Reporting Security Issues

We support the security research community and welcome reports of vulnerabilities in our systems. We do not prosecute people who discover and report vulnerabilities to us. Keeping customer data safe and secure is a huge responsibility and a top priority. We work hard to protect our customers from the latest threats. Your input and feedback on our security is always appreciated.

Reporting security problems & awards

We run a public bounty bug program through Federacy, and all vulnerabilities should be reported through our program page:


We respect the time and talent that drives new discoveries in web security technology. The following researchers and companies have gone out of their way to work with us to find, fix, and disclose security flaws safely:

  • Muhammad Hammad - recognized for reporting a cross site scripting vulnerability.
  • Ayaz - recognized for reporting Missing SPF.
  • allmight - Issues with sign-up rate limit and Google login.
  • thewhiteevil - Email id change requests missing session expiration.
  • kiirapookii - Potential Pixelflood vulnerability.
  • w1n73rw0lf - outdated third-party library.
  • w1n73rw0lf - password reset expiration issue.
  • Smaul - SSRF to port scan and xss.
  • dropper - file uploads missing certain restrictions.
  • rapa9981 - file attachments size validation creating potential for DDoS.
  • rapa9981 - Possible account takeover combining "forgot password" and email changes.
  • aashiqui - potential XSS on email.
  • h3rm17w0lf - Blind XSS attack via Shout-outs.
  • renzi - Lack of Rate Limits in certain forms.
  • apatro - potential for DOS using uploads.
  • Smaul - potential for stored XSS.
  • rohan12386 - Turbolinks cache keep the last page even after logout.
  • gowtham - Access Control letting Employee users visit a setting screen.
  • Fahad Faisal, kiirapookii and Moxiaoxi - DoS through cache poisoning.