---
title: Railway Bug Bounty
description: Railway pays researchers for valid security vulnerability reports. Submissions are scored against CVSS 3.1.
url: https://railway.com/bug-bounty
---

# Railway Bug Bounty

Railway runs an active bug bounty program for security researchers. If you've found a vulnerability in railway.com or the platform, email the report to bugbounty@railway.com.

Full program terms are in the policy PDF: https://railway.com/bug-bounty-program.pdf

## Rewards

- Bounty rewards are calculated according to the CVSS 3.1 scoring system (https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator).
- Some report types may receive a fixed reward or be evaluated case-by-case at the program owners' discretion.
- Valid reports are typically rewarded within 30 days of acceptance, often sooner.

## Eligibility

- Be at least 16 years old (with guardian permission if a minor in your jurisdiction).
- Not be employed by Railway or be an immediate family member of an employee.
- Not be in a country subject to US export sanctions or trade restrictions.
- Not be in violation of any law in connection with the program.

## The DOs

- Abide by the program terms.
- Respect privacy and avoid accessing, processing, or destroying personal data.
- Test only with your own personal/test accounts.
- Be patient and provide clarifications to questions about your report.

## The DO NOTs

- Don't leave any system in a more vulnerable state than you found it.
- Don't brute force credentials, run DoS/DDoS, upload shells, or backdoor systems.
- Don't publicly disclose a vulnerability without explicit consent.
- Don't social engineer Railway employees, customers, or partners.
- Don't exfiltrate or interact with data or accounts that aren't yours.

## Out of scope

Common out-of-scope reports include phishing/social engineering attempts, missing SSL/TLS hardening, output of automated scanners without a working PoC, rate limiting, open ports without an exploit, CSV injection, self-XSS, banner grabbing, and DDoS.

## Submit a report

- Email: bugbounty@railway.com
- Policy PDF: https://railway.com/bug-bounty-program.pdf

## Related

- Security overview: https://railway.com/security
- Terms of service: https://railway.com/legal/terms
- Privacy policy: https://railway.com/legal/privacy

