This project takes security & privacy seriously. While there is no huge budget, I would like to reward hard work in helping to improve the project by providing these guidelines and a bounty program.
- Must result in one of the following:
  - Remote code execution (ex. Log4shell)
  - Unauthorized access to data (ex. SQLi attacks)
  - Denial-of-service exploits, web request exploits
  - Retrieval of secrets (ex. system information, keys, user data)
  - Account takeover or unintended bypassing/manipulation of restrictions
  - Failure in encryption (ex. SSL, passwords)
  - Other notable security or privacy concerns
- Must be present on the latest development branch, or a relatively recently published release.
- This project is not responsible for other instances/forks. If another entity is running outdated or customized versions, it is best to get in contact with them first.
- The issue must have a reasonable scope and impact on users.
Resolutions will be attempted on a best-effort basis (ideally as soon as possible).
To qualify for a bounty, the following should be true:
- The reporter is the first reporter of the issue, and the issue must have not been publicly disclosed.
- The issue is clearly explained with details on reproducing the issue, how it could affect users, and how it could be exploited for gain.
- The issue meets the above reporting criteria.
- Security testing was done locally and did not negatively impact user privacy or experience.
Bounties will be paid through an online payment transfer, or as a charitable donation on the reporter's behalf to a local charity. Bounties are awarded at my discretion. Amounts may vary based on the severity and impact of the issue, as well as the availability of funds to pay out to reporters.
There may be a posted notice on how to mitigate the issue once it is resolved depending on the severity.
Please email me using this PGP key. You may expect a response within 48 hours.