Security Bounty Program

Overview

Data security and privacy are key aspects of our service. We welcome outside help through our bounty program to make us aware of any gaps in our security.

To participate you will need to follow a few rules:

  • Be a good citizen: Do not disturb the service. Follow the terms and conditions. Avoid automated testing.

  • Only test with your data. Do not interact with other accounts.

  • Do not create more than one account.

  • If you gain access to our system, report it immediately.

  • Do not publish any information regarding the vulnerability until we have fixed it.

  • We only award one bounty per vulnerability. If we receive multiple reports, the first one will receive the reward.

Finally, please keep in mind this security bounty program doesn’t concern regular bugs in our application or API. We're only interested in security flaws allowing intruders to gain access to data of other users. If you wish to report a regular bug, contact us.

Reports we want

  • Tampering with data of other users.

  • Bypassing our API's security.

  • Cross-site scripting (XSS).

  • Server-side code execution.

Examples of Non-Qualifying exploits

  • Denial of service attacks.

  • Social engineering.

Reports we don't want

  • Missing DNSSEC configuration.

  • SSL BEAST/CRIME/etc.

  • Email spoofing, SPF, DMARC & DKIM.

Rewards

Our reward system is flexible and doesn’t have any strict upper or lower limit. The amount of the reward will depend on the severity of the vulnerability. The amount of the reward and whether or not a vulnerability qualifies will be at our sole discretion.

Rewards will be sent by bank transfer (Transferwise if the recipient is not in the Eurozone) once the vulnerability has been fixed and the reporter has supplied a valid invoice. All international transfer and conversion fees will be paid by the recipient / deducted from the reward.

Report submission

Please submit to the email address in our security.txt file. We will reply within five working days.

If you have any questions, please get in touch via our contact form.

Hall of Fame

Thanks to the following researchers who have helped us debug various issues.
