Do you have a bug bounty program? How do I report a security issue?
We have a public vulnerability disclosure policy but no paid bug bounty program at the moment.
If you've found a security issue in Oh Dear, please email [email protected]. Include enough detail for us to reproduce it: the affected URL or endpoint, the steps to trigger it, what you'd expect to happen versus what actually did happen, and any relevant request or response data.
Our commitments when you report something:
- We respond within 24 hours
- We won't pursue legal action against security researchers acting in good faith (safe harbor)
- We keep you in the loop on our progress while we work on a fix
- We ask you to give us a reasonable window to fix the issue before disclosing it publicly
The full policy lives at ohdear.app/security, and we also publish a standard security.txt (the RFC 9116 format) with the same contact details.
No cash rewards, but a free year of Oh Dear
We don't pay out financial bounties. What we do offer, once the vulnerability is confirmed, is a free Oh Dear subscription for one year as compensation. On top of that, we're happy to credit you in our security acknowledgements if you'd like that.
If you were hoping for a paid program: we understand, and we get the occasional request. We're a small team, and running a proper paid bounty program (triage, payouts, duplicate handling) is a serious commitment we haven't taken on yet.
For general privacy and compliance questions (GDPR, SOC 2, data handling), see our privacy policy and SOC 2 FAQ.