Welcome to the AT&T Bug Bounty Program! This program encourages and rewards contributions by developers and security researchers who help make AT&T's online environment more secure. Through this program AT&T provides monetary rewards and/or public recognition for security vulnerabilities responsibly disclosed to us.
The following explains the details of the program. If you are new to our Program, please be sure to review the Program Guidelines, Program Exclusions, and Terms and Conditions, as well as the Reporting and Awarding Process prior to making a submission.
The AT&T Bug Bounty Program applies to security vulnerabilities found within AT&T's public-facing online environment. This includes, but is not limited to, AT&T’s websites, exposed APIs, mobile applications, and devices.
A security bug is an error, flaw, mistake, failure, or fault in a computer program or system that impacts the security of a device, system, network, or data. Any security bug may be considered for this program; however, it must be a new, previously unreported vulnerability in order to be eligible for reward or recognition. Typically, in-scope submissions will include high-impact bugs; however, any vulnerability that could realistically place the online security of AT&T, our customers, or the public at large at risk is in scope and might be rewarded.
Bugs which directly or indirectly affect the confidentiality or integrity of user data or privacy are prime candidates for a reward. Some characteristics that are considered when "qualifying" bugs include those that:
AT&T Bug Bounty Program Board members, at their sole discretion, determine which bugs are considered as candidates for a reward, as well as the final reward recipients. See the Awarding Process for further details.
There are categories of bugs which are definitively excluded from reward in the AT&T Bug Bounty Program:
In addition, the submitter:
Vulnerabilities that are disclosed to any party other than AT&T, including vulnerability brokers, will usually not qualify for a Bug Bounty reward. This includes both full public disclosure and limited private release.
There are constraints on who may participate in the AT&T Bug Bounty Program (the "Program"). In addition, there may be additional restrictions depending upon applicable local laws.