Security & Vulnerability Reporting

We appreciate the efforts of security researchers and provide a secure means for disclosing vulnerabilities responsibly.


The primary reward for reporting qualifying vulnerabilities is your name on our Hall of Fame page.
At our discretion, additional rewards will be given for distinctly creative or severe bugs.

How do I report a vulnerability?

Please contact our Security Team at (PGP key can be found at the bottom of this page).
Please include any of the following when reporting:
  • Proof of concept
  • Tools used to find/exploit the vulnerability
  • Tool output

Our Rules

  • No unauthorized access of another individual’s account or data.
  • No attacks that could affect the reliability/integrity of our services or data.
  • Please respect responsible disclosure – we will fix all valid issues as soon as we are able.
  • Only test for vulnerabilities on a domain owned by Firstbird. Some sites hosted on subdomains are operated by third parties should not be tested.
  • Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
Please Note:
If sending your report via video, please ensure that it is not hosted on a public platform such as YouTube.
We do not accept bugs that have already been submitted by another user, or that we are already aware of.
Vulnerabilities that Firstbird determines to be an acceptable risk will not be eligible for acceptance.
If we validate and accept your report as being non-trivial, valid and not yet reported, we will add you to our Hall of Fame.

Secure Communications

The following PGP key can be used for sensitive information:

See how it can work for you

Find out everything you need to know in our daily web demo