Security Bounty Program


Data security and privacy are key aspects of our service. We welcome outside help through our bounty program to make us aware of any gaps in our security.

To participate you wll need to follow a few rules:

Finally, please keep in mind this security bounty program doesn’t concern regular bugs in our application or API. We're only interested in security flaws allowing intruders to gain access to data of other users. If you wish to report a regular bug use the contact form.

Reports we're interested in

in scope

Examples of Non-Qualifying exploits

Reports we don't want


Our reward system is flexible and doesn't have any strict upper or lower limit. The amount of the reward will depend on the severity of the vulnerability. The amount of the reward and whether or not a vulnerability qualifies will be at our sole discretion.

Rewards will be sent by bank transfer (Wise if the recipient is not in the Eurozone, we will not make financial rewards to countries not supported by Wise) once the vulnerability has been fixed and the reporter has supplied a valid invoice. All international transfer and conversion fees will be paid by the recipient.

We only award one bounty per vulnerability. If we receive multiple reports, the first one will receive the reward.

Report submission

Please submit to the email address in our security.txt file.

Hall of Fame

Thanks to the following researchers who have helped us debug various issues.

  • Om Dubey
    Made us aware we were not adequately handling all aspects of the hand-off from Stripe post-purchase.
  • Md Sojib Islam Nirob
    Setting email address as password is insecure and we block that on signup and update email feature. We forgot to do the same on reset password feature.
  • Srikar V
    Visiting the enable-two-factor directly in a later session would display the already used initial setup (QR) code again.
  • Ranjeet Kumar Singh
    When multiple email change processes were initiated a user could be confused which email confirmation link to click (emails are already unique and contain all information to distinguish them).
  • Fahimhusain Raydurg
    Optimiztion of Content-Security-Policy settings
  • Swapnil Kothawade
    The wiki pages of perl-Geo-Address-Formatter were editable.
  • Burhan Chhotaudepur
    Better limits for users validating discount codes
  • Brandon Roldan
    Limits against brute-forcing to create additional keys
  • Fahimhusain Raydurg
    Providing huge amount of feedback text during account deletion caused website to become unresponsive
  • Ranjeet Singh
    Tracing a possible email related log4j issue (turned out to be harmless and outside our systems)
  • Shivam Pandey
    Website session handling across multiple devices
    Slack security token found in a public repository (could've been used to send us messages)
  • Aman Rai
    How the password strength estimation on sign up page can consume too much CPU
  • Virendra Tiwari, Armanul Miraz
    Better hiding of software version numbers in HTTP headers
  • Kunal Mishra
    Faster account locking on failed password verification in the user dashboard (when user is already signed in)
  • Tinu Tomy
    Wiki page on public repositories was editable; On incomplete 2FA setup users were able to lock themselves out
  • Anurag Muley
    HTTP Header misconfiguration on our blog
  • Nishant
    Better password advice
  • Nitin Gavhane
    Lower limits for storing user-supplied account data
  • Pritam Mukherjee
    Iframing protection on one of our blogs was not active after a framework upgrade
  • Ayham Alhamza
    Open redirection

Start your free trial

2,500 geocoding API requests per day.

No credit card required.