’s Security Bug Bounty Program’s Security Bug Bounty Program

The security community has kindly reported a number of security recommendations and vulnerabilities. We are pausing the program as we fix these vulnerabilities, and will re-open’s Bug Bounty Program next year.

Thanks, looks forward to working with the security community and recognises the importance and value of security researchers’ efforts in helping keep our businesses and customers safe. We encourage responsible disclosure of security vulnerabilities via our Security Bounty Program described on this page.

Program Rules

Please read our entire policy before you start! This will help save you time and reduce the chances of submitting a finding that’s not in the scope.

  • Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be considered .
  • When duplicates occur, we only consider the first report that was received (provided that it can be fully reproduced).
  • We want you to search for bugs, not user data. If you encounter user information during your testing stop immediately and notify us using Further guidance will be provided along with an appropriate recognition for your finding.
  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
  • Multiple vulnerabilities caused by one underlying issue will be considered as one.
  • Social engineering (e.g. phishing) is prohibited and company will take legal action.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
  • Please follow AWS Penetration Testing Policy
  • Be respectful when interacting with our team, and our team will do the same.
  • Do not perform testing that involves enumerating and/or Brute Forcing Login.
  • Do not engage in conversation in social media, document the finding or disclose the vulnerability without our consent and review.
  • Do not harm or defraud’s systems or our users during your investigation.

In Scope vulnerabilities

  • Stored/Reflected Cross-site Scripting (XSS)
  • Server-Side Request Forgery (SSRF)
  • Authentication or authorization flaws
  • Server-side Remote Code Execution (RCE)
  • Access Control Vulnerabilities (IDOR, etc)
  • XML External Entity Attacks (XXE)
  • Significant security misconfigurations on Platform
  • SQL Injection (SQLi)
  • OWASP Top 10 vulnerabilities
  • CWE-SANS Top 25 Dangerous Bugs

Note: Security issues with significant impact to users will be considered, even if they do not fit the scope categories.

Out of scope vulnerabilities

The following issues are considered out of scope and will not be eligible:

  • Scanner output or scanner-generated reports, i.e report from automated active scanning tool.
  • Fingerprinting / banner disclosure on common/public services/configuration.
  • Clickjacking on pages with no sensitive actions.
  • Content spoofing without embedding an external link or JavaScript.
  • Any vulnerabilities found on subdomains or properties not explicitly listed in scope.
  • Any activity that could lead to the disruption of our service (DDoS) or Rate-limiting issues.
  • CSRF configuration issue without exploitable proof of concept.
  • Missing best practices in SSL/TLS configuration. (Lack of HSTS, additional security headers, etc.)
  • Presence of autocomplete functionality in form fields.
  • Lack of HTTP Only or Secure cookie flags in non sensitive cookies.
  • Reports of vulnerabilities on third party software (e.g. HubSpot).
  • Missing security headers which do not lead directly to a security vulnerability.
  • Flaws affecting the users of out-of-date browsers or plugins.
  • Email bombing and flooding.
  • Enumeration or information disclosure of non-sensitive information.

Testing Scope

We encourage to scope your testing on the below domains ONLY.

Please do not conduct any testing or scanning outside the specified domain or subdomain mentioned below.

In Scope:

Public Repositories

Vulnerability Submission Policy

When submitting a vulnerability please include:

  • A description of the vulnerability and the environment in which it was discovered.
  • Details on application under test and/or service that is affected.
  • Detailed steps that can reproduce the issue.
  • An image attachment (optional). Do not attach any executable files to your email.
  • Please email us at

Triage Process

After email all submissions to (if needed, PGP encryption details are here). Please allow time for triage and the vulnerability to be fixed before discussing any findings publicly.

After receiving a submission, will make a best effort to provide a timely first response. We’ll try to keep you informed about our progress throughout the process.

Rewards and Recognitions

To recognise the important work that security researchers provide, offers monetary rewards of up to USD$500 (minimum reward USD$50), with the final value of the reward determined based on the severity of the reported vulnerability (CVSS score) and business risk set as the exponent (1=high, 2=medium, 3=low) per this calculator.

In order to be eligible for the reward you must have complied with the terms and rules outlined in this document.

Final Notes

The team would like to thank all security reachers for help to keep our customers safe and secure. We applaud your hard work, dedication, and commitment to supporting the bug bounty program. We will make the final decision on bug eligibility and value.

This program exists entirely at our discretion and may be modified or canceled at any time. Any changes we make to these program terms do not apply retroactively.

Thanks all security researchers for their help to keep safe and secure.