Bumble Bug Bounty Program

Program Overview

Bumble runs a bug bounty program on HackerOne. The program has 50 in-scope assets and is managed by HackerOne's triage team.

In-Scope Assets

Asset	Type	Max Severity	Eligible
351331194	APPLE_STORE_APP_ID	Critical	Bounty
403684733	APPLE_STORE_APP_ID	Critical	Bounty
6444040977	APPLE_STORE_APP_ID	Critical	Bounty
930441707	APPLE_STORE_APP_ID	Critical	Bounty
api.geneva-staging.com	URL	Critical	Bounty
app.geneva-staging.chat	URL	Critical	Bounty
app.geneva-staging.com	URL	Critical	Bounty
badoo.com	URL	Critical	Bounty
badoocdn.com	URL	Critical	Bounty
bma.badoo.com	URL	Critical	Bounty
bma.bumble.com	URL	Critical	Bounty
ccardseu1.badoo.com	URL	Critical	Bounty
ccardsus1.badoo.com	URL	Critical	Bounty
chatdate.app	URL	Critical	Bounty
com.badoo.mobile	GOOGLE_PLAY_APP_ID	Critical	Bounty
com.badoo.twa	GOOGLE_PLAY_APP_ID	Critical	Bounty
com.bumble.app	GOOGLE_PLAY_APP_ID	Critical	Bounty
com.bumblebff.app	GOOGLE_PLAY_APP_ID	Critical	Bounty
com.genevachat.staging	OTHER_APK	Critical	Bounty
com.hotornot.app	GOOGLE_PLAY_APP_ID	Critical	Bounty
corp.badoo.com	URL	Critical	Bounty
deeplinks.geneva-staging.chat	URL	Critical	Bounty
deeplinks.geneva-staging.com	URL	Critical	Bounty
eu1.badoo.com	URL	Critical	Bounty
gateway.geneva-staging.chat	URL	Critical	Bounty
gateway.geneva-staging.com	URL	Critical	Bounty
geneva-staging.chat	URL	Critical	Bounty
go.geneva-staging.com	URL	Critical	Bounty
hotornot.com	URL	Critical	Bounty
https://testflight.apple.com/join/Y4cHu289	TESTFLIGHT	Critical	Bounty
links.geneva-staging.chat	URL	Critical	Bounty
links.geneva-staging.com	URL	Critical	Bounty
m.badoo.com	URL	Critical	Bounty
meu1.badoo.com	URL	Critical	Bounty
mus1.badoo.com	URL	Critical	Bounty
payments.geneva-staging.chat	URL	Critical	Bounty
payments.geneva-staging.com	URL	Critical	Bounty
presence.geneva-staging.chat	URL	Critical	Bounty
presence.geneva-staging.com	URL	Critical	Bounty
router.geneva-staging.com	URL	Critical	Bounty
social.geneva-staging.chat	URL	Critical	Bounty
social.geneva-staging.com	URL	Critical	Bounty
sockets.geneva-staging.chat	URL	Critical	Bounty
sockets.geneva-staging.com	URL	Critical	Bounty
translate.badoo.com	URL	Critical	Bounty
us1.badoo.com	URL	Critical	Bounty
web.geneva-staging.com	URL	Critical	Bounty
www.bumble.com	URL	Critical	Bounty
www.geneva-staging.chat	URL	Critical	Bounty
www.geneva-staging.com	URL	Critical	Bounty

Out-of-Scope Assets

• blog.bumble.com
• brand.bumble.com
• honey.bumble.com
• shop.bumble.com
• thebeehive.bumble.com

Tips for Hacking Bumble

1. Read the policy — Understand what's in scope, out of scope, and any specific testing restrictions before you start.
2. Enumerate the attack surface — Use subdomain enumeration and directory bruteforcing to map all accessible endpoints.
3. Focus on high-impact bugs — Look for SQL injection, SSRF, and IDOR vulnerabilities first.
4. Test authentication flows — Check for OAuth misconfigurations and CSRF in login/signup flows.
5. Write clear reports — Include steps to reproduce, impact assessment, and suggested remediation. Use Burp Suite to capture evidence.

Frequently Asked Questions

How do I start hacking Bumble?

Sign up on HackerOne, read the program policy carefully, review the in-scope assets listed above, and start testing. Always stay within scope and follow responsible disclosure guidelines.

Does Bumble pay bounties?

Yes, Bumble offers monetary rewards for valid security vulnerabilities.

What types of vulnerabilities does Bumble accept?

Bumble accepts reports for vulnerabilities found in their 50 in-scope assets. Common accepted vulnerability types include XSS, SQL injection, SSRF, IDOR, authentication bypass, and RCE. Check the program policy for specific exclusions.