How it works
We appreciate and reward security researchers who help improve the security of our platform. If you discover a valid vulnerability, you may receive a reward based on its severity level and impact.
Your contributions enhance security for all users, and we value your responsible disclosure efforts.
Severity levels & rewards
| Severity | Reward range |
|---|---|
| Low | $10 – $100 |
| Medium | $50 – $300 |
| High | $100 – $1,000 |
| Critical | $300 – $3,000 |
Reward eligibility
- Rewards are determined based on the severity and impact of the vulnerability.
- Only the first valid reporter of a vulnerability is eligible for a reward.
- Bonus rewards may be awarded at our discretion after the issue is resolved and verified.
Submission guidelines
To qualify for a reward, your submission must:
- Include a detailed vulnerability description with clear reproduction steps.
- Suggest a possible fix or mitigation, if applicable.
- Remain confidential – do not disclose the vulnerability publicly without written approval.
- Avoid social engineering attacks such as phishing (email-based attacks), vishing (voice-based attacks), and smishing (SMS-based attacks).
- Not involve extortion, blackmail, or ransom demands.
Once reviewed, we will notify you via email about the reward and next steps.
Non-qualifying vulnerabilities
1. Low-impact or theoretical issues
   - Click-jacking, tap-jacking, and tab-nabbing attacks.
   - “Theoretical” vulnerabilities without proof of real-world exploitability.
   - Self-XSS and Login/Logout CSRF.
   - Discovery of admin panels or test environments without security impact.
2. Requires specific conditions or non-standard environments
   - Requires physical access, MITM attacks, or outdated/jailbroken devices.
   - Affects third-party applications/services (unless impacting the main application).
   - Attacks on corporate IT infrastructure or employees (including physical security).
3. Security misconfigurations without immediate exploitability
   - Missing or misconfigured security headers.
   - Missing HttpOnly or Secure flags on cookies.
   - TLS/SSL issues (weak ciphers, expired certificates, or missing HSTS).
   - Mail security misconfigurations (SPF/DKIM/DMARC errors).
4. False positives, duplicates, or automated reports
   - Automated scanner reports without manual verification or proof of impact.
   - Duplicate reports across different domains/platforms, unless platform-specific.
5. Social engineering, DoS, and other attacks
   - Social engineering, phishing, or spam attacks.
   - Denial of Service (DoS) or any attack disrupting availability.
   - Data enumeration, brute-force, or CAPTCHA bypass techniques.
6. Other non-security issues
   - Publicly known files/directories (.htaccess, robots.txt, etc.).
   - Verbose error messages/banners without exploitability.
Program updates & legal notices
We reserve the right to modify or terminate this Bug Bounty Program at any time and at our sole discretion.
Contact us
Have a question or need to report a vulnerability? Click below to reach our support team.