Bug Bounty Program

Because we appreciate the interest of our community members in the security of our systems, we have created a program to allow community members to probe our systems for certain weaknesses, and to receive an award for the discovery of those weaknesses.

If you comply with the following rules and act in good faith, we will respond as quickly as possible to fix vulnerabilities, will keep you updated on the progress, and will not take legal action against you.


  1. Don't attempt to access an account you didn't create, or data related to people other than yourself.
  2. Don't perform any attack that could harm the integrity of our data.
  3. Don't perform any attack which could interfere with others' use of our systems. Denial-of-Service attacks are not allowed.
  4. Never attempt physical attacks.
  5. Don’t publicly disclose a bug before it has been fixed.
  6. Only test for vulnerabilities on sites which are directly operated by us. The following sites are a safe bet:

We promise not to take any legal action against you only if you abide by the rules of this program, including requirements for what data you access and what rewards are available. If you take actions outside this program, particularly if in bad faith, we may contact law enforcement.


As a small non-profit, we don't have the ability to award cash grants, but do offer the following:

We have final discretion as to what reward, if any, a disclosure qualifies for. Free admission only applies to events you are otherwise eligible to attend, and you may still be removed or banned from participation for violations of rules or the code of conduct. Free admission does not include indirect costs, like transportation.

Excluded Vulnerabilities