Security is very important to us and we appreciate the responsible, private disclosure of issues.
We pay $100 USD per accepted bug. Once we receive the bug reports we will take up to 14 business days to review and reply to them. If they meet our criteria we will pay $100 USD per unique bug reported.
The following bug types are specifically excluded from the bounty:
- Any reports for 3rd-party systems
- Descriptive error messages (e.g. Stack traces, application or server errors)
- HTTP 404 codes/pages or other HTTP non-200 codes/pages
- Banner disclosure on common/public services
- Disclosure of known public files or directories, (e.g. robots.txt)
- Clickjacking and issues only exploitable through clickjacking
- Self-XSS and issues exploitable only through Self-XSS
- CSRF on forms that are available to anonymous users (e.g. the contact form)
- Tab nabbing ( see Google's response )
- Stripping EXIF data from uploaded images
- Logout Cross-Site Request Forgery (logout CSRF)
- Presence of application or web browser "autocomplete" or "save password"
- Issues that require physical access to the device to carry out the exploit
- DMARC configuration not in quarantine or reject mode
- Wordpress XMLRPC or Rest API scripts not deleted (they are disabled as much as our host will allow)
- Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.
Any duplicate bug reports that we have previously received will be excluded.
Any bug reports for which the fix is not feasible will be excluded.
When submitting a bug report please use firstname.lastname@example.org email and include as much information as possible (steps to reproduce, an explanation of why it is a bug, etc.).
Videos are encouraged.