Report a vulnerability

If you have discovered a vulnerability that we should know about, we'd welcome working with you.

Please let us know about it, including a reproduction, at security@formsort.com and we'll work together to quickly correct the issue.

Scope

  • Website-related endpoints on *.formsort.com

Bounties

Security research takes a lot of effort, and we'll show our appreciation in the best way we can, based on the effort involved, severity of the issue, and how responsibly the vulnerability was disclosed.

Paid bounties start at $50.

Eligibility

  • You must be the first reporter of the vulnerability.
  • You do not access data of other users and solely use your created accounts.
  • You may not publicly disclose the vulnerability prior to our resolution.
  • You provide a working proof of concept that exploits the security issue.

Exclusions

  • DDoS
  • Social engineering of Formsort clients or employees
  • Self-XSS, unless it can be used to attack another user
  • Reports from automated tools or scans
  • Bugs in our clients' sites or infrastructure – but we’ll pass information along to those customers if you let us know.
  • Physical attack on the infrastructure
  • Theoretical attacks
  • Breaking of SSL/TLS trust
  • Vulnerabilities requiring physical access to a user's device
  • Vulnerabilities only affecting users of outdated or unpatched browsers and platforms