# Do you have a bug bounty or security contact?

We have a public vulnerability disclosure policy but **no paid bug bounty program** at the moment.

If you've found a security issue in Oh Dear, please email **[security@ohdear.app](mailto:security@ohdear.app)**. Include enough detail for us to reproduce it: the affected URL or endpoint, the steps to trigger it, what you'd expect to happen versus what actually did happen, and any relevant request or response data.

Our commitments when you report something:

- We respond within **24 hours**
- We won't pursue legal action against security researchers acting in good faith (safe harbor)
- We keep you in the loop on our progress while we work on a fix
- We ask you to give us a reasonable window to fix the issue before disclosing it publicly

The full policy lives at [ohdear.app/security](/security), and we also publish a standard [security.txt](/.well-known/security.txt) with the same contact details.

## No cash rewards, but a free year of Oh Dear

We don't pay out financial bounties. What we do offer, if the vulnerability is confirmed, is a **free Oh Dear subscription for 1 year** as compensation. On top of that, we're happy to credit you in our security acknowledgements if you'd like that.

If you were hoping for a paid program: we understand, and we get the occasional request. We're a small team, and running a proper paid bounty program (triage, payouts, duplicate handling) is a serious commitment we haven't taken on yet.

For general privacy and compliance questions (GDPR, SOC 2, data handling), see our [privacy policy](/privacy) and [SOC 2 FAQ](/docs/faq/are-you-soc-2-verified).