Responsible Vulnerability Disclosure

Last updated: July 06, 2022

We care deeply about keeping our customers’ data safe and secure. Your input and feedback on our security is always appreciated. Note that at the moment we do not offer bug bounties other than good karma.

Reporting an issue

Please send a report to [email protected] with details like:

  • a summary of the problem,
  • a PoC or breakdown of how to replicate the issue,
  • the operating system name and version, as well as the web browser name and version, that you used to replicate the issue.

Here’s how the process will go from there on:

  • we will acknowledge your report,
  • we will investigate the issue,
  • we will provide a fix to the production servers.

Note that we may not respond to your email, and that, for security reasons, we won't click any link or open any attachment received via email.

Things we’re interested in

We are interested in any vulnerabilities related to the simplelocalize.io website and application such as:

  • authentication issues,
  • server-side code execution,
  • circumvention of our Platform/Privacy permissions model,
  • cross-site scripting (XSS) with meaningful exploit potential,
  • cross-site request forgery (CSRF/XSRF) (this excludes logout CSRF).

Our ask

We’d like to ask you to search for and report vulnerabilities responsibly, with the following principles in mind:

  • please avoid techniques that might degrade the service for others (DoS, spamming, etc.),
  • do not exfiltrate data from our infrastructure (including source code, data backups, configuration files, etc.),
  • if you obtain remote access to our systems, report your finding immediately; do not attempt to pivot to other servers or elevate access,
  • don’t try to access or manipulate other customers' data; only test on your own account,
  • please keep the vulnerabilities secret until you’ve notified us, and we’ve had adequate time to remedy the issues.

Contact

If you have questions or suggestions, please email us at: [email protected].