The following guidelines give you an idea of what we usually pay out for different classes of security issues. Low-quality issues may be rewarded below these tiers, so please make sure that your report contains enough information for us to reproduce the issue, including step-by-step reproduction instructions. Screenshots are also helpful, but please do not make them public before you have submitted them to us, in line with our program's rules.
Reward tiers (highest to lowest):
- 600 USD - 1200 USD
- 400 USD - 600 USD
- 200 USD
- 100 USD
- 50 USD
Rules for reporting
- Report a qualifying vulnerability that is in the scope of our program (below).
- Be the first person to report the vulnerability.
- Be reasonable with automated scanning methods so as to not degrade services.
- Refrain from disclosing the vulnerability until we've addressed it.
- NEVER try to gain access to a real user's account or data.
- You must not leak, manipulate, or destroy any user data.
- Do not impact users with your testing.
What we are looking for
- Cross site scripting (XSS)
- Cross site request forgery (CSRF)
- Insecure direct object reference (IDOR)
- Account takeovers
- SQL Injection
- Authentication flaws
- Remote code execution (RCE)
- Server side request forgery (SSRF)
- XML External Entity Attacks (XXE)
- Anything not listed but important
What we are not looking for
- Vulnerabilities requiring physical access to the victim's unlocked device
- Denial of Service attacks
- Brute Force attacks
- Spam or Social Engineering techniques
- Content Spoofing
- Best practices concerns
- Issues relating to Password Policy
- Issues relating to token lifetime
- User enumeration
- Full-Path Disclosure on any property
- CSRF-able actions that do not require authentication (or a session) to exploit
- Reports related to missing security headers
- CSV Injection
- Reverse Tabnabbing
- Bugs that do not represent any security risk
- Vulnerabilities that are limited to unsupported browsers