Privacy & Support

Bugs

How to report

How to report

Please don’t scan, probe, or test without written permission. Unauthorized testing is prohibited. If you’re part of an approved program, follow the scope and rules in writing: 

Report securely

Rules

Rules

  • No social engineering or physical attacks.
Rules
  • Do not access user data beyond proof of impact.
Rules
  • Include clear steps to reproduce.
Rules
  • Allow 72 hours for confirmation.
In scope

In scope

  • Auth + session handling
In scope
  • Payment + token flows
In scope
  • Public API endpoints
In scope
  • Privilege escalation
Out of scope

Out of scope

  • Rate limiting only
Out of scope
  • Self-XSS without impact
Out of scope
  • Third-party services
Out of scope
  • DoS testing
Rewards

Rewards

  • Critical: $2,000 - $5,000
Rewards
  • High: $800 - $1,500
Rewards
  • Medium: $250 - $600
Rewards
  • Low: $100 - $200