1. What is a vulnerability report?

A vulnerability report is a document submitted by security researchers or users who have discovered a flaw in our system or infrastructure. This report highlights the potential risks to security and privacy, helping us identify and resolve issues before they can be exploited.

2. How do I report a vulnerability?

If you’ve discovered a vulnerability, please submit it through our security center. Ensure your report includes clear, reproducible steps to help us investigate the issue effectively. Do not contact individual employees for reporting vulnerabilities.

3. What kind of vulnerabilities are eligible for a bounty?

Vulnerabilities that impact the security or privacy of our platform and can be exploited to compromise data, access accounts, or affect the integrity of our system are eligible for a bounty. The severity of the vulnerability determines the reward, with critical issues receiving the highest reward.

4. Do I need permission to test the system?

You do not need explicit permission to test for vulnerabilities within the scope of the program, as long as you follow the Fundamentals outlined in our security policy. This includes avoiding interference with private accounts and ensuring no harm is done to our services or other users.

5. Will I be rewarded for my submission?

Rewards are given at our discretion and depend on the severity and impact of the vulnerability you report. Detailed, reproducible reports are essential for eligibility, and we offer bounties for vulnerabilities with varying levels of severity: Critical (£200), High (£100), Medium (£50), and Low (£20).

6. How long does it take to process my report?

We investigate all valid reports and prioritize them based on their risk and impact. Due to the volume of reports, it may take some time before we respond, but we aim to review and address each issue as quickly as possible.

7. Will you publish my report?

We reserve the right to publish reports once a vulnerability has been resolved. If you prefer to remain anonymous, please indicate this in your report, and we will respect your wishes.

8. What happens if I accidentally cause a privacy violation while testing?

If you inadvertently access private data or cause disruptions during your testing, please disclose this in your report. We will consider this when evaluating the severity and impact of the vulnerability and ensure that it is handled appropriately.

9. Can I report a vulnerability I discovered in third-party integrations?

While we encourage the reporting of vulnerabilities in any system that interacts with our platform, it’s important to only report vulnerabilities that directly affect our services. If the issue is with a third-party service, we recommend contacting the third-party provider.

10. Can I continue my testing after submitting the report?

Once a vulnerability has been reported, you should not continue testing unless you have been explicitly authorized by us. We will assess the issue and notify you of any further actions that may be needed.

Additional Questions

If you have any other questions or need further assistance, please don’t hesitate to reach out to our support team via email. We’re here to help!