Responsible Disclosure

We encourage everyone to practice responsible disclosure and comply with our policies and terms of service.

Please do not use automated testing and only perform security testing with your own data. Please do not disclose any information regarding the vulnerabilities until we fix them.

You can report vulnerabilities by contacting Please include a proof of concept. We will respond as quickly as possible to your submission and won’t take legal actions if you follow the rules.


  • *

Accepted vulnerabilities include the following:

  • Account/email enumerations
  • Attacks that could harm the reliability/integrity of our business
  • Authentication issues
  • Cross-Site Scripting (XSS)
  • Cross-site Request Forgery (CSRF)
  • Command/File/URL inclusion
  • Code execution
  • Code or database injections
  • Logout CSRF
  • Open redirect

This program does NOT include:

  • Denial of Service (DoS)
  • Spam attacks
  • Clickjacking on pages without authentication and/or sensitive state changes
  • Mixed content warnings
  • Content spoofing / text injection
  • Timing attacks
  • Social engineering
  • Phishing
  • Insecure cookies for non-sensitive cookies or 3rd party cookies
  • Exploits that require physical access to a user's machine

Attain. Maintain.
Prove It Anytime.

© 2023 All rights reserved.
Disclaimer: The appearance of U.S. Department of Defense (DoD) visual information does not imply or constitute DoD endorsement.