Security Disclosure Policy is deeply grateful for the diligent and ethical investigations into security vulnerabilities by security researchers. We adhere to the principle of responsible disclosure to safeguard our user base to the utmost from the repercussions of security weaknesses. Our commitments include:

  • Prioritizing the response to security incidents.
  • Collaborating with researchers to determine an appropriate timeline for disclosing the vulnerability reported. Within this period, we will either address the issue or choose to accept the associated risk, followed by a disclosure of the vulnerability.
  • Guaranteeing transparency with our community regarding incidents that may impact them.
  • Typically aiming to resolve vulnerabilities within 90 days from the acknowledgment of your report, though some complex vulnerabilities may necessitate a longer timeframe (up to 120 days). In scenarios where a vulnerability poses significant disruption and/or is easily exploitable, we may withhold technical details for a brief period post-resolution (not exceeding 30 days) to ensure community safety.

Should you discover a security vulnerability within, we urge you to disclose it in a responsible manner by reaching out to us via email at [email protected]. We strongly advise against discussing potential vulnerabilities in public forums without prior confirmation from our team.

Upon receiving a report, our security team will:

  • Assess the report, validate the vulnerability, and either confirm the findings or request additional information; our aim is to respond within 24 hours.
  • Notify the researcher once the security issue has been rectified, at which point they are encouraged to publicly disclose the vulnerability, should they choose to do so.

Exclusions: The following outlines known non-issues or areas we do not classify as vulnerabilities. Please refrain from submitting reports concerning:

  • Issues related to SPF or DMARC. does not typically offer bug bounties. Contributions towards identifying security vulnerabilities are recognized in our Security Hall of Fame, honoring those who have responsibly disclosed such issues in the past.