Facebook / Instagram Thank you for your reply. This issue has been discussed with the Facebook Security Team, and it is not eligible for the bug bounty program. It doesn't appear you are able to connect this to a specific Facebook user. Being able to tell if a user visiting your site is logged in, does not appear to have any significant security risk. All the same, we appreciate your report and look forward to your future bug bounty submissions. Twitter: Thank you for your report. While this looks interesting, I don't see how this issue poses a security risk to Twitter or its users. As such, I'm afraid this issue doesn't qualify for a reward under this program and will be closed. Thank you for thinking of Twitter Security Yahoo: Thank you for your submission. This is a known issue as brought up in a presentation by Jeremiah Grossman. We may investigate how to improve upon this in the future. Square: Thank you for your report. We have decided that this issue represents minimal risk and therefore no code or configuration change will be made. Dropbox: thanks! We are accepting the risk for now.