Please note that this program offers only thanks for bug submissions; it is a vulnerability disclosure program for my personal projects and source code.
Include a PoC and complete steps to reproduce your report. Reports must be practical and have demonstrable security implications, not just be a theoretical scenario or a missing best practice.
After a report is resolved, you are welcome to disclose it, blog about it, etc.
I will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. I consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. I will not bring a DMCA claim against you for circumventing the technological measures I have used to protect the applications in scope.
If legal action is initiated by a third party against you and you have complied with this bug bounty policy, I will take steps to make it known that your actions were conducted in compliance with this policy.
Please understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not me), that third party may determine whether to pursue legal action. I cannot and do not authorize security research in the name of other entities.
I will not share your report with a third party without your permission and/or gaining their commitment that they will not pursue legal action against you. Please note again that I can’t authorize out-of-scope testing in the name of third parties, and such testing is beyond the scope of the program.
In order to encourage the adoption of bug bounty programs and promote uniform security best practices across the industry, I reserve no rights in this bug bounty policy and so you are free to copy and modify it for your own purposes.
Contact us if you want more information.