We value that you disclose bugs found to us in a responsible manner to firstname.lastname@example.org, and encourage you to look for them. However, we do not have a paid bounty program running at the moment, so we cannot reward you with anything you find except our eternal gratitude.
While we encourage you to look for bugs, please adhere to the following rules to ensure service is not disrupted for other users.
- Do not attempt to gain access to someone else's account or data.
- Do not perform attacks that might impact service availability, like DDoS or spam attacks.
- Do not publicly disclose a bug before it has been fixed.
- Don’t use scanners or automated tools to find vulnerabilities. They’re noisy and we'll probably ban your IP address.
- Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
- When in doubt, ask.
As long as you adhere to the rules, we promise a human will respond within 1-2 business days and keep you updated as we work to fix the bug you found. We will not take legal action against you as long as you play by the rules.