Limit your report to the most serious vulnerability found.
This is a vulnerability disclosure program and not a bug bounty.
System owners have not given you any permission for recon, scanning or testing.
If reporting subdomain takeover, report all related subdomains in the same report and do not provision the subdomain yourself or publish anything to the subdomain.
If reporting cross-site scripting, provide the browser name, version and platform.
Once a report has been triaged, we will attempt to contact the system owner on your behalf. However, this may take a long time. We will keep you informed of any progress, so you don’t need to ask for updates.
The report will be shared with other relevant parties.
The affected owner holds responsibility for resolving the issue.
You must comply with all relevant applicable laws.
