Bug Bounty Program

Security is a top priority for Ancestry. We employ a dedicated, highly skilled team that utilizes industry-standard tools and practices to safeguard your data and assets. We value the role of security researchers in identifying potential vulnerabilities on our site. If you discover a security issue or vulnerability on one of our sites, including www.ancestry.com; www.newspapers.com; www.findagrave.com; www.weremember.com; www.archives.com; www.fold3.com; www.progenealogists.com; www.genealogy.com; www.geneanet.org; www.geneastar.org; www.imemories.com or www.rootsweb.com, we urge you to report it to us by following the instructions provided below. Provided you adhere to all of these instructions and have not previously violated them, Ancestry and its affiliates will not pursue legal action against you.

Reporting Guidelines

If you believe you have discovered a security vulnerability on our site, please report it to us by emailing the following details to [email protected].

Out-of-Scope

  • Missing Best Practice Headers: Reports simply stating that Clickjacking protection (X-Frame-Options) or CSP (Content Security Policy) is missing, without a proof-of-concept (PoC) showing a real-world exploit.
  • Self-XSS: Cross-site scripting that requires a user to copy-paste malicious code into their own console.
  • Social Engineering/Phishing: Testing employees or customers via fake emails or phone calls.
  • Physical Security: Attempting to enter offices, data centers, or tailgating employees.
  • Denial of Service (DoS/DDoS): Any testing that degrades the service for legitimate users is strictly forbidden.
  • Spamming: Using automated tools to send thousands of emails through a "Share this page" feature.
  • Duplicate or Collateral Findings: Different exploits that lead to the same result or affect the same piece of code.
  • Parameter Variations: Exploiting ?id=123 versus ?user_id=123 on the same page.
  • Rate Limiting: Lack of rate-limiting protection reported on an endpoint.

When reporting a vulnerability, please include the following to help expedite your request:

  1. Vulnerability Description: A brief explanation of the issue.
  2. Domain: The affected domain.
  3. URL/Path: The specific URL where the vulnerability was found.
  4. Steps: Clear steps to replicate the issue.
  5. Evidence: Supporting images and/or video demonstrating the vulnerability.
  6. Contact Info: Your contact details so we can reach out with any questions.

Important Conditions for Disclosure:

  • No Third-Party Disclosure: Do not disclose the vulnerability to any third party while Ancestry is evaluating your report.
  • No Exploitation: Do not attempt, or enable others to attempt, to exploit the issue or interact with any user accounts or data that are not your own.
  • Data Clean-up Requirement: Automated scanning to inject payloads into public data is prohibited. All test data, except for that within your personal account, must be cleaned up.

Ancestry is committed to promptly reviewing reports that follow these guidelines. We appreciate your patience and cooperation as we evaluate and fix reported issues. We will contact you if we need further information.