Guidelines and conditions
- Your testing must not violate any law.
- Do not DDoS or otherwise disrupt, interrupt or degrade our services.
- Please use your own account for testing or research purposes.
- Do not attempt to gain access or information that does not belong to you, beyond the minimum necessary to demonstrate the vulnerability.
- Do not permanently modify or delete hosted data.
We encourage the disclosure of the following eligible vulnerabilities:
- Information Disclosure
- Cross-site scripting
- Cross-site request forgery in a privileged context
- Server-side code execution
- Authentication or authorization flaws
- Injection Vulnerabilities
- Significant Security Misconfiguration
Out of scope and exclusions:
- Missing HTTP security headers.
- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms.
- Social engineering (such as phishing emails to our staff).