Cookie Bounty

Last updated on June 26, 2024

We at Sentry went on the path of removing all the non-essential cookies and other trackers (referred to as cookies throughout) from our public sites. Throughout the process we understood this is not an easy job and may be hard to maintain, therefore we encourage everyone to report the unexpected cookies they’ve found on our site. Valid reports will be monetarily rewarded.

Processes

Send your findings of cookies which are not listed in the Essential Cookies section of this policy to cookiebounty@sentry.io and include the following information:

• Name of the cookie(s)
• Domain of the cookie(s), note that is different from the domain of the page visitied
• URL of the page where the cookie(s) have been dropped
• Steps or tools to reproduce the cookie(s), if applicable
• Any Screenshots that can help us validate the report
• Your HackerOne username (you can create a free HackerOne account if you don’t already have one)
• Your preferred contact email (if different from the email you used for sending the report)

Once we receive and validate the report, we will invite you to our HackerOne program as we utilize the HackerOne platform to provide safe-harbor for both sides and handle bounty payouts.

🚨 To help us reduce false positives, please ensure your finding(s) can be reproduced in Chrome’s Incognito mode or Firefox Private Browsing with all extensions or plugins disabled. We also recommend you clear your cache before reproducing your result. Thank you!

Policies and Expectations

• Every valid report will be rewarded with USD $100.
• The same cookie found on different pages will be treated as a single valid report.
• Multiple cookies resulting from the same source will be treated as a single valid report.
  • e.g. a script that drops 3 cookies will be considered as one valid report, not 3.
• When duplicate reports occur, we only reward the first report that was received.
• Submissions for items not listed in scope will be considered on a case-by-case basis.
• The Cookie Bounty is not a bug bounty program, and is different from the Sentry Private Bug Bounty program. The policies of Sentry private bug bounty program do not apply to the Cookie Bounty program.
• We follow the HackerOne Safe Harbor standard and provide Safe Harbor protection for any reporters that follow our policies and processes.
  • This is the reason we asked for your HackerOne username.
  • You should contact us for clarification before engaging in conduct you think may be inconsistent with Good Faith Research or unaddressed by our policy.
  • Keep in mind we are not able to authorize research on third-party infrastructure, and a third-party is not bound by this safe harbor statement.

Scopes

In-Scope

• https://sentry.io
• https://blog.sentry.io
• https://help.sentry.io
• https://open.sentry.io
• https://status.sentry.io
• https://sentry.engineering
• https://sentry.design
• https://answers.sentry.dev
• https://fsl.software

Out-of-Scope

• Any cookie listed in the Essential Cookie List, as they are determined as essential to our sites.
• Any cookie found on Sentry owned sites not listed in the In-Scope section
• Cookies on any sites that are not hosted on a Sentry-owned or managed domain.
• Any cookie on non-public facing pages (e.g. pages that require authentication before you can access)
• Any cookie that is disabled or blocked by default

Essential Cookies

Cookies that are considered essential for our websites, and are out-of-scope for the Cookie Bounty.