Security: x-wp/asset-loader

SECURITY.md

Guidelines

We're committed to working with security researchers to resolve the vulnerabilities they discover. You can help us by following these guidelines:

  • Follow HackerOne's disclosure guidelines.
  • Pen-testing Production:
    • Please set up a local environment instead whenever possible. Most of our code is open source (see above).
    • If that's not possible, limit any data access/modification to the bare minimum necessary to reproduce a PoC.
    • Don't automate form submissions! That's very annoying for us, because it adds extra work for the volunteers who manage those systems, and reduces the signal/noise ratio in our communication channels.
    • To be eligible for a bounty, please follow all of these guidelines.
  • Be Patient - Give us a reasonable time to correct the issue before you disclose the vulnerability.

We also expect you to comply with all applicable laws.

There aren’t any published security advisories