Envato Product Security

Security and privacy at Envato start with our values.

At Envato, we understand that security and privacy are important because we are in it for the community. This means we’re committed to working with our community, including through our security program to recognize helpful hackers that work with Envato.

Helpful Hacker Program

Our Helpful Hacker program allows our community to report product vulnerabilities to Envato. We operate the program based on the following principles:

Reporting a vulnerability

If you believe you have found a general security vulnerability in an Envato product, you can use this form to report the vulnerability to us. We will confirm receipt and follow up with verification and a target date for full disclosure following resolution.

For security issues related to your personal account you should contact our friendly Help Team.

Rules

Whilst investigating potential vulnerabilities, you must not:

If in doubt, get in touch first!

Scope

Included in scope are any products or services that reside under the following domains that are owned by Envato:

This program does not offer bounties or rewards, financial or otherwise. In recognition of our appreciation, Helpful Hackers will be added to either the Envato Systems Honor Roll or the Envato Author Item Honor Roll, depending on the scope of the vulnerability.

Qualifying vulnerabilities

While not exhaustive, this list provides some examples of what we class as a security vulnerability and will award Helpful Hackers for.

Non-qualifying vulnerabilities

If you are ever unsure about whether the vulnerability you are testing is questionable or may fall into the non-qualifying category, please get in touch with us for guidance.

Honor Roll - Envato Systems

Name Dates of reports
Hamza Mirawi — Linkedin
  • 22 May 2023
  • 26 February 2023
algisec1337 13 January 2023
Syed Sahel — Syed Sahel 10 December 2022
Muhammad Ali Azhar & Muhammad Mohsin Khan 12 October 2022
Nicolas Armua 25 June 2022
Zachary Sims — Zachary Sims 23 January 2022
Anil Bhatt — @anilbhatt934 24 December 2021
Xale Turkish Defacer — xalesecurity.wordpress.com 23 November 2021
Lunatio — lunatio.com
  • 18 October 2021
  • 15 October 2021
Luqman Hakim Yumnun — luqmanhakimy
  • 31 October 2021
  • 18 September 2021
Akansha Yadav 24 June 2021
Hassan Abbas Wadiwala 28 July 2021
Rahul Das Gupta — Rahul Das Gupta 27 July 2021
Radhika Mahato — RadhikaMahato4 05 July 2021
MD Ozaer (Crypt1cSoul) 05 July 2021
Abdeali — Abdeali 31 May 2021
Faizan Ahmad Wani — faizanwani20 29 May 2021
Arshad.U — Arshad.U 29 May 2021
Samprit Das — Samprit Das
  • 27 May 2021
  • 14 May 2021
Jay Kumar Pandey — Jay Kumar Pandey 24 May 2021
S Rahul — S Rahul 13 May 2021
Daniel Blindu 10 May 2021
Arjun Singh — Arjun Singh 23 Apr 2021
Abdelrahman Khaled — Abdelrahman Khaled 23 Apr 2021
IdZrack — IdZrack 22 Apr 2021
Ilham — rizzari13
  • 12 January 2022
  • 9 Feb 2021
Raghuveer Singh Chouhan — Shr3e
  • 9 Feb 2021
  • 8 Jan 2021
Syed Muhammad Uzair — @ghostuzair 31 Dec 2020
Roshani Pagare — roshani-p 26 Sep 2020 (x2)
Krishna Harishankar Yadav — krishna-yadav 14 Aug 2020 (x2)
Vijay Farswan 04 Aug 2020
Ashfaqul Haq — ashfaqul-haq 22 July 2020
Marek Jilek — mjilek.cz 19 June 2020
Hoang Quoc Thinh — www.vng.com.vn
  • 13 Jun 2021
  • 10 Jun 2020
Anas Khan 05 Jun 2020
Kamran Javed — kamranjaved 21 May 2020
Aditra Andri Laksana — @Wayc0de 16 May 2020
Santosh S Kumbhar 01 May 2020
Khaled Ben Ali — khaled-khaled 06 Apr 2020
Markos Bersimis — markbersimis 24 Mar 2020
Taha Smily — taha-smily 20 Mar 2020
Nitin Santosh Gavhane — nitin-gavhane 09 Nov 2019
Volodymyr "Bob" Diachenko — vdyachenko, @mayhemdayone 18 Oct 2019
Prakash Kumar Parthasarathy 15 Oct 2019
Eddie — zodiacgenie.com 8 Oct 2019
Rafid Hasan Khan — linkedin 3 Oct 2019
Hamza Farooqi — Hamza Farooqi, Hamza.Farooqii 29 Sep 2019
M. Arslan Kabeer — talha03066
  • 24 Sep 2019 (x4)
  • 10 Sep 2019
Wai Yan Aung — @waiyanaun9
  • 27 Feb 2021
  • 1 Jan 2020
  • 23 Sep 2019
Muhammad Fauzan 2 Sep 2019
Sohail Ahmed — mohammad.sohail.522 2 Aug 2019
Teguh Aprianto — teguh.co
  • 17 Jul 2019
  • 30 Jun 2019 (x2)
Mustafa Diaa — @c0braBaghdad1 23 May 2019
Ketan Madhukar Mukane — eSec Haxor 19 May 2019
Fabergé — hackerone.com/faberge 20 Mar 2019
Shady Gamal 21 Jan 2018
Sakhavat Ismayilov — fs-code.com 01 Oct 2018
RootBakar — Roholesi Talaohu 19 Sep 2018
Kirill Lemeshkin — ArtRecordsSoundWaves 31 Aug 2018
Abdillah Muhamad — abdilahrf.github.io 31 Aug 2018
Ibnu Batutah Zarizal — @batutahibnu17 26 Aug 2018
Rohit Dalvi — infovys.com 16 Jul 2018
NetSecAndy — @NetSecAndy1 14 Jul 2018
Syed Ashik Mahmud — ashthemes.com 12 Jul 2018
Abdelouahed Errouaguy — www.erropix.com 02 Apr 2018
I_am_botman — @botmaan 29 Mar 2018
Barrett Adams — @peewpw 8 Mar 2018
Muhammad Ibnuh — @ibnuhx 27 Feb 2018
Md. Nur A Alam Dipu — @Dipu1A 28 Jan 2018
Jaikishan Tulswani — @_iamjk 6 Jan 2018
Christian Hakizimana — kapp.rw 20 Dec 2017
Akalanka Ekanayake 9 Nov 2017
SerHack — serhack.me 28 Sep 2017
Vineet Kumar — Vineet Kumar 12 Sep 2017
Alexander Sidukov — @cyberopus 18 Aug 2017
Abdelali Khalfi — Abdelali 2 Aug 2017
Ivan Danilov — coderast 29 Jun 2017
Piyush Kumar — silverpoisionhub.blogspot.in 20 Jun 2017
Himanshu Rahi — himanshu.rahi.31 9 Jun 2017
Gamiel Xavier V. Manbiotan 30 May 2017
Shawar Khan — shawarkhanskofficial 22 May 2017
Mohammed Israil 7 May 2017
Alfie Njeru — the-infosec.com 4 May 2017
Gaurav Kumar — drago4344 2 May 2017
Syed Muhammad Abdul Karim 27 Mar 2017
Yasin Soliman — @SecurityYasin 8 Feb 2017
Kenan Genç — @hackergnc 7 October 2016
Dave Baker — dtbaker.net 1 October 2016
Alex Crivion — crivion.com 8 Sep 2016
Aaysha Khilji — @a1ksecurity 26 Aug 2016
Muhammad Abdullah — root.abdullah 03 Apr 2016
Eden Alon — eden.alon12 31 Mar 2016
Koen Rouwhorst — www.koenrouwhorst.nl 11 Jan 2016
Ramin Farajpour Cami — Saminray 8 Sep 2015
Syed Daniyal Bin Rashid — DaN1.mrcopypaste
SaifAllah benMassaoud — WhiteHatSecuri
4 Sep 2015
Ahmed Jerbi — Web Plus 3 Sep 2015
Zeeshan — zeex.zeeshan 27 Aug 2015
Sumit Sahoo — 54H00 5 Jul 2015
BALAJI P R — linkedin 30 Dec 2014
Sam Berson — @SamBerson 29 Oct 2014
Geert Smelt — @gasmelt 19 Sep 2014
Sajjad Hashemian — @skinodcom 11 Aug 2014
Mazen Gamal Mesbah — @MazenGamal 20 Aug 2014
Michael Wihl — gewora.net 31 Jul 2014
Tran Doan San — @doansan 2 July 2014
Bogdan Sergiu Dragos 7 June 2014
Kamil Sevi — @kamilsevi 20 May 2014
Amir Sohail 08 May 2014
Christy Philip Mathew — @christypriory 30 Apr 2014
Moujahed Jmal 05 Apr 2014
Mahadev Subedi 18 Mar 2014
Ahmad Ashraff 18 Mar 2014
Shpend Kurtishaj 11 Mar 2014
Abhishek Gahlot 1 Feb 2014
Chetan Soni — @iamchetansoni 25 Nov 2013
Janne Ahlberg 1 Nov 2012
Dejan Marjanovic 1 Dec 2011

Honor Roll - Envato Author Items

Name Dates of reports
Badshah — LinkedIn
  • 11 Feb 2023
  • 12 Feb 2023
Darshan Kulkarni — LinkedIn
  • 25 June 2022
Umair Farooqui — LinkedIn
  • 10 Feb 2022
  • 03 Aug 2022
Visse ☆ — visse
  • too many to list!
Sahil Gaikwad — LinkedIn 16 Dec 2020
Teguh Aprianto — teguh.co
  • 6 Nov 2020
  • 17 Jan 2020
Nirav Sikotaria — iamniravsikotaria
  • 17 Jan 2020
  • 6 Jan 2020
Aaryan Saharan — @aaryansaharan
  • 06 Jan 2020
  • 14 Jun 2019
  • 20 Apr 2019
Nils Putnins — seq.science
  • 19 Aug 2021
  • 28 May 2019
  • 10 Jan 2018
Ashik Mahmud ☆ — ashik685.me
  • 14 Jul 2018
  • 04 Jul 2018 (x4)
  • 1 Jul 2018 (x2)
  • 1 Jun 2018 (x2)
  • 27 May 2018
  • 5 Oct 2017
Deepak Holani — deepak.holani.5 3 Oct 2017
Anthony Briand — www.qurium.org
  • Nov 28 2018
  • Nov 14 2018
  • Jan 11 2018
  • Jun 8 2017
  • May 4 2017
Dawid Golunski — legalhackers.com 26 May 2017
Arbin Godar
  • 22 Feb 2017
  • 17 Oct 2016
  • 22 Sep 2016
  • 14 Sep 2016
  • 30 Aug 2016
João Pina — Twitter 16 Dec 2016
SWTE — on CodeCanyon 25 Nov 2016
rem1nd — @rem1nd_ 24 Oct 2016
Daniel Z 03 May 2016
Oszkar Bencsik 30 Mar 2016
Rahul Pratap Singh — 0x62626262.wordpress.com
  • 13 Mar 2016
  • 24 Jan 2016
  • 14 Jan 2016
  • 8 Jan 2016
Bevan Rudge — www.js.geek.nz 25 Mar 2015
Brett Chance — @uraniagroup 11 Sep 2014
Milan A Solanki 21 July 2014
Ajay Singh Negi — @AjaySinghNegi
Prashant Negi — @prashantnegi_
Mahipal Singh Rajpurohit
15 July 2014
☆ = over 10 successful reports