RESPONSIBLE DISCLOSURE

Bug bounty program.

If you believe you have found a security issue in Foundation hardware, firmware, software, websites, or services, report it privately so we can investigate and fix it responsibly.

In scope

We are primarily interested in vulnerabilities that create a real security or privacy impact for Foundation customers, users, employees, or production systems.

  • Sensitive data exposure, whether data at rest or in transit
  • Customer data, API tokens, passwords, private keys, or other secrets
  • Access control issues, insecure direct object references, or privilege escalation
  • Cryptographic vulnerabilities in encryption, decryption, signing, or verification code
  • Signing a transaction without user approval, or signing a different transaction than was shown
  • Remote code execution, SSRF, CSRF, MITM, and SQL injection with real exploitability
  • Circuit board, secure boot, firmware update validation, or downgrade vulnerabilities

Out of scope

These reports generally are not eligible for payment unless they are accompanied by a concrete exploit path and meaningful impact.

  • Development or staging systems, third-party integrations, booking, or docs subdomains
  • SSL/TLS version reports, weak ciphers, or expired certificates without a direct exploit
  • Denial-of-service attacks
  • Self-XSS without a reasonable attack scenario
  • SPF, DKIM, or DMARC reports
  • Security headers that do not directly lead to a vulnerability
  • Vulnerable software version disclosure without proof of vulnerability
  • Reports solely from automated scanners without a real exploit
  • Brute-force attacks and issues unrelated to the security or privacy of our users

REQUIREMENTS

Report privately. Keep users safe.

Public disclosure is welcome after Foundation has identified, reproduced, and patched the issue, and after you receive written confirmation from Foundation.

Use test payment methods only and avoid disrupting live transactions.
Act in good faith. Ransom demands, abuse, or active exploitation will disqualify the report.
Do not include sensitive customer data in your report. Describe how to reproduce the issue instead.
Keep communication professional and provide enough detail for Foundation to reproduce the issue.
Report privately first. Public disclosure should wait until Foundation confirms the issue is resolved.

PAYOUT TABLE

Web security bug bounty rewards.

Bugs related to Passport products and Envoy are handled case-by-case and are separate from the table below.

Tier      Payout  Examples
Critical  $500    Payment bypass, credit card data exposure, remote code execution, administrative authentication bypass, SQL injection affecting payment or customer data.
High      $200    Customer information disclosure, unauthorized order access, stored XSS in checkout flows, CSRF affecting administrative functions, session hijacking.
Medium    $100    Information disclosure of non-sensitive business data, reflected XSS, missing authorization on lower-impact functions, limited directory traversal.
Low       $50     Minor information leakage, limited security misconfiguration, clickjacking on non-sensitive pages, email enumeration through contact forms.

REPORT

Send the report securely.

Use the form and choose Security disclosure. If you need to encrypt details, use the PGP security disclosures key.

View PGP security key

Do not include seed phrases, private keys, or wallet passwords.