Privacy & Support
Bugs
How to report
Please don’t scan, probe, or test without written permission. Unauthorized testing is prohibited. If you’re part of an approved program, follow the scope and rules in writing:
Rules
- No social engineering or physical attacks.
- Do not access user data beyond proof of impact.
- Include clear steps to reproduce.
- Allow 72 hours for confirmation.
In scope
- Auth + session handling
- Payment + token flows
- Public API endpoints
- Privilege escalation
Out of scope
- Rate limiting only
- Self-XSS without impact
- Third-party services
- DoS testing
Rewards
- Critical: $2,000 - $5,000
- High: $800 - $1,500
- Medium: $250 - $600
- Low: $100 - $200