To ensure secure handling of security reports, we strongly encourage you to follow the procedures outlined at securitytxt.org. This protocol is designed to help you securely and privately report vulnerabilities.

If your discovery reveals a high-severity vulnerability and includes a tangible proof of concept (PoC) that demonstrates a real impact on our operations, we would be glad to show our appreciation by offering you our products or exclusive discount codes.

However, if your report is based solely on the use of automated tools to identify low-risk issues, and you are seeking financial compensation, please note that this site does not operate a bug bounty program for such findings.

Examples of issues that are not considered valid security reports:

• Misconfigured DNS records (e.g., DMARC, SPF, DKIM warnings)
• Missing or optional HTTP security headers (e.g., X-Frame-Options, X-XSS-Protection, Content-Security-Policy)
• Clickjacking on public or non-sensitive pages
• Information disclosures that do not involve personal or sensitive data (e.g., server version, technology stack)
• Lack of rate limiting on login or search forms that do not handle sensitive actions
• Use of outdated libraries or components without a known exploit or relevant context
• Debug or verbose error messages on staging or development environments
• Open directories or listing pages without sensitive content
• HTTP to HTTPS redirection findings
• Presence of .gitignore, robots.txt, or similar configuration files
• Publicly accessible analytics or monitoring endpoints without sensitive data
• Self-signed or expired certificates on non-production domains
• TLS/SSL configuration issues that do not pose real-world risks
• Subdomain takeovers that are not exploitable or affect unused subdomains

We encourage researchers to focus on vulnerabilities that could lead to unauthorized access, data exposure, privilege escalation, or other meaningful security impacts.