Doist bug bounty policy

Free

Premium

Business

The Doist bug bounty program is a critical component of our security efforts. We work hand-in-hand with folks who take the time to report issues that could put our customers’ security and privacy at risk.

If you've found vulnerabilities or security issues that we should know about, we'd love to work with you. You may even be eligible for a reward based on its severity.

Security Support Specialist Read our bug bounty program guidelines thoroughly to know which type of security issues we’ll be able to reward. Then, send a report using our contact form. Only reports submitted through our contact form will be considered for a bounty reward.

Program rules

Bug hunting can be a time-consuming process. To save time and effort when submitting your report, follow the bug bounty program rules:

Follow HackerOne’s disclosure guidelines.
Delete any test data or accounts you have created as part of the research.
Don’t attack or interact with customers.
Don’t engage with stolen customer data, including credentials.
Don’t use automated scans or testing, like DoS attacks.
Don’t use social engineering attacks, like phishing.
Don’t engage in physical testing of Doist employees or their equipment.
All information should be filled out in the report form. Please do not submit details in a separate document.

Any participant that doesn’t comply with the program rules are disqualified immediately.

Eligibility

You may be eligible to receive a reward if:

You’ve complied with all the program rules.
You're the first person to submit a specific product vulnerability.
The vulnerability is considered to be a valid security issue.
You can provide additional information to reproduce and address the issue.

These are the eligible targets for vulnerabilities and security risks:

www.todoist.com
app.todoist.com
www.twist.com
Latest versions of Todoist and Twist for macOS, Windows, Linux, iOS and Android

For testing purposes, use todoistbounty@protonmail.com as the victim account.

The Doist Bug Bounty team retains the right to decide if the submitted vulnerability is eligible.

Rewards

All bounty amounts are determined by the Doist Bug Bounty team. They evaluate each report and assign a severity level that determines the amount of the Todoist Pro time to be received. The Pro time can only be received on your personal Todoist account.

As of February 16, 2026, these are the rewards we offer:

Severity	Todoist Pro Time
Low	3 months
Medium	1 year
High	3 years
Critical	10 years

Issue severity

The severity levels are decided internally based on the type of vulnerability and potential impact. Here’s are sample reports for each severity level:

Severity level: None — no reward

Issues not related to security, such as non-200 HTTP response codes, EXIF metadata exposure, application or server errors, etc.
Issues related to bypassing plan limits or rate limits through parallel requests, or missing rate limits, unless it could lead to an exploitable vulnerability.
Issues involving AI prompt disclosure, such as obtaining or exposing the system prompts used in our AI features (e.g., Ramble).
Issues without a clear security impact, such as logged-out CSRF, missing HTTP security headers, SSL issues, password policy issues, session management issues or clickjacking on pages with no sensitive actions.
Issues affecting outdated applications or components, no longer in use or maintained.
Issues affecting third-parties, such as third-party apps or services we use (e.g., Firebase, ZenDesk).
Issues involving Spam or Social Engineering techniques, such as SPF and DKIM, and lack of DNSSEC.
Issues involving server information disclosure, namely `X-Powered-by` and `Server` response headers. Exceptions may exist whenever disclosed information contains a server version with an associated CVE disclosure.
Issues involving server-side request forgery (SSRF) on services that perform active requests by design, unless it is proven that sensitive information can be leaked.
Issues related to users uploading files containing malicious code (e.g., viruses or malware). Reports about vulnerabilities in the file upload mechanism itself are still in scope.
Bugs requiring exceedingly unlikely user interaction. (eg. account takeover through SSO login).
Reports that require privileged access to the target's devices or that are otherwise outside our control. These include but are not limited to: access to browser cookies and/or other tokens used to impersonate the user, access to user's email address, etc.
Clickjacking issues that occur on pre-authenticated pages, or the lack of `X-Frame-Options`, or any other non-exploitable clickjacking issues.
Cross-OriginResourceSharing (CORS) issues, where server does NOT respond with `Access-Control-Allow-Credentials: true` header.
HTML injection in areas requiring unlikely interaction.
Exposure of sensitive data on digital archives websites.
User email enumeration on sign up, log in, and forgot password pages.
Files available in URIs with a path starting with `/.well-known` (also known as well-known URIs).
2FA bypass through password reset.
Specific to client apps
- User data stored unencrypted
- Lack of obfuscation
- Runtime hacking exploits that involve manipulation of running code or its environment
CSV injection using Todoist template export feature which could be executed by the application opening the CSV file.

Severity level: Low

Open redirections
Server misconfiguration or provisioning errors
Information leaks or disclosure excluding sensitive user data
Cross-OriginResourceSharing (CORS) issues, where server responds with `Access-Control-Allow-Credentials: true` header to a request with 3rd party `Origin` header (i.e. not `*.todoist.com`, `*.twist.com`)
Reflected XSS
Mixed content issues, if the target URL doesn't respond with a 'Strict-Transport-Security' (aka HSTS) header. The risk still exists but is limited to a single interaction per domain/subdomain (depending on HSTS value). Web browsers have been transitioning to an HTTPS default, further mitigating this problem.
Other low-severity issues

Severity level: Medium

CSRF / XSRF
SSRF to an internal service
Stored XSS
Other medium-severity issues

Severity level: High

Information leaks or disclosure including sensitive user data
Other high-severity issues

Severity level: Critical

SQL injection
Remote code execution
Privilege escalation
Broken authentication
SSRF to an internal service, resulting in critical security risk
Other critical-severity issues

Submit a report

Ready to submit your bug bounty report? These are the steps:

Open the Doist Bug Bounty contact form.
Provide a detailed report that includes:
- Clear reproducible steps
- Impact on our products or customers
- Any test accounts you may have used
- Test data you gathered from your tests
- A video proof of concept demonstrating the vulnerability
Report independent vulnerabilities in separate reports.
Give the report a clear title that describes the vulnerability.
Click Send to submit your report.

Any report without clear reproduction steps or that includes only proof of concept video may be ineligible for a reward.

Get in touch

If you have any issues with the Bug Bounty contact form or have general questions about the bug bounty program that are not addressed here, get in touch with us.