As contributors to open source and to the IT community in general, we value the work of independent security researchers.

If you’re good enough to spot a vulnerability in our site, we’d love to know about it. We’ll reward anyone who reports a critical vulnerability for the first time.

Just follow the guideline below to ensure that you qualify for a reward and that you don’t violate our Terms and Conditions.

Banking institutions with issues related to fraud/chargeback should contact
Send an email to if you have a fraud-related issue.

Reporting vulnerabilities

  • To send us an email, please check our security.txt file.
  • Encrypt all sensitive information using our
    PGP Key
    Click this link to copy the PGP key.
  • Provide full details of the vulnerability so that we can easily reproduce it.
  • Avoid disrupting or degrading our services in any way. Given the nature of our business, denial-of-service attacks are not welcome at all.
  • Don’t copy, delete, access, or change any data that doesn’t belong to you.
  • Don’t publicise any details of the vulnerability until we’ve had a chance to fix it.
We’ll try to get back to you within 2 working days.