CordCatCordCat
Responsible disclosure

Break it, report it, get credited.

We built this fast and we know it isn't perfect. If you find something that actually breaks things, not just a scanner report, we want to hear about it. No corporate runaround, just a real response.

We're a small team running a real platform, and the data we handle is sensitive. Find a real vuln, report it properly, get credited. That's the whole thing.

[email protected]PGP key available on request.

What you get for what you find.

Severity drives the reward. Higher impact, bigger recognition. Every valid report lands you in the Hall of Fame.

Critical

RCE, auth bypass, mass data leak

Lifetime unlimited API key + Hall of Fame

High

IDOR, privilege escalation, SQLi

Hall of Fame + recognition shoutout

Medium

Stored XSS, CSRF

Hall of Fame

Low

Info disclosure, minor issues

Hall of Fame

Critical finds get a lifetime unlimited API key

Find something genuinely critical, RCE, mass data leak, or full auth bypass, and you get unlimited API access forever. No expiry, no rate limits, ever.

Scope what counts, what does not.

We care about

  • Authentication bypass / account takeover
  • Privilege escalation (user to admin)
  • SQL injection or other injection attacks
  • Stored or reflected Cross-Site Scripting (XSS)
  • CSRF on state-changing endpoints
  • Sensitive data exposure (API keys, user data)
  • Server-Side Request Forgery (SSRF)
  • Remote Code Execution (RCE)
  • Insecure Direct Object Reference (IDOR)

Save your breath

  • Denial of service (DoS / DDoS)
  • Rate limiting bypass without impact
  • Social engineering / phishing attacks
  • Issues in third-party dependencies without a working PoC
  • Missing security headers with no proven impact
  • Scanner output without PoC
  • Self-XSS

Ground rules

01

Don't touch data that isn't yours. Seriously.

02

No DoS. We'll notice and we won't be happy.

03

Keep it to yourself for 90 days while we patch it.

04

Give us a real PoC with steps to reproduce, no vague claims.

05

Only test against accounts you own.

06

Don't be a jerk about it.

Found something? Send it over.

Send a clear PoC, reproduction steps, and impact description. We'll get back to you fast.

[email protected]

PGP key available on request.