Does SlimFAQ have a Vulnerability Reward Program?

Last updated 4 months ago

While we don't have an established Vulnerability Reward Program, we do encourage you to report any security issue responsibly to


The vulnerability you are reporting must be directly related to one of the following domains: 


Permissible security research

We only allow security research, that -

  • Makes a good faith effort to avoid affecting third party services or their availability;
  • Makes a good faith effort not to affect or disclose other users' accounts, personal data, or content, and not to affect service availability to other users;
  • Only uses user account(s) that belong to you personally (you are allowed to create several accounts specifically for the purpose of conducting security research for this vulnerability reward program);
  • Only targets user account(s), user data or personal data that belong to you personally, or are bogus test data;
  • Only uses or targets clients that have been installed on hardware you yourself own and operate;
  • Only uses methods that are in compliance with your local and European laws;
  • Does not use malicious or destructive payloads beyond what is technically required for a benign proof-of-concept demonstration;
  • Only targets services or products listed above, with the appropriate exclusions.
If you have any questions about whether a certain type of research is permissible, or whether a given target is in scope, contact us at before conducting the research.

Qualifying vulnerabilities

Any design or implementation issue that substantially affects the confidentiality or integrity of user data is likely to be in scope for the program. Common examples include: 

  • Cross-site scripting;
  • Cross-site request forgery;
  • Mixed-content scripts;
  • Authentication or authorization flaws (not including brute force attacks);
  • Server-side code execution bugs;
  • SQL injections.


The size of the reward is solely determined by the SlimFAQ team and is based on the estimated risk posed by the vulnerability. The current reward range is from USD 50 to USD 120.

If you report several issues that are duplicated in different parts of the service (e.g., the same code running on different nodes or platforms), or part of a larger issue, these may be combined into one, and only one reward may be paid.