wehackitbeforetheydo.com
Responsible disclosure

Found something? Tell us.

We run an offensive-security firm. It would be embarrassing if our own systems were broken — and we'd rather hear about it from you than from the news.

How to report

Email security@wehackitbeforetheydo.com. Encryption is optional but appreciated: the fingerprint of our PGP key and a link to the public key are in our security.txt.

What's helpful in a report:

  • The URL or system affected.
  • Reproduction steps. Working PoC ≫ a vague description.
  • Your assessment of impact.
  • Whether you've shared the finding with anyone else.

What we promise

  • We acknowledge every report within 2 business days.
  • We share an initial triage decision (in scope, accepted, duplicate, etc.) within 7 days.
  • We won't pursue legal action against you for testing in good faith within the scope below.
  • We credit reporters in our hall of fame if they want it. Anonymous is fine too.

Scope

In scope:

  • wehackitbeforetheydo.com and any subdomain we operate
  • Our customer dashboard (when live)
  • Anything that loads from the above (CSS, JS, fonts, images)

Out of scope:

  • Findings against systems we don't own (CloudFront edge, our DNS provider, etc.). Report those to the vendor.
  • Volumetric DoS / DDoS — please don't.
  • Social-engineering our team.
  • Physical access to our offices or staff.
  • Best-practice findings without a demonstrated impact (e.g. "you're missing X header somewhere"). We'll take the note but it's not a vulnerability.

Rules

  • Don't access, modify, or delete other users' data. If you can prove the bug without doing that, please do.
  • Don't run automated scans that generate significant load. A few requests to demonstrate is fine.
  • Give us reasonable time to fix before going public — typically 90 days. We'll work with you on the timeline.

Bounty

We don't run a paid bug bounty yet. We say thank-you, credit you publicly if you want it, send merch on request, and will absolutely write you a recommendation letter for the work. A formal bounty program may come later.

Hall of fame

The researchers below have helped us stay honest. Thanks.

Empty for now. Be the first.

Contact

security@wehackitbeforetheydo.com · machine-readable policy: /.well-known/security.txt

Last updated · 2026-05-10