Bugs
Please don’t scan, probe, or test without written permission. Unauthorized testing is prohibited. If you’re part of an approved program, follow the scope and rules in writing:
- No social engineering or physical attacks.
- Do not access user data beyond proof of impact.
- Include clear steps to reproduce.
- Allow 72 hours for confirmation.

- Auth + session handling
- Payment + token flows
- Public API endpoints
- Privilege escalation

- Rate limiting only
- Self-XSS without impact
- Third-party services
- DoS testing

- Critical: $2,000 - $5,000
- High: $800 - $1,500
- Medium: $250 - $600
- Low: $100 - $200