Security

Bug Bounty Program

Find bugs, get rewarded.

Help us improve our security and earn rewards. We invite security researchers to test our systems responsibly. If you find a vulnerability, we'll pay you for reporting it.

Report a vulnerability
Rules

Basic rules

  • 1Test carefully: don't disrupt our services or use automated scanning tools.
  • 2Use only your own test account. Never attempt to access other users' accounts.
  • 3Notify us immediately if you gain access to internal systems.
  • 4Keep any findings confidential until we've resolved the issue.
  • 5Only the first person to report a specific vulnerability receives the reward.
Scope

What we're looking for

We reward findings that represent real security risks. Bigger rewards go to more critical issues:

Unauthorized access to other users' data (merely confirming an account exists does not qualify).
Bypassing API security controls (e.g. rate-limit evasion, authentication bypass).
Cross-site scripting (XSS) vulnerabilities.
Remote code execution on our servers.
SQL injection or other injection attacks.
Authentication or session management flaws.

We only reward security vulnerabilities that could harm users or their data, not cosmetic bugs or broken features.

Exclusions

What we don't pay for

Denial-of-service (DoS/DDoS) attacks or brute-force attempts.
Mixed content or SSL configuration issues.
Social engineering or phishing attacks.
Theoretical vulnerabilities without a working proof of concept.
Missing security headers or standard hardening settings (e.g. password policy, email verification).
Vulnerabilities in third-party services or dependencies outside our control.
Rewards

How we pay

The more critical the vulnerability, the higher the reward. There is no fixed cap. If you find something particularly serious or clever, we'll compensate accordingly. Reward amounts are determined based on the potential impact of the vulnerability.

Payments are processed in USD via PayPal after the vulnerability has been verified and resolved. Standard PayPal fees apply.

Report

How to report

01

Submit

Fill out the vulnerability report form below with a detailed description and proof of concept.

02

Review

Our security team will review your report and respond within 7 business days.

03

Resolution

We work on a fix. We may reach out for additional details or clarification.

04

Reward

Once the vulnerability is verified and resolved, we process your reward in USD via PayPal.

Report

Report a vulnerability

Fill out the form below with as much detail as possible. Include steps to reproduce, impact assessment, and any proof of concept.