Responsible Disclosure Guidelines

✅ What You Should Do

Read the program scope carefully
Each program has specific targets and rules. Only test systems explicitly listed in scope.
Use your own accounts
Create test accounts when possible. Never use real customer data or accounts.
Document everything
Take screenshots, save HTTP requests/responses, and provide clear reproduction steps.
Report promptly
Submit your findings as soon as possible. Don't share vulnerabilities with others before disclosure.
Be patient
Allow time for triage and patching. Response times vary by program.

⚠️ Prohibited Activities

Engaging in any of the following will result in immediate disqualification and potential legal action.

Never access non-public data
Don't view, download, or store customer data or personal information.
Don't modify or delete data
Never alter, delete, or corrupt data in any system.
No Denial of Service attacks
Don't attempt to overwhelm systems with excessive traffic.
Don't exploit beyond proof-of-concept
Stop once you've confirmed the vulnerability. Don't pivot to other systems.
No social engineering
Don't attempt to manipulate employees or support staff.
Don't share vulnerabilities
Keep findings confidential until disclosed by the program.

Critical

500+ points

Remote code execution, SQL injection leading to data breach

High

250-499 points

Stored XSS, IDOR exposing sensitive data

Medium

100-249 points

Reflected XSS, CSRF on sensitive actions

Low

25-99 points

Missing security headers, verbose error messages

1

Use our submission form with detailed reproduction steps.

2

Our team reviews and validates your report within 2-5 business days.

3

Severity is assigned based on CVSS and business impact.

4

Points and cash rewards are processed after verification.

🛡️ Safe Harbor

We support the principles of responsible disclosure. When you follow these guidelines: