Rippling is, first and foremost, a security company. We understand that transparency is an important part of security, and we pride ourselves on working with the security community to identify and address vulnerabilities promptly.

Rippling encourages responsible disclosure of vulnerabilities with a bug bounty program

Bug bounty eligibility guidelines:

  • The vulnerability must have a clear security impact.
  • The vulnerability must be disclosed only to Rippling.
  • The vulnerability must not be a duplicate with a previous report.
  • You must not exploit the vulnerability to cause an adverse effect on other users, including gaining access to or modifying data of other users without their permission.
  • Vulnerabilities on 3rd party services and vulnerabilities requiring physical access, social engineering, or brute force are generally out of scope for the bug bounty program.
  • Rippling reserves the sole right to determine the eligibility and severity of the vulnerability and its bounty reward.

Please send reports to
and include the details necessary to reproduce the issue

For particularly sensitive information, you may use the following GPG key: