Security & vulnerability reporting
We treat security reports as the highest-priority work that lands in our inbox.
How to report
Email [email protected] with reproduction steps, the affected URLs and, optionally, a proof of concept (PoC). Encrypt sensitive findings with our PGP key at /.well-known/pgp-key.txt.
Our machine-readable policy lives at /.well-known/security.txt (RFC 9116).
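A quick way to confirm that a security.txt file actually meets RFC 9116 before relying on it (or before publishing one) is to check the mandatory fields offline. The checker below is an added example for this page, not the site's own tooling; the sample files it parses are constructed and use example.com, with the Encryption field pointing at the same /.well-known/pgp-key.txt path the page uses. It flags a missing or stale Expires, a Contact that is not a URI (an e-mail address needs the mailto: scheme), cleartext http links, and a Canonical list that does not include the URL the file was fetched from. OpenPGP cleartext-signature wrappers are skipped, not verified.

```python
"""Offline RFC 9116 security.txt checker (added example; constructed samples, example.com)."""
from __future__ import annotations

from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Field names from RFC 9116 (CSAF is a later registration in the same IANA registry).
KNOWN_FIELDS = {"acknowledgments", "canonical", "contact", "csaf", "encryption",
                "expires", "hiring", "policy", "preferred-languages"}
# Fields whose values must be URIs; a bare e-mail address is not one.
URI_FIELDS = ("contact", "encryption", "acknowledgments", "canonical", "policy", "hiring", "csaf")

# Constructed "today" so the samples below are checked deterministically.
REFERENCE_NOW = datetime(2030, 1, 1, tzinfo=timezone.utc)

SAMPLE_OK = """\
# Constructed sample, not a real deployment
Contact: mailto:[email protected]
Contact: https://example.com/security/report
Expires: 2030-06-30T00:00:00Z
Encryption: https://example.com/.well-known/pgp-key.txt
Canonical: https://example.com/.well-known/security.txt
Policy: https://example.com/security
Preferred-Languages: en
"""

# Constructed sample with three defects: bare e-mail, cleartext key URL, no Expires.
SAMPLE_BAD = """\
Contact: [email protected]
Encryption: http://example.com/pgp-key.txt
"""


def parse_security_txt(text: str) -> dict[str, list[str]]:
    """Lower-cased field name -> values in file order; comments and PGP armor skipped."""
    fields: dict[str, list[str]] = {}
    in_armor_header = in_signature = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "-----BEGIN PGP SIGNED MESSAGE-----":
            in_armor_header = True        # "Hash:" lines follow until a blank line
            continue
        if in_armor_header:
            in_armor_header = line != ""
            continue
        if line == "-----BEGIN PGP SIGNATURE-----":
            in_signature = True           # signature is skipped, not verified
            continue
        if in_signature:
            in_signature = line != "-----END PGP SIGNATURE-----"
            continue
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def parse_rfc3339(value: str) -> datetime | None:
    """RFC 3339 date-time with a UTC offset, else None."""
    try:
        parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    return parsed if parsed.tzinfo is not None else None


def check_security_txt(text: str, now: datetime | None = None,
                       fetched_from: str | None = None) -> list[str]:
    """Return RFC 9116 problems found; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    issues: list[str] = []
    for name in sorted(set(fields) - KNOWN_FIELDS):
        issues.append(f"{name}: not an RFC 9116 field, review this extension")
    if "contact" not in fields:
        issues.append("Contact: required, at least one entry")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        issues.append("Expires: required, exactly one entry")
    else:
        when = parse_rfc3339(expires[0])
        if when is None:
            issues.append(f"Expires: not an RFC 3339 date-time with offset: {expires[0]}")
        elif when <= now:
            issues.append(f"Expires: {expires[0]} is in the past, file is stale")
        elif when - now > timedelta(days=365):
            issues.append("Expires: more than a year ahead, RFC 9116 recommends under a year")
    if len(fields.get("preferred-languages", [])) > 1:
        issues.append("Preferred-Languages: at most one entry")
    for name in URI_FIELDS:
        for value in fields.get(name, []):
            scheme = urlsplit(value).scheme
            if not scheme:
                issues.append(f"{name}: not a URI (e-mail needs mailto:): {value}")
            elif scheme == "http":
                issues.append(f"{name}: cleartext http URI: {value}")
    canonical = fields.get("canonical", [])
    if fetched_from and canonical and fetched_from not in canonical:
        issues.append(f"Canonical: {fetched_from} not listed, file may be a stray copy")
    return issues
```

Run `check_security_txt(SAMPLE_OK, REFERENCE_NOW, fetched_from="https://example.com/.well-known/security.txt")` to get an empty list, and the same call on `SAMPLE_BAD` to get the three findings. Against a live site, pass `datetime.now(timezone.utc)` and the URL you fetched; a signed file still passes through the parser, but verifying the signature against the published key is a separate step.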
Safe harbor
We will not pursue civil action, criminal charges, or DMCA take-downs against researchers who:
- Make a good-faith effort to avoid privacy violations and service degradation;
- Use only their own test accounts;
- Do not exfiltrate data beyond the minimum required to demonstrate impact;
- Give us a reasonable window (90 days) to remediate before public disclosure;
- Comply with the disclose.io safe-harbor framework.
Bounty program
Eligible reports are rewarded according to impact and report quality. Rewards are paid by Stripe transfer or PayPal within 14 days of triage.
| Severity | Reward range (USD) | Examples |
|---|---|---|
| Critical | $2,500 – $10,000 | RCE, full account takeover, payment bypass |
| High | $750 – $2,500 | Cross-tenant data exposure, IDOR on sensitive resources |
| Medium | $200 – $750 | Stored XSS, CSRF on state-changing endpoints |
| Low | $50 – $200 | Self-XSS, information disclosure with limited impact |
Out of scope
- Denial-of-service tests against shared infrastructure
- Reports from automated scanners with no manual analysis
- Missing security headers without a demonstrable exploit
- Self-XSS that requires the victim to paste arbitrary code
- Vulnerabilities in third-party dependencies that we have not yet integrated
- Best-practice suggestions without a concrete impact
Hall of fame
We credit researchers who report valid issues here with their consent. Email [email protected] to be added or removed.