Security (VDP)

Last Updated: Nov 11, 2019 is committed to working with experts across the globe to stay up to date with the latest security techniques. If you have discovered a security issue that you believe we should know about, we'd welcome working with you. Please let us know about it and we'll make every effort to quickly correct the issue.

DO NOT use automated scanning tools

* Website related endpoints on
*API related endpoints on *

Minimum reward is $100 for security vulnerabilities. The reward depends on the vulnerability severity. Issues without security impact are not eligible for a bounty, yet still welcomed and will be treated like any other report.

* You must be the first reporter of the vulnerability.
* You may not publicly disclose the vulnerability prior to our resolution.
* You provide a working proof of concept that exploits the security issue.

* Login/Logout CSRF
* DDoS
* Social engineering on customers or employees of
* Miss of rate limits
* Report from automated tools and scans
* Vulnerabilities sending spam or unauthorised messages
* Bugs in 3rd party software
* X-Frame-Options related
* Missing security headers which do not lead directly to a vulnerability
* Physical attack on the infrastructure
* Theoretical attacks
* Breaking of SSL/TLS trust
* Compromising of browser/device (ex. computer sharing, physical access to a user's device, ...)
* Vulnerabilities only affecting users of outdated or unpatched browsers and platforms
* Password and account recovery policies, such as reset link expiration or password complexity
* Outdated DNS record pointing to system which does not belong to

Contact with findings and questions.