Vulnerability Disclosure Policy

We have a vulnerability disclosure policy covering our service. If you think you have found a security vulnerability in Subsquat, please report it to us straight away. Please include detailed steps to reproduce and a brief description of what the impact is.

We encourage responsible disclosure (as described below), and we promise to investigate all legitimate reports in a timely manner and fix any issues as soon as we can.

Responsible Disclosure Policy

We ask that during your research you make every effort to maintain the integrity of our users’ data, avoiding violating privacy or degrading our service. You must give us reasonable time to fix any vulnerability you find before you make it public. In return we promise to investigate reports promptly and not to take any legal action against you.

Hall of Fame

As a measure of our appreciation for security researchers, we are happy to give full credit in any public postmortem after the bug has been fixed, and we offer the opportunity for security researchers to be featured in our Hall of Fame if their report satisfies the appropriate criteria.

To qualify for our Hall of Fame, you must:

  • Follow our responsible disclosure policy (see above).
  • Report the bug to us first, and give us reasonable time to fix the issue before making it public.
  • Be the first person to report the issue to us.
  • Use only an account that you control. Never interact with other accounts without the owner’s consent.
  • Find a bug that could allow access to private user data, or enable access to a system running Subsquat infrastructure.

Examples of valid vulnerability types include:

  • Authentication or session management issues
  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF/XSRF)
  • Remote Code Execution
  • Privilege Escalation

The decision of whether a report qualifies for a bounty is solely at the discretion of Subsquat. Hall of Fame eligibility will be determined by our security team after taking into account the severity of the vulnerability, the number of users potentially affected, etc.

Exclusions

Some security elements are excluded from the scope of our policy.

These include, but are not limited to:

  • Non-technical attacks such as social engineering, phishing, or physical attacks against our staff, users, or infrastructure.
  • Attempts to brute force access to any areas requiring authentication.
  • Anything related to username enumeration.
  • Outdated software/library versions.
  • DMARC, DKIM and SPF related issues.
  • Insecure settings in non-sensitive cookies.
  • Missing HTTP headers, unless a vulnerability can be demonstrated.
  • Bugs related to unpatched, out-of-date, or exceedingly rarely used browsers or other client software out of our control.
  • Clickjacking on pages with no sensitive actions.
  • Reports about “leakage” of the fact we run nginx, or the version number, or Perl module names or file paths.

Hall of Fame

  • We have not yet received any reports which have qualified for Hall of Fame eligibility.

Last updated: 12th August, 2023