ahead of security risks, we partner with ethical hackers to identify potential vulnerabilities before they become an issue.
Hackers collect over $200K in bug bounties
To ensure our customers always have the most up-to-date and secure version of our product offerings, Grammarly offers bug bounties—as high as $100K—to hackers in exchange for identifying critical security vulnerabilities. The more severe the exposure, the higher the reward paid to the hacker. Since 2018, Grammarly’s HackerOne bug bounty program has invited authorized hackers to join forces to help keep our websites, networks, exposed APIs, and cloud-native and mobile applications secure.
Helping to mitigate vulnerabilities and fend off potential attacks, the bug bounty program is essential for attracting the security expertise and resources of the ethical hacker community. To date, Grammarly has paid over $200,000 in bounties to hackers—the highest being $10,500—and resolved 130 valid reports. Our response time is 12 hours, and we take less than 17 hours to triage exposed issues. For more bug bounty stats, visit our HackerOne program page.
When it comes to helping protect user data, Grammarly Application Security Lead and top-ranked bug bounty hacker Vladimir S. understands the significance of our program. Before joining Grammarly, he was part of our ethical hacker program with HackerOne. When attempting to identify security vulnerabilities by hacking the Grammarly browser extension, Vladimir was so impressed by our dedication to security that he expressed interest in joining us. Bringing his impressive skillset and commitment to protecting customer data, he accepted a position as a software engineer on Grammarly’s Product Security team, where he helps us uphold the highest security standards for our product offerings.
$100K bounty set for Capture the Flag winner
A vital component of the bug bounty program is our Capture the Flag game—also known as Grammarly’s CTF challenge. Instead of a free-for-all where hackers seek to expose vulnerabilities, it’s a unique challenge where “capturing the flag” requires bypassing multilayered defenses built around our document-storing service. In this case, the flag is a specific user document that hackers attempt to “steal” from Grammarly in order to collect the bounty.
With a $100K reward going to the first hacker who reports a critical vulnerability through HackerOne, the CTF challenge is our most extensive bounty program to date. Offering such a robust bounty is integral to recruiting the finest hackers to help keep our users and product offerings safe. If you’re a hacker who wants to build and test your skills by finding bugs in simulated real-world environments, take the CTF challenge. Our invitation is open, and the $100K bounty stands!
Celebrating the hackers who safeguard our data
On behalf of Grammarly, thank you to all the ethical hackers who identify vulnerabilities and help us successfully reduce the risk of security incidents. We know you have many bounties, and we are grateful for your time and efforts as we raise the bar to ensure the security of our customers’ data. Maintaining their trust is an organization-wide commitment and cultural approach all Grammarly team members share. Millions of people use Grammarly’s product offerings every day and—thanks to the diligence of our friends in the hacker community—every user can trust that our software is safe and secure.