Severity of bugs will be assessed under the CVSS Risk Rating scale, as follows:
- Critical (9.0-10.0): Up to $100,000
- High (7.0-8.9): Up to $10,000
- Medium (4.0-6.9): Up to $5,000
- Low (0.1-3.9): Up to $1,000
In addition to assessing severity, rewards will be considered based on the impact of the discovered vulnerability as well as the level of difficulty in discovering such vulnerability.
Any vulnerability or bug discovered must be reported only to the following email: [email protected]; must not be disclosed publicly; must not be disclosed to any other person, entity or email address prior to disclosure to the [email protected] email; and must not be disclosed in any way other than to the [email protected] email. In addition, disclosure to [email protected] must be made promptly following discovery of the vulnerability. Please include as much information about the vulnerability as possible, including:
- The conditions on which reproducing the bug is contingent.
- The steps needed to reproduce the bug or, preferably, a proof of concept.
- The potential implications of the vulnerability being abused.
A detailed report of a vulnerability increases the likelihood of a reward and may increase the reward amount.
Anyone who reports a unique, previously-unreported vulnerability that results in a change to the code or a configuration change and who keeps such vulnerability confidential until it has been resolved by our engineers will be recognized publicly for their contribution, if agreed.
Send E-mail to [email protected]