SEMrush Security Info
Our vulnerability-reward payouts will go up to $3,000 USD for the most impactful exploits. If we accept your report, our minimum bounty is $50.
- Reflected XSS $100
- Stored XSS from $150 to $250
- SSRF from $300 to $1,000
- Security misconfiguration up to $500
- Broken authentication up to $1,000
- Injection and RCE up to $3,000
- Automated testing is not permitted.
- Follow HackerOne's Disclosure Guidelines.
- Test only with your own account(s) when investigating bugs, and do not interact with other accounts without the consent of their owners.
- When duplicates occur, we award the first report that we can completely reproduce.
- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
- We award bounties at time of validation, and will keep you posted as we work to resolve them.
- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
- We only accept the latest version of browsers for Google Chrome, Mozilla Firefox, Opera, Safari, and Edge.
- Any other issues related to software not under SEMrush's control
While researching, we'd like to ask you to refrain from:
- Denial of service
- Social engineering (including phishing) of SEMrush staff or contractors
- Any physical attempts against SEMrush property or data centers
- CSRF - site wide and known issue
The following bugs are unlikely to be eligible for a bounty:
- Missing DNSSEC settings (we're working it)
- Issues found through automated testing
- "Scanner output" or scanner-generated reports
- Attacks requiring physical access to a user's device
- Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, HTTP methods, cookie flags, or descriptive error messages
- Brute Force attacks
- Spam or Social Engineering techniques, including SPF/DMARC/DKIM issues
- Issues relating to Password Policy - strength, length, lock outs, or lack of brute-force/rate limiting protections
- Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV. Reflected file download attacks (RFD)
- SSL/TLS best practices that do not contain a fully functional proof of concept
- Tab nabbing and window.opener-related issues
- Vulnerabilities affecting users of outdated browsers, plugins or platforms
- Vulnerabilities that require the user/victim to perform extremely unlikely actions (i.e. Self-XSS)
- Bugs that do not represent any security risk - these should be reported to email@example.com
- IDN homograph attacks
When you test requests to API or with API key - be careful - change api key to test auth issues not cookies.
SEMrush Security Info
Security of data centers
Data center compliance
All data centers have all relevant best practice compliance certificates.
Physical security of data centers
Physical security of data centers is ensured through a number of measures, including strict control of personnel access to the data center premises, as well as access control of third parties.Also, access to data centers is regularly reviewed, activities and incidents are monitored on a 24/7 basis, CCTV recordings of physical access points to server rooms are provided, and electronic intrusion detection systems are in place.
Data centers manage climate and temperature to prevent overheating. They are equipped with automatic fire detection and suppression systems, and water leaks detection systems. In addition, electrical and mechanical equipment are monitored. All data centers are redundant and maintainable 24/7.
Uptime of the service
The infrastructure providers use commercially reasonable efforts to ensure a minimum of 99.8% uptime. The providers maintain a minimum of N+1 redundancy to power, network, and HVAC services.
Backup and replication strategies are designed to ensure redundancy and failover protections during a significant processing failure. SEMrush data is backed up to multiple durable data stores and replicated across multiple Availability Zones.
Where feasible, production databases are designed to replicate data between no fewer than one primary and one secondary database. All databases are backed up and maintained using industry-standard methods at a minimum.
Since SEMrush conducts its business around the world, we have several offices in different parts of the world. Our offices are located in four countries on two continents (USA, Russia, Czech Republic and Republic of Cyprus). Due to the distribution of offices, we take security very seriously.
Physical security of offices
All our offices are equipped with video surveillance and intrusion detection systems. Access to all office spaces is regulated by an access control system, and is guaranteed only to employees or visitors who have registered or temporary access cards. All visitors must be accompanied by responsible employees.
Each office meets all fire safety requirements and is equipped with a fire alarm and fire extinguishing systems.
Vetting employees before hiring
We prioritize information security when our employees process users’ data, so for all critical positions, we ensure that all staff members have been fully vetted before hiring . Furthermore, all employees go through several interview stages with our HR specialists.
All our employees sign a non-disclosure agreement before starting work.
We provide security awareness training for all new employees, as well as annually for all employees. Training is carried out both through an electronic platform, and materials and posters displayed at all offices.
We provide training for our product developers in accordance with OWASP best practice for secure programming. Every year , we hold the Capture the Flag (CTF) challenge for all developers.
Data in transit
SEMrush makes HTTPS encryption (also referred to as SSL or TLS) available on every one of its login interfaces. SEMrush HTTPS implementation uses industry-standard algorithms and certificates.
Data at rest
Stored information is protected by strong encryption. Data centers use AES-256 encryption for secure data storage, while employee endpoints are controlled using the MDM system. We use strong encryption methods to securely store information on our endpoints.
Network access control mechanisms are designed to prevent network traffic that uses unauthorized protocols from reaching the Services infrastructure. The technical measures implemented differ between infrastructure providers, and include Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules.
Staging, testing, and development environments are logically separated from each other. No personal or service data is used in testing or development environments.
Our Quality Assurance staff are responsible for continuous quality testing of our product. They also conduct basic security testing.
The Security team reviews parts of code stored in SEMrush source code repositories, checking for coding best practice and identifiable software flaws.
SEMrush conducts penetration tests every six months. The object of the penetration tests is to identify and resolve foreseeable attack vectors and potential abuse scenarios. In addition, the Security team conducts partial penetration tests of new features every week.
Bug Bounty program
A Bug Bounty program invites and incentivizes independent security researchers to ethically discover and disclose security flaws. SEMrush has implemented a Bug Bounty program in an effort to widen the available opportunities to engage with the security community and improve the service’s defenses against sophisticated attacks.
External threats protection
SEMrush has implemented a Web Application Firewall (WAF) solution to protect internet-accessible applications. The WAF is designed to identify and prevent attacks against publicly-available network services.
Single sign-on: We have integration with SSO SAML. SSO can be enabled at any time by contacting product support.
Two-factor authentication: Our product supports two-factor authentication. It can be easily enabled to make accounts more secure.
Interaction with contractors
In order to provide the service in accordance with DPA, SEMrush maintains contractual relationships with vendors. SEMrush relies on contractual agreements, privacy policies, and vendor compliance procedures in order to protect any data processed or stored by these vendors.
Supplier security verification
We have a security verification process for each supplier. This process is carried out using a mathematical model for calculating the cybersecurity rating (CSR).
GDPR and CCPA
Personal data retention
Users’ personal data is deleted once no longer necessary for the stated purposes. However, we must sometimes continue to store user data until the retention periods and deadlines set by the legislator or supervisory authorities expire. We may also retain user data until the statutory limitation periods have expired, provided that this is necessary for the establishment, exercise, or defense of legal claims.
SEMrush has designed its infrastructure to log extensive information about system behavior, traffic received, system authentication, and other application requests. Internal systems aggregate log data and alert appropriate employees of malicious, unintended, or anomalous activities. SEMrush personnel, including security, are responsive to known incidents.
SEMrush maintains a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, and support personnel; and appropriate resolution steps are identified and documented. For any confirmed incidents, SEMrush takes appropriate steps to minimize user damage and unauthorized disclosure, and to prevent future incidents.
Notification in case of incident
If SEMrush becomes aware of unlawful access to data stored within its services, we notify the affected users of the incident, provide a description of the steps that are being taken to resolve the incident, and provide status updates to the user, as necessary.
Security management and compliance
Security policies and procedures
We have developed policies that are communicated annually to all staff. We also have specific policies that are communicated to the personnel they affect. Policies cover the main areas of information security.
PCI DSS compliance
We have fully implemented and support all processes related to PCI DSS compliance. Once a year, we confirm our compliance by passing an independent QSA audit. As a result, we have achieved a PCI DSS Level 1 certificate. In addition, we have expanded the range of applicability of certain requirements of this standard to the entire company, including training for all employees, training for developers, data transfer and storage. A valid PCI DSS certificate can be found here.