We do pay bounties on discovered vulnerabilities or security-related issues. In order to get paid the following must be true.
#1 The vulnerability must be unique
If we receive multiple reports, the first to report will get the bounty. We may pay out, at our discretion, nominal secondary notification fees to encourage future discovery.
#2 The vulnerability must be reproducible
We will not pay for any vulnerability that cannot be reproduced. We will not pay out bounties on YouTube videos that demonstrate a vulnerability that cannot be reproduced.
#3 Must have an attack scenario
The attack must have distribution capability through our systems. Please explain distribution capability. For instance, leveraging our API and then writing malicious scripts would not count as this would be no different than just writing a page with malicious scripts.
|Remote code execution
|Command injection, deserialization bugs, sandbox escapes
|Unrestricted file system or database access
|Logic flaw bugs leaking or bypassing significant security controls
|Direct object reference, remote user impersonation
|Map Security Vulnerabilities
|Improper map exposure
|Execute code on the client
|Other valid security vulnerabilities
We are unable to issue rewards to individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to enter depending upon your local law.
This is not a competition, but rather an experimental and discretionary rewards program. You should understand that we can cancel the program at any time and the decision as to whether or not to pay a reward has to be entirely at our discretion.
Of course, your testing must not violate any law, or disrupt or compromise any data that is not your own.