Responsible Disclosure Policy

Our users trust us with their data, so we try and live up to that trust by keeping the safety and security of customer data a top priority in all the work that we do.

We welcome responsible disclosure of security vulnerabilities, via email, to [email protected].


We cannot offer cash compensation for security reports.

If we assess the problem you report as particularly critical, or we can see you’ve spent significant effort to find it, we may reward you with some swag - a digital badge (if you’re an active user), stickers, or a t-shirt - in addition to crediting you on this page.

Rules for you

  • Do not deliberately access data that does not belong to you. If you discover a vulnerability that allows access to other users data, stop immediately, and report your findings.
  • Avoid actions likely to result in data deletion or service disruption while you test any potential vulnerability.
  • Do not execute, or attempt to execute, a Denial of Service (DoS) attack.
  • Do not run automated tools or “bots” against our systems without prior coordination.
  • Do not try to abuse our resources; this includes attempting to trigger unsolicited or otherwise unauthorized emails.
  • Do not attempt to blackmail us, or try to sell us your security report. We do not offer cash compensation for security reports.
  • Do not send us reports from basic tools such as Qualys SSLLabs, mxtoolbox (e.g. lack of a DMARC reject record), etc. We consider reports from these tools beg bounties and will treat them as spam.
  • Do not report vulnerabilities that appear to be deliberate product design choices (e.g. the ability to sign up and use our services without confirming an email address).

In return, we promise that..

  • We will not take any legal action against you, if you have made a good faith effort to follow the rules above.
  • We will reply to correctly submitted reports, after making our own risk assessment of their severity, and we’ll let you know when we’ve fixed the issue.
  • If you want (we’ll ask first), we’ll acknowledge your work by putting your name and a link to your website or social media handle on a list of contributors below.