We're a security company — we take vulnerability reports seriously and treat researchers with respect.
We do not currently operate a paid bug bounty program. We offer public acknowledgement and a heartfelt thank you. We review this policy annually and may introduce bounties in the future.
Send your report by email. Include as much detail as possible. Please do not submit vulnerability reports through public channels (GitHub issues, Twitter, etc.).
Email [email protected]