If you have found a critical security vulnerability, please practice responsible disclosure by reporting it and giving us a chance to respond.
We will consider bounties for disclosures that include a proof of concept and lead to the direct compromise of user data. Reports that are related to best practices including missing headers will not be rewarded.
Please do not run vulnerability scanners against our site. We have our own scans running and will not reward reports found from automated scans.
To keep our security program focused and useful, we disqualify reports that are on Google's list of non-qualifying reports. Please note that this list is a non-exhaustive guideline. If your report falls into one of those categories, it will likely not be rewarded. Please review the list prior to submitting your report.