We recognize and reward security researchers who help us keep users safe by reporting vulnerabilities. Monetary bounties for such reports are at our sole discretion, based on a variety of factors, including (but not limited to) impact, ease of exploitation, and quality of the report.
If we pay a bounty, the typical reward ranges from $50 to $100 and will be sent by PayPal. For duplicate reports, we only reward the first person to submit the report. Note that extremely low-risk issues may not qualify for a bounty.
To potentially qualify for a bounty, you need to follow these rules:
Don't access, modify, or delete data from any other user's account;
Don't perform any attack to harm the reliability/integrity of our services or data;
Allow a reasonable amount of time for us to respond to your report before publicly disclosing details of your exploit.
We will NOT pursue legal action against security researchers who follow the rules outlined in this page and responsibly disclose vulnerabilities to us.
Spam or social engineering techniques;
Bugs that don’t affect the latest version of modern browsers (Chrome, Firefox, Edge, Safari). Bugs related to browser extensions are also out of scope;
Denial of Service (DoS);
User / email enumeration;
Any kind of XSS (cross-site scripting);
Any kind of CSRF (cross-site request forgery);
Any kind of content injection; content spoofing; or HTML injection;
Insecure cookie settings for non-sensitive cookies;
Strict-Transport-Security or other HTTP response headers;
DNS or Email (SPF/DKIM/DMARC/PTR) configurations;
Bugs requiring extremely unlikely user interaction;
UI/UX bugs or spelling mistakes.
Please send an email to firstname.lastname@example.org, and provide full details of the vulnerability, including detailed steps on how to replicate it, so that we can validate your report.
Please allow up to 48 hours for an initial response. Also realize that spam filters and email in general can sometimes be problematic.
If you do not want to be publicly thanked on our website (or elsewhere), please let us know in your report email that you want your submission to be confidential. We can still provide rewards for confidential submissions if requested.