Site security

As contributors to open source and to the IT community in general, we value the work of independent security researchers.

If you’re good enough to spot a vulnerability on our site, we’d love to know about it.

We’ll reward anyone who reports a critical vulnerability for the first time. Just follow the guidelines below, and don’t violate our Terms and Conditions.

Reporting vulnerabilities

  • To send us an email about site security (and site security only), please check our security.txt file.
  • If you think you have found a security vulnerability, please don’t hesitate to visit our HackerOne Bug Bounty Program.
  • Encrypt all sensitive information using our PGP Key.
  • Provide full details of the vulnerability so that we can quickly reproduce it.
  • Avoid disrupting or degrading our services in any way. Given the nature of our business, denial-of-service attacks are not at all welcome.
  • Don’t copy, delete, access, or change any data that doesn’t belong to you.
  • Don’t publicize any details of a potential vulnerability until we’ve had the chance to fix it.
We’ll try to get back to you within two working days.

Reporting fraud

If you’re looking to report fraud, or if an unauthorized transaction was made using your payment information, please contact your bank to notify them of the activity. Unfortunately, this is something we won’t be able to help with.
We hack the system,
you fly for less