Overview
Data security and privacy are key aspects of our service. We welcome outside help through our bounty program to make us aware of any gaps in our security. To participate, you will need to follow a few rules:
- Be a good citizen: Do not disturb the service. Follow the terms and conditions. Avoid automated testing.
- Only test with your data. Do not interact with other accounts.
- Do not create more than one account.
- If you gain access to our system, report it immediately.
- Do not publish any information regarding the vulnerability until we have fixed it.
- We only award one bounty per vulnerability. If we receive multiple reports, the first one will receive the reward.
Finally, please keep in mind this security bounty program doesn’t concern regular bugs in our application or API. We're only interested in security flaws allowing intruders to gain access to data of other users. If you wish to report a regular bug, contact us.
Reports we want
- Tampering with data of other users.
- Bypassing our API's security.
- Cross-site scripting (XSS).
- Server-side code execution.
Examples of non-qualifying exploits
- Denial of service attacks.
- Social engineering.
Reports we don't want
- Missing DNSSEC configuration.
- SSL BEAST/CRIME/etc.
- Email spoofing, SPF, DMARC & DKIM.