Reporting a vulnerability
Sourcegraph’s public bug bounty scheme is closed as of the 31st of March 2022. We are currently operating an invite-only HackerOne bug bounty program instead. If you have found a high or critical severity vulnerability in one of our products, please reach out to security@sourcegraph.com and we will assess whether the severity of the reported issue merits an invite to the program. Please note that a report to this email address is no longer considered a submission to the bounty scheme in itself.