Security

Bug Bounty Program. Find vulnerabilities, get rewarded.

Help us improve our security and earn rewards. We invite security researchers to responsibly test our systems. If you find a vulnerability, we will pay you for reporting it.

Rules

Ground rules

  • Test carefully: do not disrupt our services or use automated scanning tools.
  • Only use your own test account. Never attempt to access other users' accounts.
  • Notify us immediately if you gain access to our internal systems.
  • Keep your findings confidential until we have resolved the issue.
  • Only the first person to report a specific vulnerability receives the reward.

Scope

What we're looking for

We reward discoveries that represent real security risks. Rewards are higher for critical issues:

  • Unauthorized access to other users' data (simply confirming the existence of an account does not count).
  • Bypassing API security controls (e.g., rate-limit bypass, authentication bypass).
  • Cross-site scripting (XSS) vulnerabilities.
  • Remote code execution on our servers.
  • SQL injection or other injection attacks.
  • Authentication or session management flaws.

We only reward security vulnerabilities that could harm users or their data, not cosmetic bugs or broken features.

Exclusions

What we don't pay for

  • Denial of service (DoS/DDoS) attacks or brute force attempts.
  • Mixed content issues or SSL configuration problems.
  • Social engineering or phishing attacks.
  • Theoretical vulnerabilities without a working proof of concept.
  • Missing security headers or standard hardening settings (e.g., password policy, email verification).
  • Vulnerabilities in third-party services or dependencies outside our control.

Rewards

How we pay

The more critical the vulnerability, the higher the reward. There is no fixed cap. If you find something particularly serious or clever, we will reward you accordingly. Amounts are determined based on the potential impact of the vulnerability.

Payments are made in USD via PayPal after the vulnerability has been verified and resolved. Standard PayPal fees apply.

Report

How to report

  01. Submit: Fill out the report form below with a detailed description and proof of concept.
  02. Review: Our security team will review your report and respond within 7 business days.
  03. Resolution: We work on a fix. We may contact you for additional details.
  04. Reward: Once the vulnerability is verified and resolved, we process your reward in USD via PayPal.

Report a vulnerability

Fill out the form below with as much detail as possible. Include reproduction steps, impact assessment, and any proof of concept.