Bug Bounty Program

Because we appreciate the interest of our community members in the security of our systems, we have created a program to allow community members to probe our systems for certain weaknesses, and to receive an award for the discovery of those weaknesses.

If you comply with the following rules and act in good faith, we will respond as quickly as possible to fix vulnerabilities, will keep you updated on the progress, and will not take legal action against you.


  1. Don't attempt to access the account or data of another attendee/user; use a test user.
  2. Don’t perform any attack that could harm the reliability/integrity of our services or data, or which could interfere with others' use of our systems or programs. DDoS/spam attacks are not allowed.
  3. Don’t publicly disclose a bug before it has been fixed.
  4. Only test for vulnerabilities on sites which are directly operated by us. Some sites are operated by third parties and have their own security vulnerability reporting rules. The following sites are directly operated by us:
  5. Don’t use scanners or automated tools to find vulnerabilities.
  6. Never attempt physical attacks.


As a small non-profit, we don't have the ability to award cash grants, but do offer the following:

We have final discretion as to what reward, if any, a disclosure qualifies for. Free admission only applies to events you are otherwise eligible to attend, and you may still be removed or banned from participation for violations of rules or the code of conduct. Free admission does not include indirect costs, like transportation.

Excluded Vulnerabilities

A Warning

We promise not to take any legal action against you only if you abide by the rules of this program, including requirements for what data you access and what rewards are available. If you take actions outside this program, particularly if in bad faith, we may contact law enforcement.