Responsible Vulnerability Disclosure Program

At, we truly value the contribution that ethical and responsible security researchers play within the industry. The role that they play not only helps the reputation of our organization, but also protects the safety and privacy of our customers. In the spirit of responsible disclosure, we have implemented a program to permit the discovery of security-related issues with the possibility of rewards upon responsible disclosure. Please review below for the rules, guidelines, and eligibility of the program.

In-Scope Sites

In general, any site or affiliate company is eligible for participation under this program. Some of the sites are:


If you are questioning the eligibility of a particular site, whether it is owned / operated by and it falls under the terms and conditions of this program, please do not hesitate to contact us at

Qualifying Vulnerabilities

Any design or implementation issue that substantially affects the confidentiality or integrity of our site is likely to be in scope for the program. Common examples include:

  1. Cross-site scripting
  2. Authenticated cross-site request forgery
  3. Mixed-content scripts
  4. Authentication or authorization flaws
  5. Server-side code execution bugs
  6. Insecure direct object references

Click-Jacking will not qualify as an acceptable vulnerability for reward at this time.

Any vulnerability that would be considered as customer impacting (social engineering, denial of service, etc.) should not to be tested. If any activities are discovered that have a negative experience or degradation of service to our customers, we will classify this as unauthorized activities and will be treated as such.

Automated scanners are generally discouraged, and may get blocked by our automated prevention controls. If scanning is required, they should be focused on a particular property (i.e., single page or section) at our site, so to not create a lot of unwanted traffic.

If you are investigating issues that could potentially lead to disclosing sensitive information, you should target your own account, as the disclosure of our customer information is prohibited.

Reporting Issues

If you believe you have found a vulnerability contained within one of our sites, please let us know by sending an email to Please be sure to include the following information within the email.

  • Full Name
  • Contact Email
  • URL / Location of Vulnerability
  • Steps to Recreate / Proof of Concept
  • Any other supporting information

Please submit only one (1) vulnerability per email, as this will help expedite the review process.

Once you submit an issue for investigation, we will confirm that we have received the submission and let you know of next steps. Typically, we will confirm within two (2) weeks of the confirmation of submission on whether the issue submitted was accepted and warrant any rewards.


If the vulnerability submitted is found to have a significant impact into the security or privacy of our site and customers, then you may be eligible for a monetary reward. There are, however, some restrictions to this.

The following must be true for you to be eligible for a reward:

  • You must not be a resident of or have submitted the vulnerability from a county that the United States have deemed sanctions or trade restrictions (e.g., Cuba, Iran, North Korea, Sudan and Syria)
  • You must not be an employee, or an immediate family member of an employee with, or its related affiliates or subsidiaries.
  • All laws and regulations were followed during your investigation of issues.
  • All Responsible Vulnerability Disclosure rules and guidelines must have been followed, and
  • You must be the first person to disclosure the vulnerability to us.

Rewards are determined by our security and management after the investigation has been completed. We review to ensure that the issue is confirmed on our site, and determine the potential impact to our services and customers.

Rewards are paid at a minimum of $300,  and escalate depending on the severity and impact to the vulnerability. All rewards payouts and amounts are in sole discretion of and may adjust amounts based on unique factors.

Payouts are made only after remediation has occurred on the submitted issue. If you are to be eligible for rewards, you must not publicly disclose any information about the vulnerability.

All payouts will be made via a verified PayPal account. We will ask for your PayPal account information once the vulnerability has been verified and you are approved for a reward distribution. There may be other considerations for means of payouts, but these are approved on a case-by-case basis.

All rewards will be made in United States dollars (USD).  You will be responsible for any tax implications related to bounty payments you receive, as determined by the laws of your jurisdiction of residence or citizenship.


For those who have helped us, we offer our sincerest thanks!

Special Acknowledgements