Bug Bounty and Vulnerability Reports

Webflow values the work done by security researchers and responsible internet users in improving the security of our products and service offerings. We are committed to working with this community to verify, reproduce, and respond to legitimate reported vulnerabilities. We encourage the community to participate in our responsible reporting process.

Reporting Steps

For reporting vulnerabilities with the Webflow.com service (including the Webflow Dashboard, Designer, or Editor), or any Webflow published website (including webflow.io domains, and custom domains).

Please send issues directly to security@webflow.com using our PGP key. Please read the "Responsible Disclosure Guidelines" below before sending your vulnerability report.

For third party vulnerabilities we will forward them to the responsible owner and notify the reporter if appropriate.

Responsible Disclosure Guidelines

We will investigate legitimate reports and make every effort to quickly correct any vulnerability. To encourage responsible reporting, we will not take legal action against you nor ask law enforcement to investigate you providing you comply with the following Responsible Disclosure Guidelines:

  • Provide details of the vulnerability, including information needed to reproduce and validate the vulnerability and a Proof of Concept (POC).
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services.
  • Do not modify or access data that does not belong to you.
  • Give Webflow a reasonable time to correct the issue before making any information public.